Be a Hacker in Ten Minutes With No Expertise Required

Before the heist, the plan. Meticulously laid out by the mastermind and followed by the expert team of criminals, the gang needs to execute it perfectly to have a chance of escaping with the loot. It sounds too much like hard work, to be honest, especially since anyone can steal online, without expertise or even experience.

Today, those wanting to turn a tidy (but morally dubious) profit need to look no further than the internet to take their first step. The blueprint for executing successful cyber-attacks is now at the fingertips of cyber-criminals globally, through online forums, marketplaces and communities. One form of attack, growing in popularity, is credential stuffing.

Credential stuffing attacks see cyber-criminals ‘stuffing’ stolen username and password pairs into login pages at high velocity, trying each pair until one works, to gain fraudulent access to accounts. Numerous data breaches have put millions of login credentials into the hands of cyber-criminals in the form of ‘combo lists’, compilations of matching usernames and passwords, sold online.

Manually working through a stolen combo list, one login attempt at a time, won’t yield results at any useful scale. Enter bots. A bot can check thousands of credentials every minute, which makes finding the needle in the haystack not just possible but straightforward.

With around 65% of people re-using passwords, one successful credential combination can open multiple user accounts and a trove of sensitive data, making credential stuffing extremely profitable.

The ‘perfect storm’ for cyber-criminals

Widespread uncertainty and loss of income, caused by the pandemic, is fueling the underground economy. A ‘perfect storm’ is brewing—masses of people are stuck at home with time on their hands, there’s more internet traffic creating more ‘noise’ making criminal activity harder to detect, and the world faces economic downturn. These factors make the promise of getting rich quick via credential stuffing not only more achievable, but less risky and more appealing.

Lowering the barriers to entry intensifies the threat posed by credential stuffing attacks further. In the past, the dark web was the go-to marketplace for cyber-criminals buying and selling stolen credentials. Accessing the dark web requires a little know-how, but more and more marketplaces offering stolen credentials have cropped up on the clear web.

Once users are in, these marketplaces offer cyber-criminals all the tools and tutorials needed to execute sophisticated credential stuffing attacks. Cyber-criminals no longer need a special browser that routes their web requests through an anonymizing network, nor have to endure the unpredictable nature of the dark web. All the information they need to profit from credential stuffing is accessible via a standard browser.

Many clear web marketplaces even sell digital fingerprints of real people, containing everything from email account logins to Spotify profiles and PayPal accounts. Criminals then effectively take on the digital identity of the victim, making purchases and replying to their emails—all without detection. Access to a digital fingerprint is usually obtained through an initial credential stuffing attack.

For the lazier cyber-criminal, the sale of fingerprints means they don’t have to bother with stuffing credentials. They just buy pre-hacked accounts.

Credential stuffing isn’t just a problem for individual victims. It’s a big problem for businesses too, which suffer customer mistrust and increased churn as people start to question their cybersecurity. Customers begin to ask “how were my stolen credentials allowed to be used on your site?” and “why didn’t you put a stop to this?”, while the cost of reduced loyalty and diminished brand reputation then starts to affect profit.

The route forward

The only way to protect customers and businesses alike is to match sophisticated threats with sophisticated defenses. Old fashioned approaches to cybersecurity are nothing more than an inconvenience to cyber-criminals today—we can’t just ask people for a complex password and expect them not to reuse it.

Given that it’s bots enabling cyber-criminals to profit from credential stuffing attacks, the best protection comes from differentiating between human and non-human traffic.

While bots are sophisticated and will try to mimic human behavior, there are red flags indicating that you aren’t dealing with a real person. Speed is a giveaway: bots submit login attempts faster than any human can type them. Previously unseen IP addresses, or traffic from countries where the business has no customers, can also be characteristic of bot activity, although on their own these signals produce false positives (a legitimate customer travelling abroad looks much the same) and are best combined with behavioral signals.

However, businesses need to go one step further. They must analyze what an average user journey looks like, and then consider what would be unusual. A human might forget their username and password combination a couple of times, but not ten thousand times, and certainly not across ten thousand different accounts from the same source.

Browsing a few pages is normal, browsing every page to scrape content isn’t.
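The behavioral checks described above (attempt velocity, the number of distinct accounts tried from one source, and the failure rate) can be turned into a concrete detector. The following Python is an added example written for this article, not code from the original page or from any vendor; the log format, the thresholds and the sample log lines are all constructed assumptions. It uses a sliding window per source IP so that a human who mistypes a password twice, or an office NAT address behind which many different people log in successfully, is left alone, while a source that rotates through many usernames with almost no successes is flagged.

```python
"""Flag credential stuffing in login logs by per-source velocity, breadth and failure rate.

Log format (assumed for this example):  <ISO timestamp> <src_ip> <username> <success|failure>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions; tune them against your own traffic baseline.
WINDOW = timedelta(seconds=60)   # sliding window over each source's attempts
MIN_ATTEMPTS = 20                # attempts inside the window before we judge the source
MIN_DISTINCT_USERS = 10          # a human forgets one password, not ten accounts' worth
MAX_SUCCESS_RATIO = 0.2          # combo lists mostly fail; real users mostly succeed


def parse_line(line):
    """Parse one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "success"


def detect_stuffing(lines, window=WINDOW, min_attempts=MIN_ATTEMPTS,
                    min_users=MIN_DISTINCT_USERS, max_success=MAX_SUCCESS_RATIO):
    """Return {ip: summary} for sources whose login pattern looks automated.

    A source is flagged the first time some window of its attempts holds at least
    min_attempts tries against at least min_users distinct usernames with a success
    ratio of at most max_success.  The summary describes that triggering window.
    """
    events = sorted(parse_line(l) for l in lines if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # slide the window start forward until it fits inside `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            win = attempts[start:end + 1]
            if len(win) < min_attempts:
                continue
            users = {user for _, user, _ in win}
            successes = sum(1 for _, _, ok in win if ok)
            if len(users) >= min_users and successes / len(win) <= max_success:
                flagged[ip] = {"attempts": len(win), "distinct_users": len(users),
                               "successes": successes}
                break
    return flagged


# --- constructed sample log (not real traffic) -------------------------------
BASE = datetime(2024, 5, 1, 12, 0, 0)


def _line(offset_s, ip, user, ok):
    ts = (BASE + timedelta(seconds=offset_s)).isoformat()
    return f"{ts} {ip} {user} {'success' if ok else 'failure'}"


SAMPLE_LOG = (
    # a human who mistypes twice, then gets in
    [_line(0, "198.51.100.7", "alice", False),
     _line(25, "198.51.100.7", "alice", False),
     _line(70, "198.51.100.7", "alice", True)]
    # an office NAT address: many distinct users, nearly all of them succeed
    + [_line(i * 2, "192.0.2.10", f"staff{i:02d}", True) for i in range(25)]
    # a bot working through a combo list: a new username every second, one hit
    + [_line(i, "203.0.113.50", f"victim{i:03d}", i == 17) for i in range(30)]
)

if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {summary}")   # only 203.0.113.50 should appear
```

Per-IP velocity is the easy case. Stuffing tools routinely spread attempts across residential proxy pools so that no single address crosses a threshold, which is why the same breadth and failure-rate logic should also be applied per device fingerprint, per ASN and globally (a sudden site-wide rise in failed logins against many distinct accounts is the signal that survives IP rotation).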

To win the battle against bots, businesses must deploy technology that rivals the agility of bot traffic. The weapon of choice is clear: machine learning algorithms. Only once businesses can respond to bot traffic as quickly as the bots can work, will they have a chance to stem the tide of automated attacks.
