Credential stuffing has been around for years. But the signs are that 2019 might well be a stand out year, as the black hats start to monetise the huge volumes of breached identity data flooding the dark web. While historically many firms’ response has been to blame customers for poor log-in security, this approach is not going to wash going forward. To protect the brand and bottom line, they need to be more proactive.
I spoke to some experts for an upcoming Infosecurity Magazine feature to better assess the scale of the challenge, and what can be done to tackle it.
At its heart, credential stuffing is a pretty straightforward attack. Take large volumes of username/password data from dark web troves, many of which are now arranged in easy-to-use “combo lists”, and feed them into bot-powered automated programmes designed to try and unlock other accounts. Because users share passwords across multiple sites, the hackers will usually succeed: which is bad for consumers and possibly enterprises, if those accounts are corporate ones.
“I’ve seen password reuse on corporate accounts many times and it’s a standard operation to check our password leak database during the reconnaissance phase in every red team engagement,” SANS Institute certified instructor, Matthias Fuchs, explained to me. “Still, many organisations allow outside access to some corporate services like webmail. If they don’t use MFA there, the accounts are at equal risk as on private platforms. After all it’s just another website to try the creds on.”
Experts were agreed that credential stuffing will only grow as we head through the year.
“The sheer volume of credential stuffing attacks since the start of 2019 is alarming. The success of recent attacks against consumer services — TurboTax and Dunkin’ Donuts, to name a couple — is just continuing proof that protecting data instead of protecting identities and people is a failing security model,” Ping Identity CCIO, Richard Bird, told me.
“Unfortunately, organisations are not taking even the most basic steps necessary to thwart these types of attacks, so it’s likely that they will continue to proliferate. Companies must come to the table with better security solutions for their customers. Leveraging available technologies like MFA, device fingerprinting and artificial intelligence to detect anomalous behaviours are just a few steps that can be taken to protect customers and their data.”
Shape Security director of engineering, Jarrod Overson, claimed that credential stuffing would increase “at the rate that bandwidth and hardware allows.”
“Credential stuffing, like all attacks, involves a cost/value justification for the attacker and, right now, it costs virtually nothing to execute an attack that can take over thousands to millions of accounts,” he told me. “Without automated defences in place then an attacker’s best interest is to execute an attack as rapidly as possible to get results before the company recognises and puts in countermeasures. Even with protections in place, Shape recorded its biggest attack ever in January with nearly three billion attacks against one customer in one week against one user flow (the login).”
The bad news is that the black hats continue to evolve their tactics.
“Attackers are getting more creative in how they use personal information to either reset accounts, gain trust or establish online access to accounts. I think one big issue is that attackers are getting smarter in how they use the information and how they monetise stolen information,” SANS dean of research, Johannes Ullrich, told me.
“In the past, there used to be some obvious ways to monetise stolen information, like credit card theft. But the value of this information has been steadily decreasing because first of all, there is already more information out there then can be used, and entities like banks are getting better at blocking access. But attackers are slowly discovering the social component of this. They are now better able to identify trust relationships and to use leaked data to authenticate and take advantage of these trust relationships.”
Overson and his team are seeing the same patterns as cyber-criminals look to ape human behaviour in new ways.
“These advanced attacks involve the exploitation of mobile applications, browser extensions, or third-party scripts to drive the behaviour of an application even after a user has logged in,” he said. “We’re calling the trend towards attacks that simulate human behaviour ‘Imitation Attacks’ — this is an umbrella term that encompasses all illegitimate transactions made seemingly on behalf of a real user. This includes advanced phishing attacks, credential stuffing, password spraying, and other attacks that exploit the inherent functionality of an application.”
The big question for CISOs is how to stop it. Credential stuffing could lead to compromise of enterprise accounts, enabling multi-staged info-stealing raids or BEC attacks. It could also have a devastating knock-on effect on customer confidence and brand loyalty if consumer accounts are hijacked en masse.
For Overson, the answer is rapid response, but countermeasures which should also be removed when the attack subsides. He also recommends a “variable” response, which will make it harder for hackers to predict what defensive tactics the white hats are going to use next.
“There is no silver bullet against automated attackers, because the actors behind the attacks are human adversaries who will always attempt to retool around defences. The paths attackers are taking are the same paths that our users are taking and too much security-related friction in critical user experience flows leads to loss of revenue and business,” he warned.
“Mitigation requires fast-moving collaboration across teams along with security vendors to roll out targeted countermeasures for specific attackers while leaving average users unaffected. As attackers start to retool with more artificial intelligence and machine learning then rapid, limited, variable feedback becomes even more important.”