The State of Credential Stuffing Attacks – Security Intelligence


Credential stuffing has become a preferred tactic among digital attackers over the past few years. As reported by Help Net Security, researchers detected 193 billion credential stuffing attacks globally in 2020. Financial services groups suffered 3.4 billion of those attacks. That’s an increase of more than 45% year over year in that sector. In H1 2021, fraudsters focused on digital accounts by breaking into existing user accounts or creating new accounts, per Business Wire. Nearly three in 10 of those attacks consisted of credential stuffing.

How Does Credential Stuffing Work?

According to the Open Web Application Security Project, a credential stuffing attack begins when a malicious actor uses a phishing campaign, password dump or another information leak to steal users’ account credentials. The attacker then uses automated tools to test the credentials across multiple websites. These might belong to social media platforms and online marketplaces. Many of those toolkits are either free or low cost, wrote TechRepublic, and they often come with configurations that attackers can use to target files on certain websites.

“The capability to automate attacks like credential stuffing makes these kinds of attacks have a low bar to entry,” explained Sushila Nair, a VP of security services. “The tools are cheap, and you can allow tools and scripts to ripple through stolen troves of passwords from the dark web to see if you can break in.”

Accessible Tools

Malicious actors will also download public tools to help identify which passwords belong to which sites. As noted by Information Security Buzz, this helps attackers improve the success rate of their attacks. It also limits the number of authentication attempts a botnet sends out, which improves their chances of conducting an attack without raising red flags.

If the login attempt succeeds, the attacker can then leverage the account for a variety of different malicious purposes. They can drain the stolen accounts of their stored funds, for instance. They can also access sensitive information contained therein, send out phishing messages and spam calls or monetize that data on dark web marketplaces.

“Ultimately, the success of password spray attacks and the fact it doesn’t require the use of advanced technology makes it a great starting point for attackers,” noted Nair. “All it takes is one compromised credential or one legacy application to cause a data breach. The Identity Theft Resource Center estimates the average person has around 100 passwords to remember, so it’s no surprise that so many of us are reusing the same passwords across multiple sites, which contributes to the success of this kind of attack.”

In the News

Let’s examine some credential stuffing attacks that made headlines over the course of 2021.

In February 2021, Bitdefender reported that a music streaming platform fell victim to a credential stuffing attack. Attackers used a malicious logger database containing the details of over 100,000 users’ credentials to try to compromise those accounts. Per the security firm’s reporting, someone probably leaked those details elsewhere initially before using them in this attack.

In August, the FBI warned that malicious actors were using a distinct type of credential stuffing attack. Powered by data leaked from other companies, attackers targeted online accounts at grocery stores, restaurants and food delivery services. The attackers’ hope was that users had reused their passwords across multiple web services, reported The Record. Access to those accounts gave malicious actors access to a lot more. They could drain users’ accounts of their funds, steal their personal information or abuse their financial data for fraud.

More Retailer Credential Stuffing

In October, an all-digital wireless carrier confirmed that someone had seized control of some of its customers’ accounts. The attacker then changed those users’ stored information, including their passwords and shipping addresses. They also charged some of those accounts the price of a new iPhone. The wireless provider denied having suffered a data breach, per Threatpost. Instead, it said it had suffered something along the lines of a credential stuffing attack, in which “threat actors were able to access username/passwords from outside sources and exploit that information” to log into protected accounts.

Around that same time, Help Net Security reported on a credential stuffing campaign started by a fraud ring dubbed Proxy Phantom. It used a cluster of rotating IP addresses and over 1.5 million stolen account details to try to break into user accounts on merchant websites. Those bot-based attacks conducted as many as 2,691 login attempts a second.

How to Defend Against a Credential Stuffing Attack

To defend against credential stuffing attacks, you need to know two things: where they have come from over the past couple of years, and where they are now.

“As we have been propelled into the cloud, the traditional perimeter of the firewall is disappearing, and identity is the new perimeter,” Nair pointed out. “Essentially, identity is the fence that you must climb over to get into the network where the data is stored. Yubico estimates 81% of hacking-related breaches come from Internet credential theft, and this is not surprising given 85% of folks admitted to reusing passwords on multiple sites. Any security control that relies on humans’ infallibility is doomed. We must strengthen authentication by using multi-factor authentication (MFA) and passwordless authentication to tighten our new perimeter.”

MFA is useful because it adds steps to the login process, disrupting the flow of an attack. But it’s not the only control that does this. For instance, infosec personnel can require users to solve CAPTCHAs. This helps to block login attempts made as part of an automated attack, such as those that occur in a credential stuffing campaign, noted CCSI.

In addition, your team can use user behavioral analytics to review their authorized accounts for suspicious activity. If they detect any, they can notify the user and work with them to resolve the issue. This includes checking employees’ new passwords against those that have already been breached.
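The kind of review described above can be sketched as detection logic over authentication events. This is an added example, not code from the article or any vendor it cites: the event tuples, thresholds and function names are assumptions, and the sample data is constructed. It flags time windows by the shape of the traffic (many distinct usernames, about one try each, mostly failures) rather than by source address, because a campaign that rotates IP addresses never trips a per-address limit, and it lists the accounts that logged in successfully from a never-before-seen address during a flagged window.

```python
from collections import Counter, defaultdict

def sample_events():
    """Constructed auth events: (epoch_second, source_ip, username, success)."""
    events = [(1000, "198.51.100.7", "alice", True),   # normal logins
              (1003, "198.51.100.8", "bob", False),    # typo, then success
              (1004, "198.51.100.8", "bob", True),
              (1210, "198.51.100.7", "alice", True)]   # legitimate login during the burst
    for i in range(40):  # burst: 40 usernames, one try each, a fresh IP per attempt
        events.append((1200 + i % 30, f"203.0.113.{i + 1}", f"user{i:03d}", i == 17))
    return events

def detect_stuffing(events, window=60, min_users=20, max_tries_per_user=2.0,
                    min_fail_ratio=0.8):
    """Flag windows shaped like credential stuffing (thresholds are assumptions)."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        buckets[ts - ts % window].append((ip, user, ok))
    known = set()      # (user, ip) pairs that succeeded in unflagged windows
    findings = []
    for start in sorted(buckets):
        rows = buckets[start]
        users = {user for _, user, _ in rows}
        fail_ratio = sum(not ok for _, _, ok in rows) / len(rows)
        stuffing = (len(users) >= min_users
                    and len(rows) / len(users) <= max_tries_per_user
                    and fail_ratio >= min_fail_ratio)
        wins = {(user, ip) for ip, user, ok in rows if ok}
        if not stuffing:
            known |= wins          # learn normal user/IP pairs only from clean windows
            continue
        findings.append({
            "window_start": start,
            "attempts": len(rows),
            "distinct_users": len(users),
            "fail_ratio": round(fail_ratio, 3),
            # what a per-address rate limit would have seen
            "max_attempts_per_ip": max(Counter(ip for ip, _, _ in rows).values()),
            # successes from a user/IP pairing never seen before: notify and reset
            "accounts_to_review": sorted(u for u, ip in wins - known),
        })
    return findings

if __name__ == "__main__":
    for finding in detect_stuffing(sample_events()):
        print(finding)
```

In the constructed data no address makes more than one attempt, yet the window is flagged, and only the account whose successful login came from an unfamiliar address is queued for user notification.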

David Bisson

Contributing Editor

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Trip…