We have written about Credential Stuffing Attacks previously, so this is largely an update to that blog post with some additional information and research that has just come to our attention.
Firstly, let's define what this means.
A Credential Stuffing Attack is one in which a cyber attacker attempts to gain access to a computer system (e.g. your favourite shopping website) using credentials that were typically obtained from data breaches. The attacker tries previously disclosed username/password pairs en masse in the hope that some of them still work. This is usually automated, resulting in thousands of credentials being tried in a very short time.
A report has recently come out from a company called Recorded Future on what they call 'The Economy of Credential Stuffing Attacks'.
The research indicates that there is a large underground market on the dark web for email address/username and password pairs that have been disclosed as part of data breaches. It is relatively easy to buy these on the dark web, although this is something I would never recommend, since in some countries you are probably committing a crime just by acquiring this information.
The raw material for this is the massive data dumps resulting from the data breaches we see on a regular basis. You only have to follow Troy Hunt on Twitter and his website 'Have I Been Pwned' to realise that a large number of such breaches occur, ranging from small ones of a few thousand accounts to the breach involving the Marriott hotel chain last year, with 350m disclosed accounts and personal details.
Once the raw material has been purchased, the attackers then purchase software that automates the en masse checking of these credentials by attempting logins with them. Once set running, this software (referred to as a bot) will just keep trying different combinations of username and password until it gets a match and can log in to an account. Once a match is found, it is logged and then resold as a valid username/password pair on the dark web. The attackers also use what are called proxies, which are services that obfuscate the source IP address so as to defeat any IP-based lockouts imposed by the targeted website.
Defences against this are to:
- Not re-use the same username/email address and password combination across multiple websites
- Use a password manager to help you randomise your passwords and to refresh them regularly
- Use 2-Factor Authentication techniques
- Adopt best practice techniques
- Not write down usernames/passwords in public places, e.g. on a post-it note on your monitor
- Not share usernames and passwords.
2-Factor Authentication (2FA, where you provide a one-time code generated by an app or sent to you via SMS) is not a total defence, largely because people do re-use easily guessable passwords. While the target site might challenge for a second factor, another website where you have re-used the credentials may not. The fact that the attackers reach the second-factor prompt implies that they have passed the initial checks for the tested username/password. A tactic used by these cyber criminals is to immediately check other websites with the newly confirmed credentials to see if they can get in elsewhere.
However, not all websites offer 2-Factor Authentication, so the only defence there is to have a random, highly complex and long password (>16 random alphanumeric characters and symbols) and not to re-use this password anywhere else. Password managers can help to ease the friction of using such complex/random passwords.
In addition, typical 2-Factor passcodes are 6 digits and will typically last 30s. If this is automated, it wouldn't take long to go through a large percentage of the 6-digit codes automatically to see if one works. And once a hacker knows something is protected by 2FA, they will just keep coming back and trying again until they eventually get in, or use social engineering to get past that step.
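The paragraph above worries that a 6-digit code can be guessed if the attacker is allowed to keep trying. The mitigation on the server side is to count failures per account (not per IP, since the post notes that proxies defeat IP-based lockouts) and lock the second-factor step after a handful of failures. The following is an added example, not code from the original post: it implements RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) and a small gate class with that per-account lockout. The class name, the limits of 5 failures and a 15-minute lockout, and the one-step clock-drift tolerance are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

# Added example, not from the original post. Assumed parameters: RFC 6238 TOTP
# with HMAC-SHA1, 30-second steps and 6 digits; lockout after 5 failures.
STEP_SECONDS = 30
DIGITS = 6
MAX_FAILURES = 5            # failures allowed per account before lockout
LOCKOUT_SECONDS = 15 * 60   # how long the account's 2FA step stays locked


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = unix_time // STEP_SECONDS
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


class SecondFactorGate:
    """Verifies TOTP codes and locks an account after repeated failures.

    The failure counter is keyed by account rather than by source IP, because
    attackers rotate through proxies and a per-IP lockout is easily evaded.
    """

    def __init__(self):
        self._failures = {}      # account -> consecutive failure count
        self._locked_until = {}  # account -> unix time when the lock expires

    def is_locked(self, account: str, now: int) -> bool:
        return self._locked_until.get(account, 0) > now

    def verify(self, account: str, secret: bytes, submitted: str, now: int) -> bool:
        if self.is_locked(account, now):
            return False  # do not even evaluate the code while locked
        # Accept the current step and one step either side to tolerate clock drift.
        valid = any(
            hmac.compare_digest(totp(secret, now + drift * STEP_SECONDS), submitted)
            for drift in (-1, 0, 1)
        )
        if valid:
            self._failures.pop(account, None)
            return True
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= MAX_FAILURES:
            # Lock the second-factor step; the counter resets when the lock expires.
            self._locked_until[account] = now + LOCKOUT_SECONDS
            self._failures.pop(account, None)
        return False
```

With this in place an automated guesser gets at most five attempts per account per lockout period, which turns a search of the one million possible codes into something that takes far longer than any single code remains valid. The `totp()` function reproduces the RFC 6238 test vectors (for the seed `12345678901234567890` at 59 seconds the 8-digit reference value is 94287082, so the 6-digit code is 287082).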
The sheer economics of this are staggering in terms of how much these cyber criminals can make by selling matched credentials. The Recorded Future report shows the following:
- Checking software can be purchased for $150 on the dark web
- A database of breached usernames/passwords could cost around $150 for 100k records
- A proxy service could cost $250 a week.
Username/password pairs can go for anything between $1 and $3.50 each, depending on the value of the site being attacked. For an initial outlay of around $550, the gross profit from the top 9 websites quoted in the report is in the region of $20,000, which is around a 3600x return on investment (ROI). Of course you have to host your software somewhere, and you probably want to use a VPN, which increases costs a bit (or use Tor, which is free), but this does not really dent the ROI. The additional danger for the criminals is that law enforcement will be looking for this kind of activity, as will VPN providers (whose T&Cs it will in all likelihood breach) and website hosts, who may put in place specific defences against this kind of attack.
This is also before the credentials are used to gather additional income through the use of malware, ransomware and fraud. High-value accounts can also be taken over by cyber criminals and either held to ransom or used for their own illegal purposes.
Everyone is vulnerable to this, as most of this activity is automated.
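Because the activity is automated, it leaves a recognisable shape in a website's login logs: one source trying many different accounts in a short burst, or (when proxies are used) one account being tried from many different sources. The following is an added example, not from the original post, of detection logic that looks for both patterns. It assumes a constructed log format of `<ISO timestamp> ip=<addr> user=<name> result=<success|failure>`; the sample lines, thresholds (5 attempts against 4 or more distinct accounts or IPs within one minute) and function names are all illustrative assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not from the original post. The log format below is an
# assumption: "<ISO timestamp> ip=<addr> user=<name> result=<success|failure>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)

# Constructed sample log: a single proxy address trying many accounts, a
# distributed attempt on one account from many addresses, and a normal user
# who mistypes a password once and then logs in.
SAMPLE_LOG = """\
2024-05-01T10:00:00 ip=203.0.113.7 user=alice result=failure
2024-05-01T10:00:01 ip=203.0.113.7 user=bob result=failure
2024-05-01T10:00:01 ip=203.0.113.7 user=carol result=failure
2024-05-01T10:00:02 ip=203.0.113.7 user=dave result=success
2024-05-01T10:00:02 ip=203.0.113.7 user=erin result=failure
2024-05-01T10:00:03 ip=203.0.113.7 user=frank result=failure
2024-05-01T10:00:10 ip=198.51.100.1 user=victim result=failure
2024-05-01T10:00:11 ip=198.51.100.2 user=victim result=failure
2024-05-01T10:00:12 ip=198.51.100.3 user=victim result=failure
2024-05-01T10:00:13 ip=198.51.100.4 user=victim result=failure
2024-05-01T10:00:14 ip=198.51.100.5 user=victim result=success
2024-05-01T10:05:00 ip=192.0.2.50 user=grace result=failure
2024-05-01T10:05:20 ip=192.0.2.50 user=grace result=success
"""


def parse(log_text):
    """Turn log lines into event dicts; lines that are not login records are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ip": m["ip"],
            "user": m["user"],
            "ok": m["result"] == "success",
        })
    return events


def detect_stuffing(events, window=timedelta(minutes=1), min_attempts=5, min_distinct=4):
    """Return (suspicious_ips, targeted_users).

    An IP is suspicious if, within one window, it made >= min_attempts logins
    against >= min_distinct accounts. A user is targeted if, within one window,
    >= min_attempts logins against that account came from >= min_distinct IPs.
    The second signal catches the proxied, distributed form of the attack.
    """
    by_ip = defaultdict(list)
    by_user = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
        by_user[e["user"]].append(e)

    def burst(evs, key):
        # Sliding window over time-sorted events for one IP (or one user).
        evs = sorted(evs, key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            if len(span) >= min_attempts and len({e[key] for e in span}) >= min_distinct:
                return True
        return False

    suspicious_ips = sorted(ip for ip, evs in by_ip.items() if burst(evs, "user"))
    targeted_users = sorted(u for u, evs in by_user.items() if burst(evs, "ip"))
    return suspicious_ips, targeted_users


if __name__ == "__main__":
    ips, users = detect_stuffing(parse(SAMPLE_LOG))
    print("suspicious source IPs:", ips)
    print("accounts under distributed attack:", users)
```

On the sample, `203.0.113.7` is flagged as a source and `victim` as a targeted account, while `grace` (two attempts from one address, five minutes after the burst) is not. Note that a successful login inside a flagged burst is the one that matters most to the defender, since that is the credential pair the post says gets logged and resold.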
What are the defences against Account Takeover (ATO)?
- 2-Factor Authentication can provide an additional level of security
- Good password practice – do not re-use passwords, use complex/long passwords, use a password manager
- Ensure you have recovery steps added to your account.
Recovery steps can be:
- Enabling a specific recovery code provided by the website
- Registering a mobile number and a recovery email account with the website
- Setting up SMS alerts for each new login attempt (Facebook does this)
- Using a 2FA authenticator app with automated prompting for authentication (the Microsoft Authenticator and LastPass Authenticator do this for some websites)
- Establishing security questions, although if you are being targeted the answers can typically be obtained from social media and other sources.
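The first item in the list, a recovery code issued by the website, is only as good as the way the site stores it. The following is an added example, not from the original post, showing the server-side handling a practitioner would expect: the codes are shown to the user once, kept only as salted hashes, and each one is consumed on first use. The class name, the count of eight codes and 40 bits of randomness per code are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Added example, not from the original post. Assumed policy: 8 codes per
# account, each 40 random bits shown as 10 hex characters, stored salted-hashed.
CODE_COUNT = 8
CODE_BYTES = 5


def _hash_code(code: str, salt: bytes) -> bytes:
    # Recovery codes are high-entropy, so a single salted SHA-256 suffices;
    # the per-account salt stops one precomputed table from matching every account.
    return hashlib.sha256(salt + code.encode()).digest()


class RecoveryCodes:
    """One-time account recovery codes stored as hashes, never as plaintext."""

    def __init__(self):
        self._salt = secrets.token_bytes(16)
        self._unused = set()  # hashes of codes that have not yet been redeemed

    def issue(self) -> list:
        """Generate a fresh set; the plaintext is returned to the user exactly once.

        Re-issuing invalidates any older codes, which is what a user wants after
        they suspect the old printout has been seen by someone else.
        """
        codes = [secrets.token_hex(CODE_BYTES) for _ in range(CODE_COUNT)]
        self._unused = {_hash_code(c, self._salt) for c in codes}
        return codes

    def redeem(self, code: str) -> bool:
        """Accept a code once. Whitespace and case are normalised for the user."""
        target = _hash_code(code.strip().lower(), self._salt)
        for stored in list(self._unused):
            if hmac.compare_digest(stored, target):
                self._unused.discard(stored)  # burn it: a code works only once
                return True
        return False

    def remaining(self) -> int:
        return len(self._unused)


if __name__ == "__main__":
    rc = RecoveryCodes()
    printed_once = rc.issue()
    print("give these to the user once:", printed_once)
    print("first use accepted:", rc.redeem(printed_once[0]))
    print("second use rejected:", rc.redeem(printed_once[0]))
```

Because only hashes are stored, a later breach of the site's database does not hand the attacker a working recovery code, and because each code is burned on use, a code that an attacker somehow obtains after the legitimate user has spent it is worthless.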
Most corporates won't impose 2FA on internal accounts, but will typically impose it on remote access VPNs. If you are providing remote access to company resources, you would be best to invest in some form of VPN for your employees.
Additional Information can be found at the following locations within our website:
- Our blog on Bot Based Credential Stuffing
- Guidance on the Effective Use of Passwords
- Our Glossaries on Cyber Security Terms and Abbreviations
- Our Latest Blogs and Guidance pages where you can acquire specific guidance on various subjects.
TechRadar also compiles a list of the top password managers. It's worth looking back at this site on a regular basis, and we will be compiling a blog on our own research into using password managers at a later date. Other websites may also maintain such lists.
Headline image provided by Shutterstock