Credential stuffing is a type of cyber attack that involves ‘stuffing’ stolen credentials into multiple websites.
Tools like bots have allowed hackers to automate the stuffing, allowing them to test millions of login credentials against dozens of sites in a short period. Here’s what you need to know about this attack and the simple ways you can protect yourself.
What is Credential Stuffing?
Credential stuffing involves cramming a large collection of stolen passwords and usernames into multiple websites. They depend on monster breaches and leaks peddled on the dark web for their data. The goal is to use the millions of login and username combinations from previous leaks to infiltrate other websites.
Did you know that the reuse of #passwords and the lack of #multifactorauthentication pave the way for #credentialstuffing attacks. In fact, The FBI says 41% of all financial sector attacks between 2017 and 2020 were due to credential stuffing. https://t.co/h99KM6RPL7 pic.twitter.com/4IEEEwbZ2n
— Simon Heslop (@supersi101) December 9, 2020
They rely on one human error to make their attacks successful—using the same username and/or password across multiple sites. According to research, a whopping 85 percent of all users recycle their passwords on different accounts.
And it’s this sort of thinking that allows cybercriminals to use login credentials from one website breach to get into other services.
The success rate is pretty low at .1 to around 2 percent. This means that for every million login credentials tested, only around 1,000 credentials can be used to get into other websites. But what makes their efforts worth it is the goldmine of data they can collect from every account they infiltrate.
Say they manage to hack around a thousand accounts and these have banking information or credit card credentials. They can siphon funds or use these to commit other forms of fraud. Other Personally Identifiable Information (PII) like social security numbers or tax information can be used to commit crimes like identity theft.
Cybercriminals monetize whatever they find in each account which makes the attack worth the effort despite the very low login matching rate.
How is a Stuffing Attack Carried Out?
Of course, hackers don’t manually input stolen login credentials one by one into different websites since they need millions (or even billions) of stolen login credentials to make the attack worth it.
Instead, cracked credentials from data breaches are loaded into botnets that launch automated login attempts. They then use further tools to evade detection.
A single botnet can make thousands of login attempts per hour. For example, a credential stuffing attack in 2016 used a botnet that sent over 270,000 login requests across multiple sites per hour.
How Can Stuffing Attacks Evade Detection?
While many sites use security measures to detect multiple rogue logins, hackers have found ways to circumvent these measures.
A proxy list is used to bounce requests around and mask the source or, simply put, make login requests seem like they’re coming from different locations. They also use other tools to make it appear like the multiple sign-in attempts are coming from different browsers.
This is done because multiple login attempts from only one type of browser (a thousand per hour, for example) look suspicious and have a greater chance of getting flagged as fraudulent.
All these techniques mimic the legitimate login activity of thousands of users across different locations. This makes the attack vector simple, yet difficult to detect.
What’s the Difference Between Credential Stuffing and Brute Force Attacks?
Credential Stuffing is a sub-type of brute force attack that is much more potent because it is more targeted.
A brute force attack essentially involves guessing passwords using different random character combinations. They use automated software to make multiple guesses by testing several possible combinations until the password is discovered. It is done without context.
Credential stuffing, on the other hand, uses login details and passwords from previous data breaches. They use a password-username pair from a leak from one website and then test it on other services.
While using strong passwords can protect you from brute force attacks, this is useless if you use the same password on other websites, when a stuffing attack is launched.
What’s the Difference Between Credential Stuffing and Credential Dumping?
While it may seem the same, credential dumping is a different type of attack that targets one entry point or machine to infiltrate a network.
While credential stuffing uses multiple login credentials from previous breaches to get into other websites, credential dumping involves getting into one machine and extracting multiple login credentials.
This is done by accessing cached credentials in the computer’s many registries or extracting credentials from the Security Account Manager (SAM) database. The latter contains all accounts created with passwords saved as hashes.
The credential dumping attack’s goal is to get a foothold into the network or admission into other computers in the system. After pulling login credentials from one machine, a hacker can re-enter the device or gain access to the entire network to cause more damage.
Unlike stuffing, a credential dumping attack uses one entry point, one machine with unpatched vulnerabilities to infiltrate a network.
How Do You Protect Yourself From a Stuffing Attack?
For most users, the best and simplest way to protect yourself is to use unique passwords for every website or account. At the very least, do this for those that have your sensitive information like banking or credit card details.
Enabling two-factor authentication (2FA) or multiple-factor authentication (MFA) helps make account takeover more difficult for hackers. These rely on a secondary means of validation, i.e. sending a code to your phone number as well as requiring your username and password.
If you find remembering multiple passwords and usernames confusing you can use a reliable password manager. If you’re unsure about their security, check out the secure methods password managers use.
Or try an open-source password manager.
Protect Your Passwords
Your password is like a key to your house. It needs to be unique, strong, and most importantly, you need to keep it in a safe place at all times.
These also need to be memorable and secure. You can explore different password tools that can help you make unique yet memorable ones that are difficult for hackers to crack.