Credential stuffing is a phishing attack in which threat actors use credentials obtained from a data breach to log in to another, unrelated service. For example, an attacker may take a list of usernames and passwords obtained from a breach of a department store and use those login credentials on the website of a national bank. The malicious actors rely on the assumption that a fraction of department store customers also have a bank account and use the same login credentials for both services.
Alarming Statistics Pertaining to Credential Stuffing Attacks
The following statistics highlight the need to address the growing issue of credential stuffing:
- The F5 annual Credential Stuffing Report 2021 states that credential spill incidents approximately doubled from 2016 to 2020.
- It further adds that organizations were slow in detecting cyber intrusions, taking 327 days on average to discover credential spills. The median time was 120 days, and the most prolonged period to detect the phishing attack was six and a half years!
- According to a report by Arkose Labs, 1.3 billion phishing attacks occurred in the third quarter of 2020, with over 770 million using credential-stuffing techniques. While it is not the first report to note the rise of pandemic-related credential stuffing, it is the latest that confirms its magnitude.
- According to a report by Akamai, 2020 saw 193 billion credential stuffing attacks worldwide, with over 3.4 billion phishing attacks hitting financial services organizations – an increase of over 45% year-over-year in the sector.
Difference Between Brute Force Attacks And Credential Stuffing
Organizations’ primary mistake when choosing an anti-malware solution against these attacks is that they sub-categorize credential stuffing under brute force attacks. However, there are significant differences between them. While brute force attacks try to guess passwords with no clues or context, credential stuffing uses exposed data, which greatly reduces the number of candidate passwords that need to be tried. Thus, strong passwords may be robust anti-phishing protection against brute force attacks but are insufficient against credential stuffing.
How Threat Actors Launch Credential Stuffing Attacks
Essentially, there are three necessary steps for carrying out a credential stuffing attack:
Data Harvesting: Before attackers launch a credential stuffing attack, they need databases that contain valid emails, usernames, and passwords. They are readily available on the internet or the dark web.
Validating Accounts: Once equipped with the data, they try to obtain valid username-password combinations. Hackers deploy bots, human click farms, automated scripts, or a combination to do this quickly.
Monetizing the Attack: The next step is monetizing the attack, which hackers complete by selling the validated credentials on the dark web or to third parties.
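The validation step above leaves a recognizable trace on the defender's side: one source address trying many different usernames in a short window, with almost every attempt failing. The following script is an added example (not code from the original article) that runs that check over a few constructed authentication log lines; the log format, the field names and the thresholds (five distinct users in five minutes with at least 80% failures) are assumptions chosen for illustration, and the flagged addresses are exactly what a deny list, as the article recommends later, would be fed with.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample log (hypothetical format, not from any real system).
# 203.0.113.7 cycles through many accounts; 198.51.100.20 is one user mistyping.
SAMPLE_LOG = """\
2021-06-01T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2021-06-01T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2021-06-01T10:00:03Z ip=203.0.113.7 user=carol result=FAIL
2021-06-01T10:00:04Z ip=203.0.113.7 user=dave result=OK
2021-06-01T10:00:05Z ip=203.0.113.7 user=erin result=FAIL
2021-06-01T10:00:06Z ip=203.0.113.7 user=frank result=FAIL
2021-06-01T10:00:07Z ip=203.0.113.7 user=grace result=FAIL
2021-06-01T10:00:08Z ip=203.0.113.7 user=heidi result=FAIL
2021-06-01T10:01:00Z ip=198.51.100.20 user=alice result=FAIL
2021-06-01T10:01:30Z ip=198.51.100.20 user=alice result=FAIL
2021-06-01T10:02:00Z ip=198.51.100.20 user=alice result=OK
2021-06-01T10:03:00Z ip=192.0.2.5 user=bob result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Turn the assumed log format into a list of event dicts; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_stuffing_sources(events, window_seconds=300, min_distinct_users=5,
                          min_fail_ratio=0.8):
    """Flag IPs that, within any sliding window, hit many distinct accounts
    with a high failure ratio. Returns ip -> stats of the latest window
    that tripped the thresholds."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        window = deque()          # events inside the current time window
        users = Counter()         # distinct usernames inside the window
        failures = 0
        for ev in evs:
            window.append(ev)
            users[ev["user"]] += 1
            failures += ev["result"] == "FAIL"
            # Drop events that fell out of the window.
            while (ev["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                old = window.popleft()
                users[old["user"]] -= 1
                if users[old["user"]] == 0:
                    del users[old["user"]]
                failures -= old["result"] == "FAIL"
            if len(users) >= min_distinct_users and failures / len(window) >= min_fail_ratio:
                flagged[ip] = {"distinct_users": len(users),
                               "attempts": len(window),
                               "failures": failures}
    return flagged


def compromised_accounts(events, flagged):
    """Accounts that accepted a login from a flagged source: the 'hits' the
    attacker will monetize, so these need a forced reset and user notification."""
    return {ev["user"] for ev in events
            if ev["ip"] in flagged and ev["result"] == "OK"}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = find_stuffing_sources(evs)
    for ip, stats in hits.items():
        print(f"deny-list candidate {ip}: {stats}")
    print("accounts to reset:", sorted(compromised_accounts(evs, hits)))
```

The distinct-user count is what separates this from an ordinary lockout rule: a legitimate user failing a few times against one account never trips it, while a credential list replayed from one address does so within seconds. In production the same logic would run over a streaming source and the thresholds would be tuned to the site's normal login volume.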
Why Do Organizations Need to Worry About These Attacks?
Organizations seeking to deploy the best phishing protection must understand that credential stuffing attacks are easy and cheap to launch and can cause enormous losses to them, both indirect and direct.
- Direct losses include costs linked with restoring user accounts, remediating the attack, and refunding the amounts stolen from user accounts. Since resetting one compromised password costs enterprises nearly $70, inadequate anti-malware protection can cost businesses millions every year.
- For operational costs, organizations experience an increased burden on legal and compliance teams, increased calls to contact centers, and the need for additional anti-malware and email phishing protection protocols. Large organizations may spend over $2 million a year in call center costs to help users reset passwords. Furthermore, the automated login attempts put undue strain on IT infrastructure and server usage.
- Another impact of these attacks is that they create negative publicity and disgruntled customers, which cause irreparable damage to the brand’s reputation. In today’s social media age, where reviews and ratings play a crucial role in building a brand, any angry complaint or adverse comment can adversely impact customer acquisition.
Ways to Prevent Credential Stuffing Attacks
Cyber-criminals use these lists and combine them with advancements in credential stuffing tools to get around traditional anti-phishing solutions. Here are the ways to protect your organization from credential stuffing attacks:
- Use unique passwords for each service: The first step to mitigate the chances of credential stuffing is to use different passwords. Since an average person has over a hundred accounts and it is challenging to generate and remember unique passwords, they can create an encryption rule to create unique and robust passwords.
- Use a web application firewall (WAF): IT teams must make a reliable web application firewall (WAF) inherent to their anti-phishing solution, which will detect abnormal traffic from botnets. Although they cannot prevent credential stuffing attacks on their own, they can flag suspicious login attempts.
- Credential Hashing: Hashing scrambles a user’s password before organizations store it in their database, so that if the database is stolen, a malicious actor will not be able to use the passwords.
- Multi-Factor Authentication (MFA): It is a highly effective way to prevent phishing attacks like credential stuffing. It requires users to authenticate themselves using another authentication form, in addition to a username-password combination. For example, it can be a one-time code sent to the user’s device, biometric authentication like a fingerprint, or an email to a secure account.
- Implement IP address deny lists: Since threat actors work from a limited pool of IP addresses, IT teams can recognize and block IPs that attempt to log into multiple accounts.
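Two of the measures above, credential hashing and MFA, meet in the login handler. The following is an added example, not code from the original article, showing a login check that stores only a salted PBKDF2-HMAC-SHA256 hash of the password and then demands a time-based one-time code (TOTP, RFC 6238) before accepting the session. The in-memory user store, the iteration count and the login helper are assumptions for illustration; the TOTP routine is checked against the RFC 4226/6238 test vectors (shared secret "12345678901234567890").

```python
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ITERATIONS = 600_000  # assumed work factor; raise as hardware allows


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return a record holding salt, iterations and the PBKDF2 digest.
    A leaked copy of this record does not yield the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(record, candidate):
    """Recompute the digest and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """Time-based variant (RFC 6238): the counter is the 30-second step number."""
    return hotp(secret, int(unix_time // step), digits)


def verify_totp(secret, code, unix_time, step=30, skew=1):
    """Accept the current step and +/- `skew` neighbours to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * step), code)
               for d in range(-skew, skew + 1))


# Dummy record so that unknown usernames cost the same time as real ones.
_DUMMY = hash_password("dummy-password")


def login(store, username, password, code, now=None):
    """Hypothetical login handler: password hash first, then the second factor.
    A reused password leaked from another site fails at the TOTP check."""
    now = time.time() if now is None else now
    rec = store.get(username)
    if rec is None:
        verify_password(_DUMMY, password)  # burn comparable time, then refuse
        return False
    if not verify_password(rec["password"], password):
        return False
    return verify_totp(rec["totp_secret"], code, now)


if __name__ == "__main__":
    # Constructed user store: one account with a per-user TOTP secret.
    store = {"alice": {"password": hash_password("correct horse"),
                       "totp_secret": os.urandom(20)}}
    now = time.time()
    good_code = totp(store["alice"]["totp_secret"], now)
    print("password + valid code:", login(store, "alice", "correct horse", good_code, now))
    print("password + stale code:", login(store, "alice", "correct horse", "000000", now))
    print("leaked password only:", login(store, "alice", "leaked-elsewhere", good_code, now))
```

Both comparisons use `hmac.compare_digest` so that response time does not leak how many bytes matched, and an unknown username still pays for one PBKDF2 computation so that timing does not reveal which accounts exist. The deliberately slow hash protects the passwords if this site is the one that gets breached; the second factor protects the accounts when a password reused here has already leaked from somewhere else.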
Credential stuffing attacks are easy and cheap to deploy, and hence their popularity with criminals keeps growing. Even if your business isn’t affected yet, you must not treat anti-malware and anti-ransomware solutions as the one-stop solution for all security needs. A robust anti-phishing strategy is a must, and enterprises must understand that passwords as the primary means of authentication do not provide the security required today. Furthermore, better phishing safeguards are no longer optional but a necessity in today’s evolving threat landscape.