July 16, 2019
Credential Stuffing: New Tools and Stolen Data Driving Fresh Wave of Attacks
Posted August 14, 2019
Credential stuffing has become a stalwart of the fraudster’s cyber arsenal, with these attacks showing no signs of slowing over the past year. In fact, it may be about to get worse.
Barely a blip on anyone’s radar just a few short years ago, automated credential stuffing attacks have been a boon to cybercriminals seeking to use login credentials, stolen from one business, to log in and hijack customer accounts at another.
According to data captured in our latest Cybercrime Report, there were more than 2.8 billion automated bot attacks in the second half of last year, many of which may have been used in credential stuffing operations aimed at taking over customer accounts. With a success rate of 1% to 3%, credential stuffing contributes to as much as $4 billion in losses from account takeovers (ATOs) per year.
Unfortunately, it’s about to get a whole lot easier to pull off these attacks. Let’s look at why.
Barriers to Entry in Free Fall
Large-scale data breaches continue to drive the price of stolen credentials down, with the price of login credentials for accounts that may have fetched $10, now available for around $1 to $2 on the dark web.
You can also point to massive credential caches, like the recently-discovered “Collection #1,” which contains 773 million email addresses and 21 million passwords. For sale at just $45, it’s a credential stuffer’s dream come true.
Generally speaking, these attacks are predicated on the fact that far too many of us use the same usernames and passwords for numerous accounts. In fact, people tend to use the exact same ones—”123456,” “qwerty,” and “abc123” rank among the top 10 most hacked passwords today.
Once acquired, cybercriminals validate these credentials through small credential testing attacks before launching a major offensive on their ultimate prey.
Cybercriminal Advances are Ingenious
Hackers are rapidly evolving their attack methodologies. Today, more advanced credential-stuffing bots take a “low and slow” approach in an effort to mimic legitimate customer behavior and slip just beneath the velocity radar, making them harder to detect.
In recent weeks, however, reports have surfaced that tech-savvy crime syndicates are also doing something far more unsettling: selling user data—account credentials, cookies, browser user agents and more—belonging to 60,000 web users who’ve been infected by malware and had their account passwords and full browser details recorded.
This includes browser user-agent details, WebGL signatures, HTML5 canvas fingerprints, user profiles and login credentials for banking services, file-sharing, and social media—as well as the cookies associated with those accounts. Starting at just $5 per user, cybercriminal bot attacks leveraging this user data may start to appear nearly indistinguishable from legitimate traffic.
Others have begun using AI-enabled autonomous agents capable of emulating human behavior in order to evade detection. Furthermore, cyberthieves are increasingly leveraging residential IP addresses to give bot traffic the appearance of originating from innocuous, low-risk sources.
The Economics of ‘Stuffing are Irresistible
The payoff can be huge. Last year, as much as $500 million was stolen through compromised peer-to-peer payment accounts alone. CSO further reports that 60% of logins at airlines and 91% of traffic at online retailers could consist of credential stuffing during peak attack times last year.
According to Verizon’s 2019 Data Breach Investigations Report, one especially lucrative attack modality appears to be leveraging stolen credentials to compromise cloud-based webmail accounts. Such attacks now account for 16% of all breaches—up from 3% in just 12 months. Once hackers have infiltrated Gmail, Office 365 or other cloud-mail accounts, they can launch “chain phishing attacks“—pulling off executive impersonation scams, stealing valuable IP, redirecting employee paychecks and more.
According to the SEC, at least nine publicly-traded companies may have recently fallen victim to attacks launched from this kind of attack when hackers hijacked email accounts at suppliers and sent out bogus invoices. One company unwittingly paid out $45 million to these criminals through wire transfers. Another paid $30 million.
The Answer is Identity
The truth is, no independent solution can curb credential stuffing on its own. As credential stuffing attacks increase, companies will find they need to employ a more multi-layered approach to cybersecurity.
Breached credentials, AI-based behavioral emulation, stolen user web data, residential IP hijacking, and other forms of identity deception are no match for solutions that assess hundreds of dynamic identity attributes that cannot be faked or stolen.
So look out for companies that deploy modern, digital identity-based user verification and assessment solutions backed by behavioral biometrics, device recognition, and online and offline identity data. Options that leverage shared, global threat intelligence will also prove especially compelling. In fact, one retailer that has deployed such solutions reports that it can now block 90% of all bot traffic, and has cut bot-based login attempts by 50%—without negatively impacting the user experience.
The Time to Act is Now
While some companies are making significant progress, others have yet to take the first steps toward mitigating the threat posed by credential stuffing. Of course, given the billions in annual losses and new advances in attack techniques, they’ve got plenty of incentive to get started—before things take a turn for the worse.
To learn more about credential stuffing and how a digital identity-based approach to user authentication can help defeat it, download a ThreatMetrix solution brief on blocking bot-based account takeovers.