[BreachExchange] The Evolving Threat of Credential Stuffing
destry at riskbasedsecurity.com
Tue Apr 28 10:20:14 EDT 2020
Bots' swerve to focus on APIs means businesses must take the threat
seriously and take effective action.
Imagine installing a fancy deadbolt lock with a state-of-the-art alarm
system for your front door but leaving the back door wide open. No one
would do that, right? Yet many companies make a similar mistake with
their cybersecurity defenses. They put Fort Knox-like security on the
front end of their apps and websites while leaving their back-end
critical APIs exposed to the world.
Gartner predicts that by 2022, API abuses will become the most common
attack vector resulting in data breaches. "Despite growing awareness
of API security, breaches continue to occur," the analyst firm says.
When one adds up the total number of breached records over the past
few years, more than 50% are exfiltrated via applications and APIs.
It used to be that hackers' preferred method to gain access to online
accounts was through user-facing login pages in an account takeover
method called credential stuffing. Credential stuffing takes advantage
of a common weak point: the tendency of many users to reuse passwords.
This makes it easier for an attacker to leverage a list of usernames
and passwords stolen from one account and, in a damaging ripple
effect, run them against many services.
Cybercriminals execute these brute-force attacks with a huge assist
from cheap yet powerful automation tools — specifically bots that
hammer sites with various combinations of usernames and passwords over
and over until they hit on the right combination and get in.
Like any good drama, a typical credential-stuffing attack plays out in
The attacker steals credentials from a site or in some cases acquires
spilled credentials from a site breach on the Dark Web. It's not
uncommon for millions of records to be taken in a single breach.
The attacker uses a botnet to check masses of credentials against
multiple accounts and overcome simple detection and mitigation
mechanisms by spreading the attack between hundreds or thousands of
devices. Entire cybercrime communities have emerged to recommend
tactics and sell automated client configuration files dedicated to
Upon a successful login, the attacker can take over the accounts and
steal personal information such as credit card numbers or reward
points. The attacker might also use the account for other malicious
purposes, such as sending spam from an email account.
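The second act above is the one that defeats naive defences: a per-address lockout catches one host walking a stolen list, but not hundreds of quiet hosts that each try a couple of accounts. The following detector is an added example written for this post, not code from the article or its author; it runs over constructed log lines (the format, addresses and usernames are all invented here) and reports both the single-source pattern on the web login and the distributed pattern on a back-end API login endpoint.

```python
import re
from collections import defaultdict

# Constructed auth log lines for this example (not real data).
# Format: <epoch_seconds> <src_ip> <endpoint> <username> <result>
LOG_LINES = []
# Normal traffic: each user signs in from their own address, mostly succeeding.
for i in range(6):
    LOG_LINES.append(f"{1000 + i} 203.0.113.{i + 1} /login user{i} ok")
LOG_LINES.append("1010 203.0.113.2 /login user1 fail")  # a typo, then success
LOG_LINES.append("1012 203.0.113.2 /login user1 ok")
# Classic single-source stuffing: one address walks a stolen list on the web login.
for i in range(8):
    LOG_LINES.append(f"{1100 + i} 198.51.100.7 /login victim{i} fail")
# Distributed stuffing against the back-end API: 20 addresses, 2 tries each,
# every address below a per-address lockout threshold, all different accounts.
for i in range(20):
    LOG_LINES.append(f"{1200 + 2 * i} 192.0.2.{i + 1} /api/v1/auth acct{2 * i} fail")
    LOG_LINES.append(f"{1201 + 2 * i} 192.0.2.{i + 1} /api/v1/auth acct{2 * i + 1} fail")

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (ok|fail)$")


def parse(lines):
    """Turn raw log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, endpoint, user, result = m.groups()
        events.append({"ts": int(ts), "ip": ip, "endpoint": endpoint,
                       "user": user, "ok": result == "ok"})
    return events


def analyze(events, per_ip_users=5, dist_min_ips=10, dist_min_users=15, dist_max_per_ip=3):
    """Return {endpoint: [findings]} for every login endpoint seen.

    Signal 1 ("single_source"): one address failing against >= per_ip_users
      distinct accounts. This is what a per-IP lockout already catches.
    Signal 2 ("distributed"): >= dist_min_ips addresses that each stay at or
      below dist_max_per_ip failures (so no per-IP rule fires) but together
      fail against >= dist_min_users distinct accounts.
    """
    by_endpoint = defaultdict(list)
    for e in events:
        by_endpoint[e["endpoint"]].append(e)

    findings = {}
    for endpoint, evs in by_endpoint.items():
        fails = [e for e in evs if not e["ok"]]
        users_per_ip = defaultdict(set)
        attempts_per_ip = defaultdict(int)
        for e in fails:
            users_per_ip[e["ip"]].add(e["user"])
            attempts_per_ip[e["ip"]] += 1

        out = []
        noisy = {ip for ip, users in users_per_ip.items() if len(users) >= per_ip_users}
        for ip in sorted(noisy):
            out.append(("single_source", ip, len(users_per_ip[ip])))

        # Look at the "quiet" sources only: the ones a per-IP threshold ignores.
        quiet_ips = [ip for ip in attempts_per_ip if ip not in noisy]
        quiet_users = {e["user"] for e in fails if e["ip"] not in noisy}
        if (len(quiet_ips) >= dist_min_ips
                and len(quiet_users) >= dist_min_users
                and max(attempts_per_ip[ip] for ip in quiet_ips) <= dist_max_per_ip):
            out.append(("distributed", len(quiet_ips), len(quiet_users)))
        findings[endpoint] = out
    return findings


if __name__ == "__main__":
    for endpoint, found in analyze(parse(LOG_LINES)).items():
        print(endpoint, found or "no findings")
```

The thresholds are placeholders to tune against real baselines; the point is that the distributed rule keys on the aggregate (distinct accounts failing per endpoint, across many low-rate sources) rather than on any one address, and that the API endpoint is evaluated with exactly the same logic as the web form.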
Credential stuffing victims in the last couple of years include
Spanish soccer team FC Barcelona, whose Twitter account was hacked and
then sent bogus tweets, and Dunkin' Donuts, which warned customers in
its DD Perks program that an unauthorized source gained access to some
account holders' usernames and passwords.
As more companies get better at locking down their front-end
applications and web pages to safeguard against credential stuffing,
bad actors have increasingly spotted an opportunity in the back-end
APIs and microservices that have tended to be poorly defended. We
already see more than half of breaches occurring this way, and the
balance will continue to shift more in that direction.
Getting in through an API is appealing to attackers because there are
fewer hoops to navigate: Many companies simply are unaware of the huge
amount of data they're transmitting via APIs and don’t do a good
enough job protecting them.
Add to that the fact that bots comprise an enormous amount of Internet
traffic. Forty percent of the 25 petabytes our company processes every
month is from bots, and half of that is for malicious purposes like
credential stuffing. Thanks to the public cloud and more sophisticated
tools, it has become easier and cheaper for hackers to create and
launch ever-more-powerful bots.
Attacks on APIs are a significant threat at a time when they've become
the backbone of the software applications that run the digital world.
One example is open banking, which is designed to make consumers'
lives easier by giving third-party financial services providers
electronic access to data from banks and other financial institutions
through the use of APIs, with the outside partners then developing new
apps and services on top.
So, what can be done?
First, companies simply need to place as high a priority on securing
their back-end APIs and services as they have on other parts of their
infrastructure. APIs are applications too, and a SQL injection is still
a SQL injection regardless of whether it is performed through the front
end or the back end.
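To make the point concrete, here is an added example (not from the article) of a JSON login handler of the kind a back-end API might expose, in a vulnerable form and a fixed form. The table, the user "alice", the fixed salt and the handler names are all constructed for the demonstration; a real service would use a per-user random salt and a web framework rather than raw function calls.

```python
import hashlib
import hmac
import json
import sqlite3

# Demo-only fixed salt so the example is deterministic; production code
# stores a random salt per user alongside the hash.
SALT = b"constructed-demo-salt"


def hash_pw(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()


def make_db():
    """In-memory user table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", hash_pw("correct horse")))
    return conn


def api_login_vulnerable(conn, body):
    """API handler that builds SQL from the JSON body by string formatting.

    Nothing about the JSON transport makes this safer than a web form: the
    username field is spliced straight into the query text.
    """
    req = json.loads(body)
    username = req["username"]
    pw_hash = hash_pw(req["password"])
    sql = (f"SELECT 1 FROM users WHERE username = '{username}' "
           f"AND password_hash = '{pw_hash}'")
    return conn.execute(sql).fetchone() is not None


def api_login_fixed(conn, body):
    """Same handler with a parameterised lookup and a constant-time compare.

    The username is bound as a parameter, so it can only ever match a row
    value; the password check happens in code, not in the WHERE clause.
    """
    req = json.loads(body)
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?",
                       (req["username"],)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], hash_pw(req["password"]))


if __name__ == "__main__":
    db = make_db()
    good = '{"username": "alice", "password": "correct horse"}'
    bad = '{"username": "alice", "password": "wrong"}'
    print("fixed, right password:", api_login_fixed(db, good))
    print("fixed, wrong password:", api_login_fixed(db, bad))
```

Both handlers accept the same request body; only the fixed one keeps the username out of the SQL text, which is why the API deserves the same query-construction review as the web tier.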
Second, major players such as Apple and Google, which have dominant
mobile platforms, could bake password management and two-factor
authentication (2FA) directly in their respective platforms. These
companies have infinite resources to help consumers, and they should.
The net result would be a general population with stronger passwords
and identity management.
To protect against old-school, front-end credential stuffing, users
need to remember to use different passwords for different apps and
sites. In the absence of platform-native options, we suggest that
individuals use password managers and 2FA solutions. For more serious
applications and services, we recommend hardware keys.
Credential stuffing has long been one of the most common types of
cyberattacks, but the threat is evolving. Companies need to take the
threat seriously and take effective action.