As part of our ongoing blog series on the modern threat landscape, we are taking a look at some of the many threats and risks that are often missed by legacy WAFs and security tools. Unlike traditional injection and XSS attacks, this newer breed of attacks excels at evading traditional signatures and regex rules, allowing attackers to do damage while staying under the radar of security. For additional background, you may want to check out our introductory blog that covers some of the traits these new threats share in common and how they will often be used together as part of a patient, coordinated attack.
However, in this blog, we are going to focus on credential stuffing. This has become one of the most common and significant threats facing organizations today and is a risk for virtually any application that has login functionality (which is to say most applications). Let’s take a closer look at what exactly credential stuffing is, how it can be a challenge to control, and what sorts of things organizations can do to defend themselves today.
What Is Credential Stuffing?
In a credential stuffing attack, attackers attempt to reuse credentials that were compromised in a previous breach in order to log in to another website or application. For example, take the recent RockYou data breach, which exposed 32 million user passwords. Knowing that many end users will often reuse the same password on multiple sites, attackers can take these breached credentials and try them on other high-value applications, such as a bank or online shopping account.
Since data breaches are a relatively common occurrence, attackers have an almost never-ending trove of credentials that they can try against a virtually endless supply of targets. In fact, a recent study has found that there are approximately 15 billion stolen logins stemming from around 100,000 breaches. This leads to somewhat of a cybersecurity feedback loop in which one breach can fuel downstream impacts to other apps and accounts.
The Value of Compromised Accounts
Credential stuffing plays a key role in the underground hacker economy. Naturally, an attacker could seek to directly profit from a compromised account. However, more often than not, access to the account is resold to other actors on the dark web and underground forums. This is an example of the ongoing specialization seen in criminal ecosystems in which certain actors will specialize in gaining access, while others will specialize in using the access to commit fraud or other activities.
These attacks are so common that compromised accounts have well-established commodity prices based on the value of the account. For example, financial and payment services accounts such as banking accounts, PayPal, or Western Union accounts can fetch between $30 and $120 depending on the amount of money in the account. A wide variety of retail accounts are also prized targets with compromised Amazon accounts going for an average of $30. Social media accounts are likewise common targets. These accounts can be used in astroturfing campaigns or can be used to spearphish and spread malware to users in a victim’s social network.
Challenges of Detecting Credential Stuffing
Credential stuffing techniques are able to sidestep traditional WAF signatures and rate-based rules for several reasons. Most notably, the techniques do not rely on an exploit or other overtly malicious action; instead, they use (or abuse) the exposed functionality of an application in unexpected ways. In this case, the attacker, usually in the form of a bot, is using the application’s login functionality in much the same way that a valid user does.
Additionally, since attackers have many username/password combinations to cycle through, the work is typically done by a large, distributed botnet or other forms of malicious automation. This not only speeds up the work, but it allows the attacker to distribute the attack over a large number of IP addresses so that it isn’t obvious that the attack traffic is coming from a specific set of IPs. And unlike a brute force attack, credential stuffing attacks don’t typically try to iterate through multiple passwords for a given account. They simply try the stolen name/password pair, and if that doesn’t work, they move on to the next. As a result, rules that lock out an account after a certain number of failures will never trigger.
This all results in a situation where the attackers can blend in with valid users. On aggregate, it may be obvious that an application is under attack because it is inundated with login traffic. But for each login attempt, security teams often have no way to know which attempt is malicious and which is a real user.
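The point above, that per-account and per-IP thresholds never fire while the aggregate picture is obvious, is easiest to see on actual login telemetry. The following is an added illustration, not ThreatX code and not a description of the platform's detection logic: it parses constructed log lines in an assumed `timestamp ip username outcome` format, runs a classic lockout rule (five consecutive failures per account) and a per-IP rate rule against them, and then computes the aggregate signals a defender would look at instead (overall failure rate, the share of usernames tried exactly once, and distinct usernames per source IP). The thresholds and field names are assumptions chosen for the example.

```python
"""Per-account lockouts versus aggregate login signals (added example, not ThreatX code)."""
import re
from collections import Counter, defaultdict

# Constructed sample log: two legitimate users (alice, carol) followed by a
# distributed credential stuffing burst: one attempt per account, two accounts
# per source IP, almost all failing. Format is assumed: "ts ip user outcome".
SAMPLE_LOG = """\
1000 203.0.113.5 alice fail
1002 203.0.113.5 alice success
1010 203.0.113.9 carol success
1020 198.51.100.10 user001 fail
1021 198.51.100.10 user002 fail
1022 198.51.100.11 user003 fail
1023 198.51.100.11 user004 fail
1024 198.51.100.12 user005 fail
1025 198.51.100.12 user006 success
1026 198.51.100.13 user007 fail
1027 198.51.100.13 user008 fail
1028 198.51.100.14 user009 fail
1029 198.51.100.14 user010 fail
1030 198.51.100.15 user011 fail
1031 198.51.100.15 user012 fail
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (success|fail)$")


def parse_login_log(text):
    """Turn log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, outcome = m.groups()
            events.append({"ts": int(ts), "ip": ip, "user": user, "ok": outcome == "success"})
    return events


def per_account_lockouts(events, threshold=5):
    """Accounts a classic rule would lock: `threshold` consecutive failures on one account."""
    consecutive_fails = Counter()
    locked = set()
    for e in events:
        if e["ok"]:
            consecutive_fails[e["user"]] = 0
        else:
            consecutive_fails[e["user"]] += 1
            if consecutive_fails[e["user"]] >= threshold:
                locked.add(e["user"])
    return locked


def per_ip_lockouts(events, threshold=10):
    """Source IPs a simple rate rule would block: `threshold` or more attempts from one IP."""
    attempts = Counter(e["ip"] for e in events)
    return {ip for ip, n in attempts.items() if n >= threshold}


def aggregate_signals(events):
    """Population-level statistics that expose a distributed, one-try-per-account pattern."""
    total = len(events)
    failures = sum(1 for e in events if not e["ok"])
    attempts_per_user = Counter(e["user"] for e in events)
    users_by_ip = defaultdict(set)
    for e in events:
        users_by_ip[e["ip"]].add(e["user"])
    return {
        "total": total,
        "failure_rate": failures / total if total else 0.0,
        "distinct_users": len(attempts_per_user),
        "single_attempt_users": sum(1 for n in attempts_per_user.values() if n == 1),
        "max_users_per_ip": max((len(s) for s in users_by_ip.values()), default=0),
    }


def looks_like_credential_stuffing(events, failure_rate_threshold=0.6,
                                   single_attempt_fraction=0.7, min_events=10):
    """Flag a window where most attempts fail AND most accounts are tried exactly once."""
    s = aggregate_signals(events)
    if s["total"] < min_events:
        return False  # too little traffic to judge; avoid flagging a handful of typos
    mostly_single = s["single_attempt_users"] / s["distinct_users"] >= single_attempt_fraction
    return s["failure_rate"] >= failure_rate_threshold and mostly_single


if __name__ == "__main__":
    evs = parse_login_log(SAMPLE_LOG)
    print("per-account lockouts:", per_account_lockouts(evs))   # set()
    print("per-IP blocks:", per_ip_lockouts(evs))               # set()
    print("aggregate:", aggregate_signals(evs))
    print("stuffing suspected:", looks_like_credential_stuffing(evs))  # True
```

On this sample neither classic rule fires, because no account sees more than one failure and no IP sends more than two requests, yet the window as a whole is 80% failures across fourteen accounts, thirteen of which were tried exactly once. Aggregate signals like these tell you an attack is underway; attributing individual requests to it still needs the per-visitor techniques discussed later.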
Impacts of Credential Stuffing
Credential stuffing leads to a wide range of problems. Most obviously, a successful credential stuffing attack paves the way for an account takeover (ATO). We will look at ATOs in more depth in future blogs. However, suffice it to say, attackers can abuse a compromised account in a variety of ways to commit fraud and pursue other malicious goals. Financial accounts can be used to steal funds, retail accounts to illegally buy items, and social media accounts to sway opinions or spread malware.
Beyond account takeover, the influx of traffic from a credential stuffing attack can also quickly overwhelm an application’s resources, leading to a denial of service situation. One industry analysis estimates that, on average, 16.5% of traffic on a login page is tied to credential stuffing. That average can be a drop in the bucket, however, when a specific group sets its sights on a particular application or industry. For example, in a recent series of credential stuffing attacks targeting credit unions, we were able to detect that 90% of traffic was malicious, and automatically block that traffic from ever reaching the target customers’ servers.
How ThreatX Protects Against Credential Stuffing
As seen in the previous example, ThreatX has considerable real-world experience in mitigating bot-based attacks, including credential stuffing. The platform is able to do this by bringing together a variety of detection and analysis techniques to reliably separate the valid users from the malicious bots. While the details are naturally always changing as we adapt to stay ahead of attackers, we have highlighted some of the most important traits below:
- Active Interrogation of Visitors: ThreatX actively challenges visitors in ways that are completely transparent to valid users but can cause a bot to reveal its identity. This can include observing how the entity responds to automated challenges, such as how it handles JavaScript or other client-side code.
- Advanced Fingerprinting: ThreatX leverages some of the most advanced fingerprinting techniques in the industry in order to reliably identify and track malicious entities and infrastructure over time. This allows the platform to recognize attackers even as they change IP addresses, user agents, or other identifying characteristics.
- Automated Deception Techniques: The platform can introduce deceptive techniques such as fake fields that are readable to bots but invisible to users. Any interaction with these fields or functions can reveal that the visitor is a bot and not a human.
- Attacker and Application Behavior Analysis: In addition to tracking complex behaviors over time, ThreatX can identify atypical behavior at the user or application level, for example a visitor that fills in a login form with abnormal speed, or an application that appears to be getting overloaded with login traffic.
- Global Correlation and Tracking: By fingerprinting attacking entities, ThreatX is able to track their behavior across the Internet and across organizations. This allows organizations to benefit from intelligence gathered in previous attacks and preemptively block threats before the attack even gets started.
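Two of the signals listed above, a deceptive form field that only automation fills in and a submission that arrives faster than a human could type, can be checked on the server side of any login handler. The following is an added example of how a defender might implement those two checks; it is not ThreatX code and does not describe how the platform implements them. The hidden field name `website_url`, the HMAC-signed issue-time token carried in `form_token`, and the two-second minimum fill time are all assumptions chosen for the illustration.

```python
"""Honeypot-field and form-fill-timing checks for a login handler (added example, not ThreatX code)."""
import hashlib
import hmac
import secrets

# Hypothetical hidden field: rendered in the form but hidden from humans via CSS,
# so a legitimate browser submission leaves it empty. The name is an assumption.
HONEYPOT_FIELD = "website_url"

# Constructed per-process secret; a real deployment would use a configured key.
SERVER_KEY = secrets.token_bytes(32)


def issue_form_token(issued_at, key=SERVER_KEY):
    """Embed the time the form was served, signed so the client cannot backdate it."""
    ts = str(int(issued_at)).encode()
    sig = hmac.new(key, ts, hashlib.sha256).hexdigest()
    return f"{ts.decode()}.{sig}"


def verify_form_token(token, key=SERVER_KEY):
    """Return the issue time if the token is intact and authentic, else None."""
    try:
        ts, sig = token.split(".", 1)
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(key, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        return int(ts)
    except ValueError:
        return None


def assess_login_submission(form, now, min_fill_seconds=2.0, max_age_seconds=1800):
    """Return the list of bot indicators found in a submitted login form (empty means none)."""
    reasons = []
    # A human never sees the honeypot field, so any value in it is an automation signal.
    if form.get(HONEYPOT_FIELD):
        reasons.append("honeypot_filled")
    issued_at = verify_form_token(form.get("form_token", ""))
    if issued_at is None:
        reasons.append("missing_or_invalid_token")
    else:
        elapsed = now - issued_at
        if elapsed < min_fill_seconds:
            reasons.append("filled_too_fast")   # form submitted before a person could type
        elif elapsed > max_age_seconds:
            reasons.append("token_expired")     # stale or replayed form
    return reasons


if __name__ == "__main__":
    served_at = 1_700_000_000
    token = issue_form_token(served_at)
    human = {"username": "alice", "password": "correct horse", "form_token": token}
    bot = {"username": "user001", "password": "leaked", "form_token": token,
           HONEYPOT_FIELD: "http://example.invalid"}
    print(assess_login_submission(human, now=served_at + 12))   # []
    print(assess_login_submission(bot, now=served_at + 0.4))    # ['honeypot_filled', 'filled_too_fast']
```

Signing the issue time matters: an unsigned timestamp in a hidden field is just another parameter the client controls. Both checks are signals to feed into a broader score rather than hard blocks on their own, since a submission with no indicators can still be automation that has learned to leave the field blank and wait.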