It’s So Hard To Tell, But We’re All Getting Credential Stuffed

Credential stuffing: Depending on which industry you work in and how seriously your business takes threats, you’re either shrugging it off or it’s throbbing like a sore thumb.

If it isn’t throbbing, it should be. Here’s why. 


What’s credential stuffing?

There’s innocuous bot traffic—search engines, for example—and then there’s bad bot interaction, when fraudsters get their hands on massive lists of compromised user name/password combinations and see what goodies they’ll unlock: bank accounts? Gift card accounts with cash and credit cards attached? 

All of that is possible thanks to ubiquitous password reuse. And getting credentials is far from hard: more than 3 billion credentials were reportedly stolen in 2016, and that number nearly doubled between 2016 and 2020. 

Rampant credential reuse means that attackers have something like a 2% login success rate, according to Google’s former click fraud czar Shuman Ghosemajumder. In other words, every 1 million stolen credentials can lead to 20,000 account takeovers.

The behavior has recently spiked. In a September 2020 private industry notification, the FBI warned that these automated attacks account for the greatest volume of attacks against the financial industry, at 41 percent of total incidents from 2017 through 2019. Security experts tell us that the spike has grown worse still over the past two years.


Thanks to our article sponsor, F5

Why should you care?

As the FBI noted, these attacks can lead to downtime, loss of customers, and reputational damage. On average, they cost affected businesses $6 million per year—and that’s not counting the costs lost to the fraud that can result. 

Case in point: the 2016 credential stuffing of a private GitHub repository used by Uber developers. The intruders used employees’ credentials obtained in previous breaches and took over some accounts that weren’t protected by multi-factor authentication (MFA). They found credentials for Uber’s AWS datastore in the repository files, which they then used to drain the records of 32 million non-US users and 3.7 million non-US drivers, along with data in 100 S3 buckets. The attackers extorted Uber for $100,000 to destroy the data, which Uber paid. Uber subsequently got fined for covering up the breach. 

Why now?

DC Cullinane, vp of cloud-based bot mitigation service provider Kasada, says that these days, bad actors have all the assets they need to do these types of things. “[Credential pairs] were originally for sale. Then, several years ago, they were made available for free. They’d been on the market so long, several sets that had been confirmed and shown to work were made available.”

He compares this perfect storm of credential stuffing to a shooting. The credential pairs are the bullets. To find out which ones are live or duds, bad actors need a gun: in other words, a tool to automate the logins for vast caches of credentials. Nowadays, they have many guns to choose from, including standard web automation tools such as Selenium, cURL, or PhantomJS. There are also tools designed specifically for credential stuffing attacks, such as Sentry MBA or SNIPR.

Given these freely available weapons, “What do you think people will do?” Cullinane asked. “They’ll test them. They’re interested. If there are a billion credential pairs available, I’ll point at a bank website to see which work.”

Christopher Patteson, executive director of Archer Integrated Risk Management’s Risk Transformation Office, says there’s another important factor behind the “Why now?” question: more people are now looking for this automated activity. But unless you’re closely analyzing web traffic, it isn’t particularly distinguishable from ordinary logins. “For a lot of customers, if they’re not analyzing web sites and looking at traffic very closely, it can get mixed in with day-to-day stuff,” he said.

Who you calling leaky?

Credential stuffing attacks don’t rely on poor coding, architecture or design, says Dan Woods, vp of F5’s Shape Intelligence Center. Web application firewalls (WAFs) don’t stop these attacks because, essentially, the attackers are just abusing the intended functionality of logins.

“[These apps] are vulnerable because they often have a critical business requirement to enable customers to create accounts, store something of value, or perhaps reset logins,” he said. “It’s operating by design. It’s not broken. Fraudsters are taking advantage of that and abusing it. They’re not throwing an exploit at it in the traditional sense.”

It’s a classic Whack-A-Mole problem: The attackers keep innovating. WAFs were designed to inspect traffic velocity and IP addresses, but that doesn’t work these days, Cullinane says. “Fraudsters, they come in so low and slow, these WAFs don’t work. All the fraudsters said, ‘Oh, all you have to do is do 5-10 [login attempts] every millisecond, and the WAF lets you through.’” Blocking misbehaving IP addresses doesn’t work either, he said, given that bad actors will simply change the IP address every few attempts.
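To make the evasion concrete, here is an added Python illustration (not code from Kasada, F5 or the article's author) that replays a constructed login log through two checks. The first is the WAF-style per-IP velocity rule Cullinane describes, which a low-and-slow, IP-rotating run never trips; the second is a site-wide view that flags a window when failed logins are numerous, spread across many distinct accounts and far above the failure ratio ordinary typos produce. The log, the IP addresses (RFC 5737 documentation ranges), the thresholds and the aggregate rule itself are assumptions for the example; the aggregate check goes beyond what the article states and is one common defender-side generalization, not the only one.

```python
from collections import defaultdict

# Constructed login records, one per attempt: (timestamp_s, source_ip, username, success).
# Addresses come from the RFC 5737 documentation ranges; nothing here is real traffic.
def build_sample_log(include_attack=True):
    events = []
    # Legitimate traffic: 40 users log in over ~7 minutes; every 8th user mistypes once and retries.
    for i in range(40):
        ip, user = f"198.51.100.{i + 1}", f"user{i:03d}"
        typo = i % 8 == 0
        events.append((i * 10, ip, user, not typo))
        if typo:
            events.append((i * 10 + 5, ip, user, True))
    if include_attack:
        # Credential stuffing: 200 stolen pairs tried one every 3 seconds ("low and slow"),
        # rotating the source IP after every 5 attempts; 4 of the 200 pairs (2%) still work.
        for j in range(200):
            ip, user = f"203.0.113.{j // 5 + 1}", f"victim{j:03d}"
            events.append((j * 3, ip, user, j % 50 == 0))
    return sorted(events)


def per_ip_velocity_alerts(events, window=60, threshold=10):
    """WAF-style rule: flag an IP with more than `threshold` failed logins in any `window` seconds."""
    failures = defaultdict(list)
    for ts, ip, _user, ok in events:
        if not ok:
            failures[ip].append(ts)
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over this IP's failures
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(ip)
                break
    return flagged


def aggregate_stuffing_windows(events, window=60, min_failures=12,
                               min_distinct_users=10, max_fail_ratio=0.5):
    """Site-wide rule (assumed for this example): flag a fixed window when failures are
    numerous, touch many distinct accounts, and exceed the ratio legitimate typos produce."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[ev[0] // window].append(ev)
    flagged = []
    for b in sorted(buckets):
        evs = buckets[b]
        failed = [ev for ev in evs if not ev[3]]
        distinct = {ev[2] for ev in failed}
        ratio = len(failed) / len(evs)
        if (len(failed) >= min_failures and len(distinct) >= min_distinct_users
                and ratio > max_fail_ratio):
            flagged.append((b * window, len(failed), len(distinct), round(ratio, 2)))
    return flagged


if __name__ == "__main__":
    log = build_sample_log()
    print("per-IP velocity rule flagged:", per_ip_velocity_alerts(log) or "nothing")
    for start, failed, users, ratio in aggregate_stuffing_windows(log):
        print(f"window from {start:>4}s: {failed} failures across {users} accounts, ratio {ratio}")
```

With the attack included, the per-IP rule flags nothing because no address ever exceeds five failures, while every one of the ten attack windows shows roughly twenty failures on twenty different accounts; with the attack removed, neither rule fires, since the only failures are single typos on the users' own accounts.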

What DOES block credential stuffing?

OWASP publishes a valuable Credential Stuffing Prevention Cheat Sheet for thwarting these attacks.

MFA is a good starting point. It’s not invincible, but it provides a stumbling block for automated credential stuffing attacks. Another strong deterrent is for users to choose unique, high-entropy passwords, which removes the password reuse these attacks depend on.

There are also sophisticated tools that block traffic based on attributes that are tough for an attacker to change, says F5’s Woods. Such tools collect signals from an attacker’s activity and environment. For example, have your filters ask, “Is the user/attacker executing 25 keystrokes in 35 milliseconds?”

Another signal for businesses to monitor: “Is this so-called person clicking multiple points on a screen without moving the mouse?” Woods said. “Those are telltale signs of interaction with a bot, or typing and moving a mouse simultaneously.”

Humans don’t do that. 

But without the visibility into web traffic that lets you spot that weirdness, your security thumbs aren’t properly throbbing, and the credential stuffers are very likely taking over.