Credential stuffing - are you doing enough?

Credential stuffing attacks are nothing new and are in fact one of the simplest attacks for hackers to launch. The following is based on an excerpt from an article for Infosecurity Magazine, where Stuart Jubb, Managing Director of Consulting at Crossword Cybersecurity, outlines what credential stuffing is and discusses what companies need to be doing to protect themselves.


Credential stuffing is the name given to the type of cyberattack in which stolen account credentials - lists of usernames or email addresses and the corresponding passwords - are used to gain unauthorised access to user accounts through large-scale automated login requests. For 'script kiddies' it can be one of the first things that they try, for the thrill of seeing that they can gain access to systems. For the more experienced, the potential of a credential stuffing attack is much greater - it can provide them with more information on an individual user linked to their finances, home life etc, all of which can be used for fraud, to make purchases or spend credit in the account accessed, or to build a curated file on an individual that can be sold on the dark web for others to exploit.


The problem is that it doesn’t stop there. The success of a credential stuffing attack is not always measured by the hacker in the above terms. By finding a username/password combination that works, hackers will then test that combination across the world’s most popular consumer sites and services, to see whether the same credentials have been used elsewhere – and we all know how often the same password is reused. The pot of gold is gaining access to a personal email account, where the hacker can lurk, read, learn and exploit.


Remember, credential stuffing attacks are not always about gaining access. They are automated attacks in which thousands of credentials might be thrown at a website and tested from multiple servers. This leads to poor performance on the website and can even take it offline, in a type of denial of service attack. Where this is the goal, no black market credentials are needed at all.


Companies that become the victim of credential stuffing attacks can equally suffer financial and reputational damage, as well as losing the confidence of customers and investors.


Mitigation doesn’t have to mean complication


The hacker toolset is pretty impressive and for companies there is a whole host of security solutions available that will help make it harder for hackers to get what they want out of an attack, whether that is disruption, or validated credentials.


Here are some basics that you should also consider to ensure that your systems are doing all they can to mitigate the risks:


  • You might think you know your website traffic, but do you understand your logon traffic? These are not the same thing, so learn about the patterns in your business.


  • Don’t make the mistake of thinking that employing a tool such as a CAPTCHA is ‘job done’. An attacker can still attempt to log in multiple times using different usernames, and that is exactly what happens during a credential stuffing attempt.


  • Do not assume penetration testing is the answer – check how this is being addressed by your provider. It can identify some issues, but credential stuffing as an attack falls between the cracks. It does not fit neatly into app, network or perimeter security.


  • Monitor your failed-to-successful login ratio in real time across all login requests. It might be that a 2%-3% fail rate is normal for your business. So, what are you doing when it falls outside that range, and could it constitute a credential stuffing attack?


  • Look at employing time-series analysis to identify sudden peaks in login attempts. There may be seasonal elements to this, for example the start of a well-promoted sale of concert tickets or a retail event, but you can plan for these, and combined with the successful login analysis it can identify a sudden attack.


  • Advanced attacks can originate from cloud infrastructure. The IP address ranges of these providers are available online and can be used to help mitigate attacks.
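To make the monitoring points above concrete, here is an added example (not from the original article, and not Crossword Cybersecurity's code) that runs the failed-to-successful ratio check, the per-window burst check and the cloud-range lookup over a constructed login log. The log lines, the 3% baseline, the 5x multiplier and the cloud range are all assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log, one event per line: "<ISO time> <source ip> <username> <OK|FAIL>".
# Minute 10:00 is normal traffic (30 logins, 1 failure, about the 2%-3% baseline the text mentions);
# minute 10:01 is a burst in which one source tries 30 different usernames and fails every time.
NORMAL = [f"2024-05-01T10:00:{s:02d} 198.51.100.{s} user{s} OK" for s in range(10, 40)]
NORMAL[5] = "2024-05-01T10:00:15 198.51.100.15 user15 FAIL"
BURST = [f"2024-05-01T10:01:{s:02d} 203.0.113.9 victim{s} FAIL" for s in range(30)]
SAMPLE_LOG = NORMAL + BURST
# Assumed placeholder for a provider's published ranges (203.0.113.0/24 is documentation space).
CLOUD_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

def window_stats(lines, window=timedelta(minutes=1)):
    """Bucket events into fixed windows; count successes, failures, distinct users and sources."""
    stats = defaultdict(lambda: {"ok": 0, "fail": 0, "users": set(), "ips": set()})
    for line in lines:
        ts, ip, user, outcome = line.split()
        ts, ip = datetime.fromisoformat(ts), ipaddress.ip_address(ip)
        bucket = ts - (ts - datetime.min) % window  # floor the timestamp to the window start
        s = stats[bucket]
        s["ok" if outcome == "OK" else "fail"] += 1
        s["users"].add(user)
        s["ips"].add(ip)
    return stats

def detect(lines, baseline_fail_rate=0.03, multiplier=5, min_attempts=10):
    """Flag windows whose failure rate exceeds the baseline by `multiplier`, keyed by window start."""
    flagged = {}
    for bucket, s in window_stats(lines).items():
        total = s["ok"] + s["fail"]
        if total < min_attempts:
            continue  # too few logins in this window to judge a rate
        rate = s["fail"] / total
        if rate > baseline_fail_rate * multiplier:
            flagged[bucket.isoformat()] = {
                "fail_rate": round(rate, 2),
                "distinct_users": len(s["users"]),  # many usernames in one burst: a CAPTCHA alone won't stop this
                "cloud_sources": sorted(str(ip) for ip in s["ips"]
                                        if any(ip in net for net in CLOUD_RANGES)),
            }
    return flagged

if __name__ == "__main__":
    for start, info in detect(SAMPLE_LOG).items():
        print(start, info)
```

In production the baseline would come from the business's own measured patterns rather than a constant, and the window and multiplier tuned so that a promoted sale does not trip the check.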


The attacks and tools that hackers use are getting more sophisticated all the time. We need to get on top of credential stuffing as an industry. Whilst we’ve only scratched the surface of what is possible, the point is that there is a lot we can do to lower the risk of an attack happening, and to identify it quickly when it does.


Find out how the Crossword Cybersecurity consulting team can support companies with their cyber security strategy.


You can read the full article in Infosecurity Magazine here.