Credential stuffing has become a preferred tactic among digital attackers over the past few years. As reported by Help Net Security, researchers detected 193 billion credential stuffing attacks globally in 2020. Financial services groups suffered 3.4 billion of those attacks. That’s an increase of more than 45% year over year in that sector. In H1 2021, fraudsters focused on digital accounts by breaking into existing user accounts or creating new accounts, per Business Wire. Nearly three in 10 of those attacks consisted of credential stuffing.

How Does Credential Stuffing Work?

According to the Open Web Application Security Project, a credential stuffing attack begins when a malicious actor uses a phishing campaign, password dump or another information leak to steal users’ account credentials. The attacker then uses automated tools to test the credentials across multiple websites. These might belong to social media platforms and online marketplaces. Many of those toolkits are either free or low cost, wrote TechRepublic, and they often come with configurations that attackers can use to target files on certain websites.

“The capability to automate attacks like credential stuffing makes these kinds of attacks have a low bar to entry,” explained Sushila Nair, a VP of security services. “The tools are cheap, and you can allow tools and scripts to ripple through stolen troves of passwords from the dark web to see if you can break in.”

Accessible Tools

In addition, malicious actors will also download public tools to help identify which passwords belong to which sites. As noted by Information Security Buzz, this will help attackers to improve the success rate of their attacks. It will also limit the number of times a botnet can send out an authentication attempt. Therefore, it improves their chances of conducting an attack without raising red flags.

If the login attempt succeeds, the attacker can then leverage the account for a variety of different malicious purposes. They can drain the stolen accounts of their stored funds, for instance. They can also access sensitive information contained therein, send out phishing messages and spam calls or monetize that data on dark web marketplaces.

“Ultimately, the success of password spray attacks and the fact it doesn’t require the use of advanced technology makes it a great starting point for attackers,” noted Nair. “All it takes is one compromised credential or one legacy application to cause a data breach. The Identity Theft Resource Center estimates the average person has around 100 passwords to remember, so it’s no surprise that so many of us are reusing the same passwords across multiple sites, which contributes to the success of this kind of attack.”

In the News

Let’s examine some credential stuffing attacks that made headlines over the course of 2021.

In February 2021, Bitdefender reported that a music streaming platform fell victim to a credential stuffing attack. Attackers used a malicious logger database containing the details of over 100,000 users’ credentials to try to compromise those accounts. Per the security firm’s reporting, someone probably leaked those details elsewhere initially before using them in this attack.

In August, the FBI warned that malicious actors were using a distinct type of credential stuffing attack. Powered by data leaked from other companies, attackers targeted online accounts at grocery stores, restaurants and food delivery services. The attackers’ hope was that users had reused their passwords across multiple web services, reported The Record. Access to those accounts gave malicious actors access to a lot more. They could drain users’ accounts of their funds, steal their personal information or abuse their financial data for fraud.

More Retailer Credential Stuffing

In October, an all-digital wireless carrier confirmed that someone had seized control of some of their customers’ accounts. The attacker then changed those users’ stored information including their passwords and shipping addresses. They also charged some of those accounts the price of a new iPhone. The wireless provider denied having suffered a data breach, per Threatpost. Instead, it said it suffered something along the lines of a credential stuffing attack. “Threat actors were able to access username/passwords from outside sources and exploit that information” to log into protected accounts.

Around that same time, Help Net Security reported on a credential stuffing campaign started by a fraud ring dubbed Proxy Phantom. It used a cluster of rotating IP addresses and over 1.5 million stolen account details to try to break into user accounts on merchant websites. Those bot-based attacks conducted as many as 2,691 login attempts a second.

How to Defend Against a Credential Stuffing Attack

To defend against credential stuffing attacks, you need to know two things: where they have come from over the past couple of years, and where they are now.

“As we have been propelled into the cloud, the traditional perimeter of the firewall is disappearing, and identity is the new perimeter,” Nair pointed out. “Essentially, identity is the fence that you must climb over to get into the network where the data is stored. Yubico estimates 81% of hacking-related breaches come from Internet credential theft, and this is not surprising given 85% of folks admitted to reusing passwords on multiple sites. Any security control that relies on humans’ infallibility is doomed. We must strengthen authentication by using multi-factor authentication (MFA) and passwordless authentication to tighten our new perimeter.”

MFA is useful because it adds steps to the login process, disrupting the flow of an attack. But it’s not the only control that does this. For instance, infosec personnel can require users to solve CAPTCHAs. This helps to block login attempts made as part of an automated attack such as those that occur in a credential stuffing campaign, noted CCSI.

In addition, your team can use user behavioral analytics to review authorized accounts for suspicious activity. If they detect any, they can notify the user and work with them to resolve the issue. This also includes checking employees’ new passwords against those that have already appeared in a breach.
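The two defender-side checks described above (reviewing login activity for automated bursts, and rejecting passwords that already appear in a breach) can be shown concretely. The following is an added example written for this article, not code from the original post or from any vendor it quotes. The auth log lines and the small breached-password list are constructed for the example; the sliding-window thresholds are assumptions a real deployment would tune. The detection rule keys on the pattern the Proxy Phantom campaign above exhibits: one source trying many distinct usernames in a short window with mostly failures, which a single user mistyping their own password does not produce. The breach check stores SHA-1 hashes under their first five hex characters, the same k-anonymity layout used by the Have I Been Pwned range lookup, with an offline table standing in for the remote service.

```python
"""Defender-side checks for credential stuffing: flag automated login
bursts in an auth log and reject passwords present in a breach list.
Added example; the log lines and breach list below are constructed."""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: timestamp, source IP, username, result.
# 203.0.113.10 and .11 walk a stolen list; 198.51.100.7 is one user retrying.
SAMPLE_LOG = """\
2021-10-05T10:00:00 203.0.113.10 alice FAIL
2021-10-05T10:00:01 203.0.113.10 bob FAIL
2021-10-05T10:00:01 203.0.113.10 carol FAIL
2021-10-05T10:00:02 203.0.113.10 dave FAIL
2021-10-05T10:00:02 203.0.113.10 erin SUCCESS
2021-10-05T10:00:03 203.0.113.10 frank FAIL
2021-10-05T10:00:03 203.0.113.11 grace FAIL
2021-10-05T10:00:04 203.0.113.11 heidi FAIL
2021-10-05T10:00:04 203.0.113.11 ivan FAIL
2021-10-05T10:00:05 203.0.113.11 judy FAIL
2021-10-05T10:00:05 203.0.113.11 mallory FAIL
2021-10-05T10:00:06 203.0.113.11 niaj FAIL
2021-10-05T10:05:00 198.51.100.7 alice FAIL
2021-10-05T10:05:20 198.51.100.7 alice FAIL
2021-10-05T10:05:40 198.51.100.7 alice SUCCESS
"""


def parse_log(text):
    """Turn each log line into (timestamp, ip, username, succeeded)."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return events


def find_stuffing_sources(events, window=timedelta(seconds=60), min_attempts=5,
                          min_distinct_users=4, max_success_ratio=0.5):
    """Flag source IPs that, inside one sliding window, try many distinct
    usernames with mostly failures. Thresholds are assumed values for the
    example. Returns {ip: stats of the widest qualifying window}."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        best = None
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits inside `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            successes = sum(1 for _, _, ok in span if ok)
            qualifies = (len(span) >= min_attempts
                         and len(users) >= min_distinct_users
                         and successes / len(span) <= max_success_ratio)
            if qualifies and (best is None or len(span) > best["attempts"]):
                best = {"attempts": len(span), "distinct_users": len(users),
                        "successes": successes}
        if best:
            flagged[ip] = best
    return flagged


# Constructed "breached password" corpus standing in for a real leak list.
BREACHED = ["password", "123456", "qwerty", "letmein", "iloveyou"]


def build_breach_index(passwords):
    """Index SHA-1 digests by their 5-hex-char prefix (k-anonymity layout),
    so a lookup needs only the prefix and never the full hash."""
    index = defaultdict(set)
    for pw in passwords:
        digest = hashlib.sha1(pw.encode()).hexdigest().upper()
        index[digest[:5]].add(digest[5:])
    return index


BREACH_INDEX = build_breach_index(BREACHED)


def is_breached(password, index=BREACH_INDEX):
    """True if the candidate password's hash suffix is in its prefix bucket."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in index.get(digest[:5], set())


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {stats}")
    for pw in ["password", "correct horse battery staple"]:
        print(pw, "-> breached" if is_breached(pw) else "-> not in breach list")
```

Running the script flags both 203.0.113.x sources (six distinct usernames each within a few seconds, at most one success) and leaves 198.51.100.7 alone, since three attempts against a single account is ordinary user behaviour. In production the flagged sources would feed a CAPTCHA or rate-limit decision rather than a print, and the breach index would be replaced by a range lookup against a full leak corpus.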
