An easy guide to Credential Stuffing Attacks – How businesses can Detect and Prevent it?
Wondering if you have been a victim of a Credential Stuffing Attack? The answer is most likely YES! Surprisingly via platforms or applications of famous brands! Indeed, credential stuffing attacks are more common than you think; Here are some of the shocking data breaches which conclude that Credential Stuffing Attacks’ can happen to any brand, big or small.
8fit
In 2018, 8fit, a health and fitness service app, suffered a data breach. After the violation, the attacker initiated the credential stuffing attack and later sold it on the dark web marketplace in February 2019.
Compromised data: Email addresses, Genders, Geographic locations, IP addresses, Names, Passwords.
BigBasket
In 2020, Bigbasket witnessed a data breach that impacted all its users. Before leaking the data publicly, the attacker was selling the data on the dark web.
Compromised data: Dates of birth, Email addresses, IP addresses, Names, Passwords, Phone numbers, Physical addresses.
Canva
In 2019, the famous brand Canva, a graphic design tool website, suffered a data breach. This Attack impacted 137 million Canva users.
Compromised data: Email addresses, Geographic locations, Names, Passwords, Usernames.
Dunzo
In 2019 June, the Indian brand Dunzo, a hyperlocal delivery service, suffered a data breach. This incident impacted 3.5 million unique email addresses.
Compromised data: Device information, Email addresses, Geographic locations, IP addresses, Names, Phone numbers.
Recently, the internet has witnessed an unprecedented increase in Credential Stuffing Attacks. Cybersecurity experts have issued warnings and alerts against it.
In this blog, we will decode what Credential Stuffing Attack is, the cause of its rise, and how to prevent it.
Decoding Credential Stuffing Attacks for Beginners
Credential Stuffing is a cybercrime happening all around the globe. It occurs when a hacker obtains many stolen or leaked login credentials (Username and Passwords) of one website and tests them on other platforms.
For example, the “Username and Password” of Email are the same as their bank accounts. Taking advantage of this, hackers acquire account credentials of platforms like Email that mostly have common or long-term passwords and use them to access crucial platforms like bank accounts to execute the fraudulent activity.
Is it Risky?- Indeed!
The hacker with unauthorized access attacks the victim’s bank account, e-commerce, or OTT account by drawing off funds, stealing credit or debit information or loyalty points, and sometimes committing another cybercrime.
When taking all the possible advantages, the attacker sells the credentials on the dark web to make more profit, which is just the beginning of another cybercrime story.
Usually, credentials data breaches are from the famous brands of EdTech, OTT platforms, e-commerce, and e-retail applications, for which many users share common or long-term passwords.
Reasons why credentials stuffing attack is so prevalent!
The universally accepted identity mechanism:
Credentials like “Usernames and Passwords” are the standard and trusted identity mechanism for access control. Almost all online portals or mobile apps grant access to users by identifying valid usernames and passwords.
Unfortunately, this type of authentication is partially secure since it relies on just one factor: Something the user knows which someone else can quickly learn, e.g., birthdays, names, regular terms, etc. Extra security requires users to provide additional and distinct authentication factors, such as code or a biometric feature such as a fingerprint.
People mostly reuse passwords for multiple accounts:
An average person has nearly 100 passwords, according to the research by Nordpass. Creating or remembering so many passwords is next to impossible. Hence it is apparent that many people reuse passwords for many or all accounts.
Taking advantage of this, attackers obtain legitimate credentials from one website and try their luck on other websites.
Outrageous data breaches continue to occur:
In 2005, we saw the first data breach of over 1 million records, followed by another breach of 94 million records. We thought this would be the most significant data breach, but the Yahoo data breach exposed an astonishing 3 billion records eight years later. The violations have continued to climb ever since.
A profitable crime – Low-Cost Entry, High Returns:
Credential Stuffing is a numbers game. Even a novice cybercriminal can test 100,000 credentials for less than 200$. Although the typical success rate is around 0.2 to 2%, the intruder can obtain anywhere from 200 to 2,000 accounts from a single attack. A million fraudulent login attempts could yield as many as 20,000 valid accounts for a cybercriminal willing to make a more significant investment. Attackers can run the same test on other websites with a similar success rate. After milking the advantages from the credentials, they can sell those ‘used’ credentials on the dark web to make more money.
A large window of opportunity:
The users are mostly unaware of the data breaches for months or even years after they occur. The average time of crime discovery or public disclosure is around 15 months; it gives the attacker a large window of time to intrude and abuse stolen credentials.
Is Credential Stuffing happening right now? How to detect it?
Attackers use botnets and automated tools that support proxies to distribute rogue requests across different IP addresses to perform the credential stuffing attack. Therefore, several login failures occur over a short period, which signifies that an attack is in progress. There are also some commercial web application firewalls and services which use advanced behavioral techniques to detect suspicious login attempts.
We know how to defend the attack – Here’s how…
MFA- Multi-factor Authentication:
Although some automated phishing and account takeover tools can bypass MFA, those attacks require more resources and are harder to pull off mass credential stuffing. Hence, MFA makes it challenging for attackers to perform fraud.
But due to the usability cost of MFA, many organizations provide it as an option. On the other hand, making MFA mandatory for all user accounts is considered too disruptive for business.
Hence a better way to prevent attacks is automatically enabling MFA for users at greater risk. For example, to allow MFA to users after several failed login attempts.
Additionally, recommend users make a strong password, a combination of special characters, uppercase, lowercase, numbers, etc.
CAPTCHA:
When users insert CAPTCHA, they prove they are human, which can reduce credential stuffing effectiveness. However, by using headless browsers, attackers can easily bypass CAPTCHA. Hence, combining the application of MFA, CAPTCHA with other methods can guard against attacks.
Block Headless Browsers:
Javascript can swiftly identify Headless Browsers such as PhantomJS used by the attackers. Headless Browsers are not legitimate and are undoubtedly suspicious. Blocking it can surely benefit.
Fingerprinting:
With the help of JavaScript, you can collect information about users’ devices and create a ‘Fingerprint’ for each session.
The fingerprint combines parameters like operating system, language, browser, time zone, user agent, etc. If several attempts with the same parameters log in, it will likely be a brute force or credential stuffing attack. With the combination of fingerprints and other parameters, enforce more severe measures, for example, banning the IP.
To capture more attacks, combine 2-3 standard parameters and implement less extreme measures like a temporary ban.
IP Blacklisting:
Another effective defense is to block or sandbox IPs that attempt to log into multiple accounts because attackers typically have a limited pool of IP addresses.
Rate-Limit Non-Residential Traffic Sources:
Identification of traffic originating from Amazon Web Services or other commercial data centers is easy. Mostly, this traffic is bot traffic and should be treated carefully than the regular one. Cap the rate limits and ban IPs with suspicious behavior.
Disallow Email Addresses as User IDs:
Credential stuffing relies on using the same usernames or account IDs across services, which is inevitable when ID is an email address. Restrain users from using their email address as an account ID to reduce the chance of using the same user/password pair on another site.
Invest in Cyber Security:
Cyber security preferences depend on the type of organization, the structure, the size, number of employees, locations, and other essential factors. The need varies depending upon the type of your organization. Here are a few helpful tips to get the bang for your buck out of your investment in cybersecurity.
With so much of our personal information existing on a digital platform, keeping it safe from cyberattacks can be daunting. On top of that, the malicious activity is getting better and better with the passing time. Therefore, learning and practicing prevention is the only way forward, learn more from the 5 key takeaways from the Facebook data breach.
We’ve tried to provide knowledge and input to help organizations and users understand the risk of the trending attack and some information on precautions to protect their business and interests. We aim to make the internet a secure place, and we hope this blog serves our commitment. Keep following us for more insights about safe internet.
