Cyber Security

Credential Stuffing Attack: An Emerging Cyber Crime

“Cybercrime is the greatest threat to every company in the world.” — Ginni Rommety

Credential Stuffing Attack

Do you know why most cyber security experts tell you not to use the same password for multiple accounts? Well, there are two good reasons for that:

  1. Cyber criminals can access several accounts of yours if they can get hold of one.
  2. Credential stuffing attack.

A credential stuffing attack is one of those threats on the internet that poses a critical threat for every organization worldwide. As a fact, several organizations have already been affected because of this particular attack. However, as bad as it sounds, there are many ways to avoid becoming a victim of a credential stuffing attack. But before we dive into the preventive measures, I’ll help you understand what this attack is and how to avoid it.

The Credential Stuffing Attack

There is no shortage of cyber threats on the internet today and credential stuffing is one of those cyber threats. In this attack, cyber criminals use compromised credentials found on the darknet, most of which are from corporate data breaches. These login credentials are automatically fed into login accounts on different websites.

Cyber criminals use specialized automated credential stuffing tools and botnets such as SentryMBA, Vertex, STORM, etc to launch this attack. Such tools help them in stuffing thousands of compromised usernames and passwords into the login page of several websites.

How Does it Work?

How credential stuffing attack works
How credential stuffing attack works

The main reason why this attack works great for cyber criminals is simple; there are still millions of people who use only one password and username for several accounts.

To give you an example of how this attack works, let’s say there is a guy named William Muller. So consider William is using a username ‘Will.I.Am’ for his banking login, and other social media accounts. Moreover, he uses the same password “LetmelogintoThis@accountfor1s” on all of his accounts.

The password seems like a strong password with uppercase and lowercase letters combined with numbers and symbols. However, imagine one of his accounts gets stolen or compromised and it gets on the hands of cyber criminals.

Of course, the cyber criminals would not know on which bank William Muller has created an account. Nevertheless, if the cyber criminals are persistent enough, they can eventually try several banks and might find out the right bank.

That is when the hackers would log into William’s account and then drain it. Above that, they now have his credentials for different accounts as well, which can later be used for identity theft. This can often lead to a much worst-case scenario.

Examples of Credential Stuffing Attacks

If you are wondering how this simple method can work and affect businesses then there are several firms who have been victims of this particular attack. In a recent incident, RIPE NCC has confirmed to suffer a credential stuffing attack affecting its single-sign-on (SSO) platform. RIPE NCC is the regional Internet registry for Europe, the Middle East, and Central Asia.

(Source: Twitter) A tweet from researcher Bob Diachenko

Additionally, giant companies like Spotify are also one of the companies that had suffered credential stuffing attacks recently. Researcher Bob Diachenko tweeted that nearly 100,000 account details were leaked online and being misused as a part of a credential stuffing attack.

These two organizations are not the only ones that suffered a credential stuffing attack. Big names like Dunkin Donuts (who also witnessed the attack twice in three months), North Face, a South African restaurant chain Nando’s are also on the list. A giant football club FC Barcelona’s official Twitter account was also compromised after they become a target of a credential stuffing attack.

Why is it Hard to Detect Credential Stuffing?

You must have figured out that a credential stuffing attack is hard to detect. The reason is that cyber criminals use sophisticated tools to hide their activities. For example, a cyber criminal can mimic the geolocation of users to make it legitimate while attempting to log in.

If a bank has customers from a certain region in the Middle East, then the attackers make it look like the login attempts are coming from that particular place. In short, cyber criminals takes every step to make it legitimate so it all looks normal.

Prevention of Credential Stuffing

Preventive countermeasures might not be able to erase the attack completely. However, it does help your organization to reduce at least a significant portion. Moreover, looking at the current scenario organizations definitely need to implement preventive measures so that they don’t learn the lesson in an expensive way.

According to the article from Dark Reading, there were 1.3 billion credential stuffing attacks recorded in the third quarter of 2020 alone. Another article from Security Magazine mentioned the attacks doubled in Q4 as compared to Q3 and it was increased by nearly 90% as compared to Q1in 2020.

To help you with what your organization needs to implement to mitigate the risks of credential stuffing attacks, I have listed below five preventive measures.

  1. Educate your employees on password policies. Ensure they use unique passwords for different accounts so that at least other accounts would not be accessible when one gets compromised. Additionally, they should also understand the risks of sharing passwords.
  2. Implement multi-factor authentication to add an extra layer of security in case the password gets compromised or stolen. Adding an extra layer of security with MFA forces cyber criminals to verify your email account through other devices or applications.
  3. Use a captcha or something similar that requires a human response to login. Captchas or challenge-response tests help in identifying if it’s a human or a machine who is trying to log in to the account.
  4. Encrypt all files that store personal information so that a data breach doesn’t reveal any details.
  5. Develop an incident response plan and rehearse it frequently so that everyone connected with the organization is familiar with their roles and responsibilities to secure the organization.

I hope this blog helps you find the information on how to defend the emerging and increasing credential stuffing attacks. If you have more suggestions on how to prevent the attack, please comment down below. You can also follow our blogs to find the latest information on cyber security and threats.