In a few surveys, it was estimated that nearly 81% of users reuse the same login and 25% use the same password across multiple accounts. Because cybercriminals are successfully breaching systems all the time, all they need is stolen credentials: usernames, email addresses and the corresponding passwords. Credential stuffing is a cyberattack that makes use of this information by automating logins to anywhere from thousands to millions of websites. It is particularly useful for criminals when it comes to e-commerce and credit card logins.
The term credential stuffing was coined by Sumit Agarwal, co-founder of Shape Security, during his tenure as the Pentagon’s Deputy Assistant Secretary of Defense. Purpose-built attack tools use botnet delivery to probe a target website. The botnet makes a single credential attempt at a time, so each attempt looks like an end user trying to log in and failing. It tries only a few times, emulating a user, and then moves on to the next attempt.
Credential stuffing has been very successful. A Shape Security report stated: “In one week, cybercriminals made over five million login attempts at a Fortune 100 B2C website using multiple attack groups and hundreds of thousands of proxies located throughout the world.” On another occasion, “During one day, a large retailer witnessed over 10,000 login attempts using over 1,000 proxies.”
The return on credential stuffing can be quite lucrative. Because the process is completely automated, even a success rate of between 0.1% and 2% pays off. In plain math this equates to access to around 10,000 accounts for every one million credentials that are stolen, and it is all because users reuse the same logins and passwords for so many of their accounts.
Another factor in the success of credential stuffing is that much of the credential data is openly available on the dark net, given away for free by hackers. Sources of free credentials have included Cracking-dot-org, Crackingking-dot-org and Crackingseal-dot-io.
Actions to Thwart Credential Stuffing
One of the more successful methods of defeating credential stuffing has been CAPTCHA, the challenge that presents distorted text which automated optical character recognition software struggles to read. However, CAPTCHA is not always practical for websites such as e-commerce stores. In a society that has become increasingly impatient, users will give up and go to another website if they have any difficulty with CAPTCHA input.
- Password management: make sure users improve their password habits. Using different logins and passwords for different sites is the easiest defense against credential stuffing.
- For companies, make use of multifactor authentication. The additional layer of security also helps protect against phishing attacks.
- There are a number of both enterprise-grade and free anomaly detection tools available. They help identify risk signals such as suspicious behavior involving multiple login attempts for one or more users, and they can detect unusual activity from specific IP addresses, which can be an alert for a credential stuffing attack.
- Password managers are another option that helps users create strong and unique passwords. Many of these programs are free of charge and prompt the user with a strength or weakness rating when a password is created.
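The anomaly detection idea above, and the botnet behaviour described earlier (one attempt per credential, spread across many proxies so that each source looks like a single failing user), can be demonstrated in a few dozen lines. The following is an added example written for this page, not code from the article or from DaVinci Forensics; the log format `<unix_ts> <ip> <username> <OK|FAIL>`, the sample lines and the thresholds are all constructed for the demo. It contrasts a classic per-IP failure counter, which a distributed attack slips past, with a per-window aggregate check that looks at failure ratio, username spread and IP spread together.

```python
"""Detecting a distributed credential-stuffing burst in a login log.

Added example, not from the original article. The log format
"<unix_ts> <ip> <username> <OK|FAIL>" and all sample data are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # seconds since epoch (constructed values)
    ip: str
    username: str
    success: bool


def parse_log(lines):
    """Parse constructed log lines; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        events.append(LoginEvent(int(ts), ip, user, result == "OK"))
    return events


def noisy_ips(events, threshold=3):
    """Classic per-source rule: IPs with at least `threshold` failed logins.

    Catches a single brute-forcing host, but is blind to a botnet that
    spreads one or two attempts over hundreds of proxies.
    """
    fails = defaultdict(int)
    for e in events:
        if not e.success:
            fails[e.ip] += 1
    return sorted(ip for ip, n in fails.items() if n >= threshold)


def window_stats(events, window=60):
    """Aggregate each fixed time window into the signals stuffing leaves behind."""
    buckets = defaultdict(list)
    for e in events:
        buckets[e.ts // window * window].append(e)
    stats = {}
    for start, evs in sorted(buckets.items()):
        attempts = len(evs)
        failures = sum(1 for e in evs if not e.success)
        ips = {e.ip for e in evs}
        per_ip = defaultdict(int)
        for e in evs:
            per_ip[e.ip] += 1
        stats[start] = {
            "attempts": attempts,
            "fail_ratio": failures / attempts,
            "distinct_ips": len(ips),
            "distinct_users": len({e.username for e in evs}),
            "max_attempts_per_ip": max(per_ip.values()),
        }
    return stats


def flag_stuffing_windows(stats, min_attempts=10, min_fail_ratio=0.8,
                          min_user_spread=0.8, min_ip_spread=0.5):
    """Flag windows whose aggregate shape matches credential stuffing.

    Signature: most attempts fail, nearly every attempt is a different
    username (each stolen pair is tried once), and the attempts come from
    many different IPs (each proxy stays below any per-IP threshold).
    """
    flagged = []
    for start, s in stats.items():
        if s["attempts"] < min_attempts:
            continue
        user_spread = s["distinct_users"] / s["attempts"]
        ip_spread = s["distinct_ips"] / s["attempts"]
        if (s["fail_ratio"] >= min_fail_ratio
                and user_spread >= min_user_spread
                and ip_spread >= min_ip_spread):
            flagged.append(start)
    return flagged


# Constructed sample: a quiet minute of normal traffic (a couple of typos),
# then a stuffing burst of 20 stolen pairs, each tried once from its own proxy.
SAMPLE_LOG = [
    "5 198.51.100.10 alice FAIL",
    "9 198.51.100.10 alice OK",
    "14 198.51.100.22 bob OK",
    "20 198.51.100.31 carol FAIL",
    "23 198.51.100.31 carol OK",
    "40 198.51.100.22 bob OK",
]
SAMPLE_LOG += [
    f"{60 + i} 203.0.113.{i + 1} user{i:02d} {'OK' if i == 7 else 'FAIL'}"
    for i in range(20)
]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP rule flags:", noisy_ips(evs))            # [] : botnet slips past
    st = window_stats(evs)
    print("aggregate rule flags windows:", flag_stuffing_windows(st))  # [60]
    print(st[60])
```

The per-IP counter returns nothing for the sample, because no proxy fails more than once; the aggregate check flags the second window, where 19 of 20 attempts fail, all 20 usernames are distinct and all 20 sources are distinct. In production the thresholds would be tuned against a baseline of the site's normal login mix rather than fixed constants.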
“It only takes one successful credential stuffing attempt for a cybercriminal to take over an individual’s account and then expand to other potential accounts. DaVinci Forensics specializes in communication of the various methods of cyberhacking that criminals make use of and offers up-to-date data and information on methods to keep individuals and companies safe.”