Credential-Stuffing Attacks: a Universal Key for Threat Actors
By Isaac Palmer
There’s hardly an industry immune to credential-stuffing attacks, a threat actor tactic that has a potentially high payoff with a relatively low lift for the perpetrator.
Billions of credentials have been dumped across the surface web during this decade, and more and more are regularly churned up on unindexed, invite-only and password-protected corners of the internet. Very few attacks at a criminal’s disposal have this type of support infrastructure for the taking, including the freely available automated tools that are used to carry out credential-stuffing attacks.
Credential stuffing is effective not only because of the abundance of stolen and leaked credentials readily available, but also because of the practice of password reuse.
Password Reuse Feeding Credential Stuffing Fire
Password reuse is the 2019 poster child of poor security hygiene. It’s actually a decades-old problem that only gets worse as services critical to everyday life move online.
This means that consumers, and employees at their desks every day, need to remember an unmanageable number of username-password combinations to pay their bills or meet their responsibilities at work. A Digital Guardian study late last year determined that the average email address is associated with 130 accounts, that 67% of passwords are rated weak or very weak, and that password reuse is highest among those entering the workforce aged 18-24 (76%); it does not get much better with age.
All of this is gasoline on a raging fire.
Flashpoint analysts have looked at the credential stuffing landscape and have identified a number of other factors facilitating these types of attacks.
Credential stuffing is a highly active area of interest among buyers and sellers operating within illicit online communities. Criminals are intent on finding and targeting organizations with login portals that lack some kind of rate-limiting protection, such as a CAPTCHA or timeouts on multiple attempts. Sites lacking these types of defenses are a boon for threat actors using credential stuffing or brute-force attacks. It’s low-hanging fruit for an attacker to script a brute-force attack to attempt millions of credential pairings until a login works.
Some of the tools used in these types of attacks, meanwhile, require configuration files that define a target’s parameters in order to properly carry out a credential-stuffing attack. These files are made and traded among criminals online in order to attack sites.
Websites that only use session cookies to authenticate their users are particularly vulnerable; a successful attack would only require passing stolen cookie data along with a stolen credential set to mimic a legitimate user session. This is the basic process that brute-force tools follow when attacking poorly secured sites.
Threat actors will also often resell vetted, working accounts for a victim’s site as a separate offering on the underground markets. In many cases, the victims’ accounts may be drained of funds—cashed out—by the attacker when there is a monetary balance associated with the account.
It’s unlikely that breaches and credential dumps will abate any time soon. Therefore, it’s critical to have visibility into credentials that are available online and to be able to safely and securely check your organization’s credentials against those that have been breached and dumped online.
Flashpoint analysts also recommend that a number of technical mitigations be put in place to curtail credential-stuffing attacks, starting first and foremost with the implementation of two-factor authentication. They also remind consumers and business users alike not to reuse the same password for multiple online accounts, and that complex, unique passwords or password managers are a secure alternative to reusing passwords.
Technical mitigations include:
• Robust login security controls and strict enforcement of session state greatly reduce a website’s susceptibility to attacks from credential-stuffing tools.
• CAPTCHAs are suggested, as well as timeouts on repeated attempts and rate limits that block per IP address.
• It is also suggested that caution be used before allowing a session cookie to be used from multiple IP addresses within a short amount of time.
• Timeouts on authorized sessions should be considered; however, they should be approached with caution so as not to log out legitimate users too frequently (which creates customer frustration).
• If a session is seen being reused within a short period of time and spanning many IP addresses, this is likely a good indication of a credential-stuffing attack. The session cookies associated with the activity should be revoked server side, and the associated traffic should be further analyzed where logging is enabled.
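The two server-side controls above that are easiest to put into code are the per-IP failure throttle and the session-reuse check. The following is an added example written for this article, not Flashpoint’s own tooling: it replays a constructed authentication log through a per-IP lockout and then flags any session cookie seen from more than a threshold of distinct IP addresses inside a short window, returning the sessions a server should revoke. The log format, field names, thresholds (5 failures per minute, 15-minute lockout, more than 3 IPs per session in 10 minutes) and all addresses are assumptions chosen for the demonstration.

```python
"""Per-IP login throttling and session IP-spread detection.

Added example; the log format, thresholds and addresses below are constructed
for illustration and are not taken from the article or from any product.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <event> ip=<addr> user=<name> session=<id>"
# One source address hammers the login form; session s1 is later replayed
# from four different addresses within two minutes (the reuse pattern the
# article describes), while session s2 only moves between two addresses.
SAMPLE_LOG = """\
2019-05-01T10:00:00 login_fail ip=203.0.113.5 user=alice session=-
2019-05-01T10:00:05 login_fail ip=203.0.113.5 user=bob session=-
2019-05-01T10:00:10 login_fail ip=203.0.113.5 user=carol session=-
2019-05-01T10:00:15 login_fail ip=203.0.113.5 user=dave session=-
2019-05-01T10:00:20 login_fail ip=203.0.113.5 user=erin session=-
2019-05-01T10:00:30 login_fail ip=198.51.100.7 user=alice session=-
2019-05-01T10:01:00 login_ok ip=198.51.100.7 user=alice session=s2
2019-05-01T10:02:00 request ip=198.51.100.7 user=alice session=s2
2019-05-01T10:03:00 request ip=198.51.100.8 user=alice session=s2
2019-05-01T10:05:00 login_ok ip=192.0.2.10 user=frank session=s1
2019-05-01T10:05:30 request ip=192.0.2.11 user=frank session=s1
2019-05-01T10:06:00 request ip=192.0.2.12 user=frank session=s1
2019-05-01T10:06:30 request ip=192.0.2.13 user=frank session=s1
"""


def parse_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        events.append({"ts": datetime.fromisoformat(ts), "event": event, **fields})
    return events


class LoginRateLimiter:
    """Sliding-window failure counter per IP with a temporary lockout."""

    def __init__(self, max_failures=5, window=timedelta(minutes=1),
                 lockout=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> datetime the lockout expires

    def is_blocked(self, ip, now):
        until = self.locked_until.get(ip)
        return until is not None and now < until

    def record_failure(self, ip, now):
        """Record a failed login; return True if this failure triggers a lockout."""
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                 # drop failures outside the window
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
            return True
        return False


def replay_failed_logins(events, limiter):
    """Feed login failures through the limiter; return {ip: lockout_expiry}."""
    locked = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "login_fail" or limiter.is_blocked(ev["ip"], ev["ts"]):
            continue
        if limiter.record_failure(ev["ip"], ev["ts"]):
            locked[ev["ip"]] = limiter.locked_until[ev["ip"]]
    return locked


def detect_session_spread(events, max_ips=3, window=timedelta(minutes=10)):
    """Return {session: sorted IPs} for sessions used from more than max_ips
    distinct addresses within any window-sized span; these are revocation candidates."""
    hits = defaultdict(list)                 # session -> [(ts, ip), ...]
    for ev in events:
        if ev["session"] != "-":
            hits[ev["session"]].append((ev["ts"], ev["ip"]))
    flagged = {}
    for session, seen in hits.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:
                start += 1               # slide the window forward
            ips = {ip for _, ip in seen[start:end + 1]}
            if len(ips) > max_ips:
                flagged[session] = sorted(ips)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("locked out:", replay_failed_logins(evs, LoginRateLimiter()))
    print("sessions to revoke:", detect_session_spread(evs))
```

The per-IP throttle only catches the single-source case; an attacker rotating through many proxies never trips it, which is why the session-spread check and per-account failure counting belong alongside it rather than instead of it. The window for the session check should be tuned against real traffic first, since mobile users legitimately change addresses, which is the same caution the article raises for session timeouts.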
Isaac Palmer is a Senior Analyst II on Flashpoint’s Hunt Team who has more than 20 years of experience in computer security. He has advised multiple U.S. government agencies in various capacities and has been featured in major online media outlets around the world including Infosecurity Magazine, SC Magazine, and SecurityWeek, among many others. Isaac was a noted contributor to the DGA Archive project presented in Paris, France during BotConf2015.