[BreachExchange] Credential stuffing explained: How to prevent, detect and defend against it

Destry Winant destry at riskbasedsecurity.com
Thu Oct 31 10:05:14 EDT 2019


https://www.csoonline.com/article/3448558/credential-stuffing-explained-how-to-prevent-detect-and-defend-against-it.html#tk.rss_news

Credential stuffing definition

Credential stuffing is the automated use of collected usernames and
passwords to gain fraudulent access to user accounts. Billions of
login credentials have landed in the hands of hackers over the past
several years as a result of data breaches. These credentials fuel the
underground economy and are used for everything from spam to phishing
and account takeovers. Credential stuffing attacks are one of the most
common ways cybercriminals abuse stolen usernames and passwords.

This is a form of brute-force attack, but instead of guessing passwords
from "dictionaries" of common words and word combinations, attackers
replay lists of known valid username/password pairs obtained from data
breaches. The result is attacks that are much easier to execute and
have a far higher success rate, because a large share of people still
reuse passwords across websites, so a credential stolen from a
low-profile site has a good chance of working on services that hold
more sensitive data.

How big is the credential stuffing problem?

HaveIBeenPwned.com (HIBP), a free data breach notification service run
by security researcher Troy Hunt, tracks over 8.5 billion compromised
credentials from over 410 data breaches. The service only includes
credentials from data sets that are public or have been widely
distributed on underground forums; many other database dumps remain
private and are available only to small groups of hackers.


An entire underground economy based on selling stolen credentials and
specialized tools supports automated credential stuffing attacks.
These tools use so-called “combo lists” that have been put together
from different data sets after the hashed passwords found in leaked
databases have been cracked. This means that launching such attacks
does not require any special skills or knowledge and can be done by
virtually anyone who has a few hundred dollars to buy the tools and
data.

Over a 17-month period, from November 2017 through the end of March
2019, security and content delivery company Akamai detected 55 billion
credential stuffing attacks across dozens of verticals. While some
industries were more heavily targeted than others -- for example
gaming, retail and media streaming -- no industry was immune.

“For now, attackers see credential abuse as a low-risk venture with
potential for a high payout, and these types of attacks are likely to
increase for the foreseeable future,” the company said in a report
released in June.

How to detect and mitigate credential stuffing attacks

Credential stuffing attacks are launched through botnets and automated
tools that support proxies, so the rogue requests are spread across
many different IP addresses. Furthermore, attackers often configure
their tools to mimic legitimate user agents, the User-Agent header
that identifies the browser and operating system a web request is made
from.

All this makes it very hard for defenders to differentiate between
attacks and legitimate login attempts, especially on high-traffic
websites where a sudden influx of login requests doesn’t stand out as
unusual. That said, an increase in the login failure rate over a short
period of time can be a telltale sign that a credential stuffing
attack is in progress.

While some commercial web application firewalls and services use more
advanced behavioral techniques to detect suspicious login attempts,
website owners can take measures to prevent such attacks.

One effective mitigation is to implement and encourage the use of
multi-factor authentication (MFA). Even though some automated phishing
and account takeover tools can bypass MFA, those attacks require more
resources and are harder to pull off en masse than credential
stuffing.

Since MFA has a usability cost, many organizations provide it as an
option that users have to turn on rather than actually enforcing it.
If making MFA mandatory for all user accounts is considered too
disruptive for business, a compromise is to automatically enable it
for users who are determined to be at greater risk, for example after
an unusually large number of failed login attempts on their accounts.
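The two signals just described, a jump in the login failure rate over a short window and an unusual number of failures against individual accounts, can be computed from ordinary login telemetry. The script below is an added example, not code from the CSO article or from Akamai: it assumes a tab-separated log format (epoch seconds, account, source IP, user agent, outcome), builds a constructed sample log with a quiet baseline followed by a stuffing burst spread over many IPs behind one browser-like user agent, flags windows whose failure rate spikes, and lists the accounts that would be auto-enrolled in MFA under a "too many failed logins" rule.

```python
"""Spotting a credential-stuffing burst in login telemetry and picking the
accounts to force into MFA. Added example; the log format, thresholds and
sample events are assumptions made for this illustration."""
from collections import Counter, defaultdict

# Constructed sample telemetry (tab-separated: epoch seconds, account, source IP,
# user agent, outcome). A quiet baseline, then a burst of failures spread across
# 60 source IPs that all present the same browser-like user agent.
_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/70.0"
_BASELINE = [
    (1000, "alice", "203.0.113.5", _UA, "ok"),
    (1010, "bob", "198.51.100.7", "Mozilla/5.0 (Macintosh) Safari/605.1", "ok"),
    (1020, "carol", "203.0.113.9", _UA, "fail"),   # one typo, then success
    (1035, "carol", "203.0.113.9", _UA, "ok"),
    (1100, "dave", "198.51.100.22", _UA, "ok"),
    (1150, "alice", "203.0.113.5", _UA, "ok"),
]
_BURST = [(1320 + i, f"user{i % 12:02d}", f"192.0.2.{i}", _UA, "fail")
          for i in range(60)]
SAMPLE_LOG = "\n".join("\t".join(map(str, e)) for e in _BASELINE + _BURST)


def parse_log(text):
    """Parse the assumed tab-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, user_agent, outcome = line.split("\t")
        events.append({"ts": int(ts), "account": account, "ip": ip,
                       "ua": user_agent, "ok": outcome == "ok"})
    return events


def detect_bursts(events, window=60, min_attempts=20, rate_threshold=0.5):
    """Flag fixed-size windows whose login failure rate exceeds rate_threshold.

    A window must hold at least min_attempts logins before its rate is
    trusted, so a few typos on a quiet site do not trip the detector. Each
    flagged window also reports the number of distinct source IPs and how
    concentrated the user agents were: stuffing tools typically show many
    proxy IPs behind one or two spoofed, browser-like user agents.
    """
    buckets = defaultdict(list)
    for ev in events:
        buckets[ev["ts"] // window * window].append(ev)
    flagged = []
    for start in sorted(buckets):
        evs = buckets[start]
        attempts = len(evs)
        failures = sum(1 for ev in evs if not ev["ok"])
        rate = failures / attempts
        if attempts >= min_attempts and rate >= rate_threshold:
            top_ua = Counter(ev["ua"] for ev in evs).most_common(1)[0][1]
            flagged.append({"window_start": start, "attempts": attempts,
                            "failures": failures, "failure_rate": rate,
                            "distinct_ips": len({ev["ip"] for ev in evs}),
                            "top_ua_share": top_ua / attempts})
    return flagged


def accounts_for_forced_mfa(events, threshold=5, window=3600):
    """Accounts with at least threshold failed logins inside any window-second span.

    These are the "at greater risk" accounts that would have MFA switched on
    automatically rather than left as an opt-in.
    """
    fails = defaultdict(list)
    for ev in events:
        if not ev["ok"]:
            fails[ev["account"]].append(ev["ts"])
    risky = []
    for account, stamps in fails.items():
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):        # sliding window over sorted times
            while t - stamps[lo] >= window:
                lo += 1
            if hi - lo + 1 >= threshold:
                risky.append(account)
                break
    return sorted(risky)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for b in detect_bursts(evs):
        print(f"burst at t={b['window_start']}: {b['failures']}/{b['attempts']} "
              f"failed, {b['distinct_ips']} IPs, top UA share {b['top_ua_share']:.0%}")
    print("force MFA for:", accounts_for_forced_mfa(evs))
```

On the sample data the only flagged window is the burst, with a 100% failure rate across 60 distinct IPs and a single user agent, and the twelve targeted accounts each accumulate five failures and are selected for forced MFA while carol, with one typo, is not. In production the thresholds should be set from the site's own baseline failure rate, and the IP-spread and user-agent-concentration figures are what distinguish a stuffing run from, say, a password-reset e-mail that sent many legitimate users to a stale login page.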

Large companies have also started to be proactive by monitoring public
data dumps and checking to see if the impacted email addresses also
exist in their systems. For those accounts that are found on their
services, even though they were compromised elsewhere, they force
password resets and strongly suggest enabling MFA.

Companies that want to monitor if accounts set up by their employees
with their work emails were impacted by external breaches can use
services like HIBP to set up alerts for their entire domain names.
HIBP’s public API has even been used to develop scripts in various
programming languages that can be integrated into websites or mobile
apps.
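The most common way HIBP's public API ends up inside a website or app is the Pwned Passwords range endpoint, which lets a signup or password-change form refuse passwords already seen in breaches without ever sending the password, or even its full hash, to HIBP: the client sends only the first five hex characters of the password's SHA-1 and gets back every known hash suffix in that range with its breach count (k-anonymity). The code below is an added example written for this page, not HIBP's own client; the request format and response layout are as HIBP documents them, while the offline fetcher and the FAKE_RANGE reply (including its counts) are constructed so the demonstration runs without network access.

```python
"""Checking a candidate password against HIBP Pwned Passwords with the
k-anonymity range API. Added example; the offline reply is constructed."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent and
    the 35-char suffix that stays local and is matched against the reply."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix):
    """Live fetcher: GET the hash range for a 5-char prefix from HIBP."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerate CRLF and blanks."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, fetcher=fetch_range):
    """How many times the password appears in breaches known to HIBP (0 = unseen).

    Only the 5-char prefix reaches the fetcher; the suffix lookup happens here.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetcher(prefix)).get(suffix, 0)


def acceptable(password, fetcher=fetch_range):
    """Policy hook for a signup form: reject any password HIBP has seen at all."""
    return pwned_count(password, fetcher) == 0


# Offline demonstration. The reply is constructed: it carries the real SHA-1
# suffix of "password" (computed here, not typed in) with a made-up count,
# plus two filler suffixes, in the same SUFFIX:COUNT layout HIBP returns.
_PW_PREFIX, _PW_SUFFIX = sha1_prefix_suffix("password")
FAKE_RANGE = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{_PW_SUFFIX}:3730471",
    "01A15BBE0A6B3C3B2A1E34F5C0A7F4F0D1C:12",
])


def offline_fetcher(prefix):
    """Stand-in for fetch_range that answers only for the constructed range."""
    return FAKE_RANGE if prefix == _PW_PREFIX else ""


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate, offline_fetcher)
        print(f"{candidate!r}: seen {n} times, acceptable={n == 0}")
```

Swap `offline_fetcher` for the default `fetch_range` to query HIBP for real. The privacy property worth noting is that the server learns only a 5-character prefix shared by hundreds of hashes, so a request leaks nothing usable about the actual password; the matching against the 35-character suffix is done entirely on the client side.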

Finally, password hygiene should be part of any company’s security
awareness training for employees. Password reuse is what enables
credential stuffing attacks so this practice should be strongly
discouraged, both at work and at home.

Users can use password managers to generate unique and complex
passwords for every online account without having to remember them.
Some of these applications even notify users automatically if their
email addresses are detected in public data dumps.

“Credential stuffing isn’t going anywhere,” Akamai concluded in its
State of the Internet report. “Since it can’t be stopped outright, the
goal should be making the process of obtaining credentials as
difficult as possible. Weak passwords and password reuse are the bane
of account security; it doesn’t matter if we’re talking about gaming,
retail, media and entertainment, or any other industry. If a password
is weak or reused across multiple accounts, it will eventually be
compromised. Awareness around these facts needs to increase, as does
the promotion of password managers and multi-factor authentication.”


More information about the BreachExchange mailing list