Credential stuffing has become a preferred tactic among digital attackers over the past few years. As reported by Help Net Security, researchers detected 193 billion credential stuffing attacks globally in 2020. Financial services groups suffered 3.4 billion of those attacks. That’s an increase of more than 45% year over year in that sector. In H1 2021, fraudsters focused on digital accounts by breaking into existing user accounts or creating new accounts, per Business Wire. Nearly three in 10 of those attacks consisted of credential stuffing.

How Does Credential Stuffing Work?

According to the Open Web Application Security Project, a credential stuffing attack begins when a malicious actor uses a phishing campaign, password dump or another information leak to steal users’ account credentials. The attacker then uses automated tools to test the credentials across multiple websites. These might belong to social media platforms and online marketplaces. Many of those toolkits are either free or low cost, wrote TechRepublic, and they often come with configurations that attackers can use to target files on certain websites.

“The capability to automate attacks like credential stuffing makes these kinds of attacks have a low bar to entry,” explained Sushila Nair, a VP of security services. “The tools are cheap, and you can allow tools and scripts to ripple through stolen troves of passwords from the dark web to see if you can break in.”

Accessible Tools

In addition, malicious actors will also download public tools to help identify which passwords belong to which sites. As noted by Information Security Buzz, this will help attackers to improve the success rate of their attacks. It will also limit the number of times a botnet can send out an authentication attempt. Therefore, it improves their chances of conducting an attack without raising red flags.

If the login attempt succeeds, the attacker can then leverage the account for a variety of different malicious purposes. They can drain the stolen accounts of their stored funds, for instance. They can also access sensitive information contained therein, send out phishing messages and spam calls or monetize that data on dark web marketplaces.

“Ultimately, the success of password spray attacks and the fact it doesn’t require the use of advanced technology makes it a great starting point for attackers,” noted Nair. “All it takes is one compromised credential or one legacy application to cause a data breach. The Identity Theft Resource Center estimates the average person has around 100 passwords to remember, so it’s no surprise that so many of us are reusing the same passwords across multiple sites, which contributes to the success of this kind of attack.”

In the News

Let’s examine some credential stuffing attacks that made headlines over the course of 2021.

In February 2021, Bitdefender reported that a music streaming platform fell victim to a credential stuffing attack. Attackers used a malicious logger database containing the details of over 100,000 users’ credentials to try to compromise those accounts. Per the security firm’s reporting, someone probably leaked those details elsewhere initially before using them in this attack.

In August, the FBI warned that malicious actors were using a distinct type of credential stuffing attacks. Powered by data leaked from other companies, attackers targeted online accounts at grocery stores, restaurants and food delivery services. The attackers’ hope was that users had reused their passwords across multiple web services, reported The Record. Access to those accounts gave malicious actors access to a lot more. They could drain users’ accounts of their funds, steal their personal information or abuse their financial data for fraud.

More Retailer Credential Stuffing

In October, an all-digital wireless carrier confirmed that someone had seized control of some of their customers’ accounts. The attacker then changed those users’ stored information including their passwords and shipping addresses. They also charged some of those accounts the price of a new iPhone. The wireless provider denied having suffered a data breach, per Threatpost. Instead, it said it suffered something along the lines of a credential stuffing attack. “Threat actors were able to access username/passwords from outside sources and exploit that information” to log into protected accounts.

Around that same time, Help Net Security reported on a credential stuffing campaign started by a fraud ring dubbed Proxy Phantom. It used a cluster of rotating IP addresses and over 1.5 million stolen account details to try to break into user accounts on merchant websites. Those bot-based attacks conducted as many as 2,691 login attempts a second.

How to Defend Against a Credential Stuffing Attack

To defend against credential stuffing attacks, you need to know two things. Where have they come from over the past couple of years, and where they are now?

“As we have been propelled into the cloud, the traditional perimeter of the firewall is disappearing, and identity is the new perimeter,” Nair pointed out. “Essentially, identity is the fence that you must climb over to get into the network where the data is stored. Yubico estimates 81% of hacking-related breaches come from Internet credential theft, and this is not surprising given 85% of folks admitted to reusing passwords on multiple sites. Any security control that relies on humans’ infallibility is doomed. We must strengthen authentication by using multi-factor authentication (MFA) and passwordless authentication to tighten our new perimeter.”

MFA is useful because it can help add steps to the login process, disrupting the flow of an attack. But it’s not the only control that does this. For instance, infosec personnel can require users to solve CAPTCHAs. This will help to prevent login attempts as part of an automated attack such as those that occur in a credential campaign, noted CCSI.

In addition, your team can use user behavioral analytics to review their authorized accounts for suspicious activity. If they detect any, they can notify the user and work with them to resolve the issue. This includes checking employees’ new passwords against those that have already been breached.

More from Identity & Access

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Web injections are back on the rise: 40+ banks affected by new malware campaign

8 min read - Web injections, a favored technique employed by various banking trojans, have been a persistent threat in the realm of cyberattacks. These malicious injections enable cyber criminals to manipulate data exchanges between users and web browsers, potentially compromising sensitive information. In March 2023, security researchers at IBM Security Trusteer uncovered a new malware campaign using JavaScript web injections. This new campaign is widespread and particularly evasive, with historical indicators of compromise (IOCs) suggesting a possible connection to DanaBot — although we…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today