There’s no denying the pervasiveness of credential stuffing attacks. One security firm detected 193 billion credential stuffing attacks in 2020, as reported by Threatpost. The same company uncovered more than one billion credential stuffing attempts in just a single day during that period.
To understand why credential stuffing is increasing, it’s helpful to define what this type of attack entails. The Open Web Application Security Project (OWASP) explains that credential stuffing involves “the automated injection of stolen username and password pairs… into website login forms, in order to fraudulently gain access to user accounts.” At that point, malicious actors can abuse those accounts to conduct secondary attacks such as account takeover or stealing corporate information.
One of the reasons credential stuffing attacks work is that too many users reuse passwords across multiple websites. It’s not like users don’t understand the risks of this practice. On the contrary, 92% of respondents to a 2021 survey said they knew that using the same password or close variations across multiple web accounts constituted a security risk, per Help Net Security. However, that knowledge didn’t prevent 65% of survey participants from going ahead and reusing their passwords anyway.
These findings help to explain why data breaches involving phishing attacks – another means to acquire passwords to use in a credential stuffing attack – and the use of stolen credentials more broadly are so commonplace. In its Data Breach Investigations Report (DBIR) 2021, Verizon Enterprise observed phishing grow in frequency from 25% of data breaches in 2020 to 36% just a year later. Phishing thereby maintained its position as one of the top Action varieties in breaches observed by Verizon’s researchers, a notoriety it has enjoyed for several years.
As for the use of stolen credentials, this Action variety appeared in a quarter of data breaches for 2021. That’s consistent with Verizon’s findings for the previous year. Of all the data types analyzed in the report, credentials registered the quickest time to compromise, especially in attacks involving phishing techniques.
Notwithstanding the prevalence of password reuse and stolen credentials, digital attackers can’t make credential stuffing work without some degree of automation. That much is evident in the anatomy of a credential stuffing attempt. According to OWASP, a credential stuffing campaign begins when an attacker acquires usernames and passwords from a data breach, phishing attack, password dump, or other information exposure event. The malicious actor then uses automated tools to test those credentials across several websites such as social media platforms and financial institutions. Along the way, attackers need to configure their automated tools in such a way that their actions don’t trigger security solutions deployed to protect those websites.
One example of how nefarious individuals disguise their activity comes from Salt Security:
“Attackers… configure the automation tooling to evade detection and lockout thresholds,” the security firm explained. “Steps include mimicking legitimate user agent metadata, avoiding use of multi-threading, and attempting logins only once per minute. Note that automation tooling – when configured properly – looks and behaves much like that of typical and sanctioned business activity.”
In addition to the tactics referenced by Salt Security, some attackers will also try to launch multiple instances of their tools at different locations of the network and from different geographical regions. Doing so will help them to further evade detection.
A successful login attempt grants the attacker access to a user’s account. From there, the malicious actor can choose to drain account funds, make fraudulent purchases, or access the account’s associated sensitive information. Bad actors can also choose to send phishing messages or spam emails from the account. Once they’re done, they can sell the known-valid credentials for the account on the dark web.
Just as automation is at the heart of a credential stuffing attack, it also is key to defending against credential stuffing. Organizations need to apply automated behavior analytics to catch such attacks. These capabilities can help to spot both attempts to gain access to accounts and malicious actors misusing an account after a credential stuffing attack has been successful.
To help mitigate these attacks, organizations can introduce additional steps/factors into the authentication process to interrupt the flow of an automated login attempt. These measures include using multi-factor authentication (MFA) and CAPTCHA. With regards to the former, Infosecurity Magazine recommends that organizations turn on and/or require MFA wherever they can, using authenticator apps and/or biometric scanners. Such a layered authentication approach can help to safeguard access to authenticated accounts even if a malicious actor compromises their associated credentials.
There’s similar guidance when it comes to CAPTCHAs. CCSI highlights the importance of requiring users to solve a CAPTCHA for each login attempt. In doing so, organizations will provide additional protection of their accounts against automated login attempts such as those made over the course of a credential stuffing attack. They might alternatively require users to solve a CAPTCHA whenever a login attempt is deemed suspicious, thereby helping to foster a balance between security and convenience.
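A small illustration of the detection-plus-step-up approach described above (behavioral analytics to spot the attempt, a CAPTCHA only when the attempt looks suspicious), added here as an example and not part of the original article or any vendor's product. It parses constructed login log lines, flags a source that spreads one attempt per minute across many different accounts (the pacing Salt Security describes, which per-account lockouts never catch), and returns a step-up decision for that source; the log format and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the article): 203.0.113.7 tries one login
# per minute against six different accounts; 198.51.100.9 is a normal user
# who mistypes a password once and then succeeds.
SAMPLE_LOG = """\
2021-06-01T10:00:00 203.0.113.7 alice FAIL
2021-06-01T10:01:05 203.0.113.7 bob FAIL
2021-06-01T10:02:10 203.0.113.7 carol FAIL
2021-06-01T10:03:15 203.0.113.7 dave FAIL
2021-06-01T10:04:20 203.0.113.7 erin FAIL
2021-06-01T10:05:25 203.0.113.7 frank OK
2021-06-01T10:00:30 198.51.100.9 grace FAIL
2021-06-01T10:00:45 198.51.100.9 grace OK
"""

def parse_log(log):
    """Parse 'timestamp ip username OK|FAIL' lines into (ts, ip, user, ok) tuples."""
    events = []
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def suspicious_sources(events, window=timedelta(minutes=10),
                       min_users=5, max_success_ratio=0.5):
    """Flag IPs that spread attempts across many distinct usernames inside one
    window with a low success ratio. A 10-minute window still accumulates a
    source that paces itself to one attempt per minute."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()  # chronological order for the sliding window
        for i, (start, _, _) in enumerate(attempts):
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            users = {u for _, u, _ in in_window}
            successes = sum(ok for _, _, ok in in_window)
            if len(users) >= min_users and successes / len(in_window) <= max_success_ratio:
                flagged[ip] = {"distinct_users": len(users),
                               "attempts": len(in_window), "successes": successes}
                break
    return flagged

def login_decision(ip, flagged):
    """Risk-based step-up: a flagged source must solve a CAPTCHA (or pass MFA)
    before its credentials are checked; everyone else proceeds normally."""
    return "captcha" if ip in flagged else "allow"
```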
Since password reuse, phishing attacks, and other elements that foster credential stuffing are likely to be with us forever, organizations will need to raise the bar to defend against them. They should apply behavioral analytics to detect attacks on applications and APIs and use MFA and other techniques to thwart these attacks as well.