Credential Stuffing Examples and Detection Keys


As part of our ongoing blog series on the modern threat landscape, we take a look at some of the many threats and risks that are often overlooked by older WAFs and security tools. Unlike traditional injection and XSS attacks, this new generation of attacks excels at circumventing traditional signatures and regex rules, allowing attackers to do damage while staying under the security radar. For more information, you can check out our introductory blog which covers some of the common traits of these new threats and how they will often be used together in a patient and coordinated attack.

However, in this blog we will focus on credential stuffing. This has become one of the most common and significant threats facing organizations today and poses a risk to virtually any application with login functionality (i.e. most apps). Let’s take a closer look at what exactly credential stuffing is, how difficult it can be to control it, and what sorts of things organizations can do to defend themselves today.

To learn more about the new threat landscape and how modern attackers work, check out our new guide, What’s Below: What You Need to Know About the Modern Threat Landscape.

What is credential stuffing?

In a credential stuffing attack, attackers attempt to reuse credentials that were compromised in a previous breach in order to log into another website or application. For example, take the recent RockYou data breach, which exposed 32 million user passwords. Knowing that many end users reuse the same password across multiple sites, attackers can take these stolen credentials and try them on other high-value applications, such as a bank or shopping account.

Since data breaches are a relatively common occurrence, attackers have an almost endless trove of credentials they can try against a virtually infinite number of targets. In fact, a recent study revealed that there are around 15 billion stolen logins in circulation, stemming from around 100,000 breaches. This leads to a sort of cybersecurity feedback loop in which one breach fuels downstream compromises of other apps and accounts.

The value of compromised accounts

Credential stuffing plays a key role in the hacker underground economy. Naturally, an attacker could seek to take direct advantage of a compromised account. However, more often than not, account access is resold to other actors on the dark web and underground forums. This is an example of the continued specialization seen in criminal ecosystems, where some actors specialize in obtaining access while others specialize in using that access to commit fraud or other misuse.

These attacks are so common that compromised accounts have well-established commodity prices based on account value. For example, financial services and payment accounts such as bank accounts, PayPal or Western Union accounts can earn between $30 and $120 depending on the amount of money in the account. A wide variety of retail accounts are also popular targets, with compromised Amazon accounts costing an average of $30. Social media accounts are also common targets. These accounts can be used in astroturfing campaigns, or to spear phish and distribute malware to users of a victim’s social network. For example, Facebook accounts are usually sold for $65, Instagram accounts for $45, and Gmail accounts for $80.

Challenges of detecting credential stuffing

Credential stuffing techniques circumvent traditional WAF signatures and rate-based rules for several reasons. Specifically, the techniques do not rely on an exploit or other overt malicious action, and instead use/abuse an application’s exposed functionality in unexpected ways. In this case, the attacker, usually in the form of a bot, uses the login functionality of the application in the same way as a valid user.

Additionally, since attackers have many username/password combinations to sift through, the job is usually done by a large distributed botnet or other form of malicious automation. This not only speeds up the job, but allows the attacker to spread the attack across a large number of IP addresses so that it is not obvious that the attack traffic is coming from a specific set of addresses. And unlike a brute force attack, credential stuffing attacks don’t usually try multiple passwords for a given account. They simply try the stolen username/password pair, and if that doesn’t work, they move on. Therefore, rules that lock an account after a certain number of failures will never fire.

This all leads to a situation where attackers can blend in with valid users. Overall, it may be obvious that an application is under attack because it is flooded with login traffic. But for each individual login attempt, security teams often have no way of knowing whether it comes from an attacker or from a real user.
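To make the detection gap concrete, here is an added example (not ThreatX code, and not from the original post) that runs a classic per-account lockout rule and a population-level stuffing check over two constructed login logs. The brute-force log trips the lockout; the stuffing log, with one attempt per account from many IPs, never does, but its aggregate shape (many distinct accounts, one try each, mostly failing) is exactly what a population-level rule can see. All thresholds and log formats are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample login logs (not from the post): "<ip> <username> <OK|FAIL>" per line.
BRUTE_FORCE_LOG = "\n".join(["10.0.0.5 alice FAIL"] * 6)  # one account, many guesses
STUFFING_LOG = """\
198.51.100.7 bob FAIL
198.51.100.8 carol FAIL
198.51.100.9 dave OK
198.51.100.10 erin FAIL
198.51.100.11 frank FAIL
198.51.100.12 grace FAIL
198.51.100.13 heidi FAIL
198.51.100.14 ivan FAIL"""  # many accounts, one try each, many source IPs

LINE_RE = re.compile(r"^(\S+) (\S+) (OK|FAIL)$")

def parse(log):
    """Return a list of (ip, user, outcome) tuples; malformed lines are skipped."""
    out = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(m.groups())
    return out

def lockout_alerts(events, threshold=5):
    """Classic per-account rule: fires only when ONE account fails >= threshold times."""
    fails = defaultdict(int)
    for _, user, outcome in events:
        if outcome == "FAIL":
            fails[user] += 1
    return sorted(u for u, n in fails.items() if n >= threshold)

def stuffing_metrics(events):
    """Population-level view of a login stream: stuffing shows many distinct accounts,
    each tried about once, mostly failing, spread over many source IPs."""
    if not events:
        return {"distinct_users": 0, "distinct_ips": 0, "single_attempt_ratio": 0.0, "failure_rate": 0.0}
    per_user, ips, fails = defaultdict(int), set(), 0
    for ip, user, outcome in events:
        per_user[user] += 1
        ips.add(ip)
        fails += outcome == "FAIL"
    users = len(per_user)
    return {
        "distinct_users": users,
        "distinct_ips": len(ips),
        "single_attempt_ratio": sum(n == 1 for n in per_user.values()) / users,
        "failure_rate": fails / len(events),
    }

def looks_like_stuffing(events, min_users=5, min_single_ratio=0.7, min_fail_rate=0.6):
    """Threshold rule over the population metrics; thresholds are illustrative assumptions."""
    m = stuffing_metrics(events)
    return (m["distinct_users"] >= min_users
            and m["single_attempt_ratio"] >= min_single_ratio
            and m["failure_rate"] >= min_fail_rate)
```

In practice the population metrics would be computed over a sliding time window per login endpoint rather than over a whole file.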

Impacts of credential stuffing

Credential stuffing causes a wide range of problems. Obviously, a successful credential stuffing attack paves the way for an account takeover or ATO. We will look at ATOs in more detail in future blogs. However, suffice it to say that attackers can misuse a compromised account in various ways to commit fraud and pursue other malicious goals. Financial accounts can be used to steal funds, retail accounts can be used to illegally purchase items, and social media accounts can influence opinions or spread malware.

However, the influx of traffic from a credential stuffing attack can also quickly overwhelm an application’s resources, leading to a denial of service situation. Industry analysis estimates that, on average, 16.5% of traffic to a login page is related to credential stuffing. However, that average can look like a drop in the ocean when a specific group turns its attention to a particular application or industry. For example, in a recent series of credential stuffing attacks targeting credit unions, we were able to detect that 90% of traffic was malicious and automatically block that traffic from reaching the target customers’ servers.

ThreatX blocks malicious traffic

How ThreatX protects against credential stuffing

As seen in the previous example, ThreatX has considerable real-world experience in mitigating bot-based attacks, including credential stuffing. The platform is able to do this by bringing together a variety of detection and analysis techniques to reliably separate valid users from malicious bots. While the details naturally change all the time as we adapt to stay one step ahead of the attackers, we’ve highlighted some of the most important features below:

  • Active visitor interrogation: ThreatX actively challenges visitors in ways that are completely transparent to valid users but can trick a bot into revealing itself. This may include observing how the entity responds to automated challenges, such as how it handles JavaScript or other types of code.
  • Advanced fingerprinting: ThreatX leverages some of the most advanced fingerprinting techniques in the industry to reliably identify and track malicious entities and infrastructure over time. This allows the platform to recognize attackers even when they change IP addresses, user agents, or other identifying characteristics.
  • Automated deception techniques: The platform may introduce deceptive elements such as fake form fields that are readable by bots but invisible to users. Any interaction with these fields or functions reveals that the visitor is a bot and not a human.
  • Attacker and application behavior analysis: In addition to tracking complex behaviors over time, ThreatX can identify atypical behaviors at the user or application level, for example a visitor filling out a login form with abnormal speed, or an application that appears to be overloaded with login traffic.
  • Global correlation and tracking: By fingerprinting attacking entities, ThreatX is able to track their behavior across the Internet and across organizations. This allows organizations to benefit from intelligence gathered from previous attacks and preemptively block threats before the attack even begins.
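The deception and behavior checks in the two bullets above (a hidden field only bots fill in, and abnormally fast form completion) can be illustrated server-side. The following is an added example, not ThreatX code and not from the original post: the login form is rendered with an HMAC-signed timestamp so the client cannot backdate it, and a submission is flagged if the honeypot field is populated, the token is missing or forged, or the form came back faster than a human could type. The field names, secret handling and 2-second threshold are assumptions.

```python
import hashlib
import hmac
import os
import time

# Assumed configuration (constructed for this example); SECRET would come from app config.
SECRET = os.urandom(32)
HONEYPOT_FIELD = "website"   # rendered but hidden via CSS; humans never see or fill it
MIN_FILL_SECONDS = 2.0       # a human needs at least this long to type a username and password

def issue_form_token(rendered_at=None):
    """Embed the render time in a hidden field, HMAC-signed so the client cannot forge it."""
    ts = f"{time.time() if rendered_at is None else rendered_at:.3f}"
    sig = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{sig}"

def verify_form_token(token):
    """Return the render timestamp if the token's signature is valid, otherwise None."""
    try:
        ts, sig = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        return float(ts)
    except ValueError:
        return None

def classify_submission(form, now=None):
    """Return the list of bot indicators for a submitted login form (empty list = looks human).
    `form` is a dict of posted fields; `now` is injectable for testing."""
    now = time.time() if now is None else now
    reasons = []
    if form.get(HONEYPOT_FIELD):              # only automation fills an invisible field
        reasons.append("honeypot_filled")
    rendered_at = verify_form_token(form.get("form_token", ""))
    if rendered_at is None:                   # form never rendered by us, or token tampered
        reasons.append("missing_or_forged_token")
    elif now - rendered_at < MIN_FILL_SECONDS:  # submitted faster than a human could type
        reasons.append("submitted_too_fast")
    return reasons
```

A real deployment would treat these indicators as signals to correlate with fingerprinting and rate data rather than as a hard block on their own.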

These techniques represent just a few of the techniques and countermeasures that ThreatX uses daily against credential stuffing attacks. Many of these same techniques are used to combat other types of malicious threats and automation that we will examine in future blogs. This is by design. Instead of designing specialized countermeasures aimed at specific threats, our philosophy at ThreatX is to build blended protection strategies capable of dealing with any threat. All available perspectives and techniques are applied and correlated to each event.


The post Credential Stuffing Examples and Detection Keys appeared first on ThreatX.

*** This is a Security Bloggers Network syndicated blog from ThreatX written by Bret Settle. Read the original post at:

