A type of credential reuse attack known as credential stuffing has recently been observed in higher numbers across industry verticals. Credential stuffing is the automated probing of, and access to, online services using credentials that usually come from data breaches or are bought in the criminal underground.
Even though users are not at fault for the online breaches that are usually the prime source of these accounts, they are definitely exposed, not only at the time the breaches occur but also long after, once these dumps of credentials are stored, shared and sold in the underground.
What is the value of an account?
Accounts can have significant value depending on the context and on the data that malicious actors are pursuing. Accounts can be found for sale not only on the dark web but also on the clearnet.
Figure: account market on the clearnet
The value of accounts that have been stolen, purchased or found in very large data-breach dumps is higher if they allow criminals to access financial services. Recent reports by Akamai Technologies and Shape Security indicate that the most targeted services in this type of attack are retail, social media, financial, travel and hospitality.
These attacks are unfortunately fueled by three elements:
What can we do about it?
There are many things that can be done on the user’s side and on the organization’s side to protect against these types of attacks. There has been some chatter about getting rid of passwords altogether, which some services have done, using time-based one-time password (TOTP) applications.
Figure: passwordless sign-in on Microsoft’s online email service
This is definitely a step forward, but not all online institutions can set up passwordless authentication, and some of these setups require several steps that many ordinary users are not willing to go through. Institutions should at least protect stored authentication data with the strongest mechanism available, and make sure that in the event of compromise such credentials cannot be reused. Companies can also enforce password policies that prevent users from repeating or choosing easily guessable passwords, as well as enforcing multi-factor authentication. There are also several measures that can be applied to fight credential stuffing attacks.
From the user’s perspective, there are also some measures that can be taken to prevent these attacks.
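As an added example, not from the original post or the JASK advisory, the following detection rule captures the pattern described above: a single source trying many distinct accounts in a short window with a low success rate, while a single-account brute force is deliberately left to other rules. The log lines, IP addresses, account names and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of login events: "timestamp user source_ip outcome".
# Not real traffic; addresses and account names are made up for this example.
SAMPLE_LOG = """\
2019-03-01T10:00:01 alice 203.0.113.9 FAIL
2019-03-01T10:00:02 bob 203.0.113.9 FAIL
2019-03-01T10:00:02 carol 203.0.113.9 SUCCESS
2019-03-01T10:00:03 dave 203.0.113.9 FAIL
2019-03-01T10:00:03 erin 203.0.113.9 FAIL
2019-03-01T10:00:04 frank 203.0.113.9 FAIL
2019-03-01T10:00:05 grace 203.0.113.9 FAIL
2019-03-01T10:00:05 heidi 203.0.113.9 SUCCESS
2019-03-01T10:00:06 ivan 203.0.113.9 FAIL
2019-03-01T10:00:07 judy 203.0.113.9 FAIL
2019-03-01T10:01:00 alice 198.51.100.7 FAIL
2019-03-01T10:01:20 alice 198.51.100.7 FAIL
2019-03-01T10:01:40 alice 198.51.100.7 SUCCESS
"""

def parse_events(text):
    """Turn each log line into (timestamp, user, source_ip, succeeded)."""
    events = []
    for line in text.splitlines():
        ts, user, ip, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, outcome == "SUCCESS"))
    return events

def detect_stuffing(events, window_s=60, min_users=8, max_success_rate=0.5):
    """Flag sources that hit many distinct accounts within window_s seconds, mostly failing.
    Returns {source_ip: {"attempts", "distinct_users", "compromised"}}; the
    "compromised" set lists accounts that succeeded inside a flagged burst,
    which are the ones to force a reset on. A source hammering one account
    (198.51.100.7 above) never reaches min_users and is not reported here."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[2]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1  # slide the window forward until it spans <= window_s
            window = evs[start:end + 1]
            users = {e[1] for e in window}
            hits = {e[1] for e in window if e[3]}
            if len(users) < min_users or len(hits) / len(window) > max_success_rate:
                continue
            a = alerts.setdefault(ip, {"attempts": 0, "distinct_users": 0, "compromised": set()})
            a["attempts"] = max(a["attempts"], len(window))
            a["distinct_users"] = max(a["distinct_users"], len(users))
            a["compromised"].update(hits)
    return alerts
```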
The JASK Research team took a deeper look at credential stuffing attacks, tools, detection and mitigation in this latest Threat Advisory.