Catching Complex Threats: The Rise of Credential Stuffing
Every day, the number of threat types, attack vectors and exploitation methods that organizations must address grows exponentially. One such vector that has taken off over the last year – and continues to gain momentum – is credential stuffing, where attackers use e-mail addresses and passwords stolen from one site to attempt to access other sites. The attacks are enabled by easy-to-use software applications and widespread botnets that can take lists of compromised user credentials and try to log into a variety of sites.
A recent report published by Internet infrastructure firm Akamai reveals that the company documented nearly 30 billion credential stuffing attempts in 2018. On average, Akamai saw more than 115 million attempts to use stolen credentials per day, with that number spiking to more than 250 million attempts per day three times throughout the year.
"This is not something that just happens to someone else," he says. "This is not something that you can ignore. It is a constant problem." - Martin McKeay, security researcher and editorial director at Akamai.
Because it’s common for people to reuse the same username and password combination, attackers leveraging the credential stuffing method are often able to gain legitimate access to multiple accounts. The end result is typically account takeover, which then allows them to engage in fraudulent transactions or steal additional confidential information.
While no industry is immune to the dangers of credential stuffing, the most targeted include retail, media streaming, entertainment, and banking due to the troves of personal and financial data they typically have stored on their systems.
News headlines align with this data point, with leading brands like Nest, Dunkin' Donuts, and OkCupid falling victim to credential stuffing attacks this year. Just last month, the Japanese clothing empire Fast Retailing announced two of their online stores had been hacked following a credential stuffing attack. The harrowing result? A third party was able to access more than 450,000 customer accounts containing personal and sensitive information.
While it seems that this is a consumer-facing problem, the effects are certainly cascading over into the enterprise as the individual user plays an increasingly critical role in organizational security. User actions, awareness levels and overall security hygiene have the potential to both arm attackers with the sensitive information needed to carry out credential stuffing attacks and grant them unfiltered access to company network and systems if preyed on.
Key Behavioral Drivers
Exposed/ Publicly Accessible Credentials: The sheer number of username and password combinations now floating out in the wild is undoubtedly a primary driver of the skyrocketing number of credential stuffing attempts, as well as their ever-increasing success rate. Security provider SpyCloud reports the number of exposed credentials recovered in 2018 reached nearly 3.5 billion, originating from 2800+ different sources. One massive repository alone, found on the dark web earlier this year and dubbed “Collection #1,” contained 773 million unique email address and cracked password combinations.
But user credentials are not available for sale in the very dark corners of the web. In many cases, they are readily available on easy-to-access public cloud storage and sharing sites. Over 50 percent of respondents in a Ponemon Institute survey agreed that the migration of applications to the cloud increased the risk posed by credential stuffing. And they have good reason to be concerned. The latest Dtex Insider Threat Intelligence Report reveals that 98% of the risk assessments conducted by our analysts last year found proprietary customer information publicly accessible on the web.
Blurring of Work and Personal: The lines between employees’ work and personal lives – and their work and personal devices – have blurred to the point of near non-existence. And this means that what employees are doing at home is not necessarily staying at home.
Looking again at Dtex data, every single risk assessment conducted last year – 100 percent – found employees accessing personal email on work devices. If a user falls prey to a phishing attack by clicking on a link in a personal email that is accessed from their work device, it opens up the front door to the company’s network, critical systems, and sensitive data.
The compromise of an employee’s personal account credentials can also mean that their work login credentials have been compromised, depending on the user’s security and password hygiene. A recent survey found that nearly 60 percent of individuals use the same password across multiple accounts – and 45 percent admit that, even after a breach, they’d be unlikely to change their password. And this trend of reusing account credentials across both personal and work accounts has significant repercussions as the number of compromised, stolen or leaked credentials continues to multiply.
Guidance / New Approach
All of this tells us that the user certainly needs to assume some portion of the responsibility. But we believe it is both unfair and unwise for organizations to hold them 100 percent accountable.
OkCupid is adamant that the hacks aren't a result of a data breach or security lapse at the dating service itself. Instead, the company says that the takeovers are the result of customers reusing passwords that have been breached elsewhere. "All websites constantly experience account takeover attempts and there [hasn't] been an increase in account takeovers on OkCupid," a company spokesperson said in a statement.
There are steps that organizations can take to protect both their vulnerable users and their sensitive data. And there are safeguards that can be put into place to account for user error or negligence, and the inevitability that human mistakes will happen.
The same Ponemon report referenced earlier notes that an overwhelming number of organizations reported having difficulties with detecting credential stuffing attacks (81 percent), as well as distinguishing between real employees and the criminal and imposters who are accessing their systems via compromised credentials (83 percent).
In order to effectively detect, mitigate, and remediate credential stuffing attempts relies, two critical components must be in place: the ability to identify and understand areas of elevated risk, and the ability to understand anomalies in user behavior or activity to distinguish legitimate users from outside infiltrators or attackers.
Areas of Risk: Are you able to identify which employees are accessing personal email accounts on their work laptops? Are you able to see where users might be slipping by security measures and policies so you can close those gaps? The current tendency is to put blocks or rules in place, but more often than not, users are getting around them and without the organization when, where, and how. Complete, user-focused visibility is essential here. Without the ability to see high-risk activity taking place, and the user engaging in it, it is essentially impossible to step in before it’s too late.
Anomaly Detection: Having complete visibility doesn’t equate to having a complete solution, however. In order to detect – and hopefully mitigate – a credential stuffing attack in progress, there also needs to be a level of intelligence applied. It’s the ability to not only see but understand what constitutes normal user behavior that makes it possible to detect any anomalies in that behavior. How do you know if a user's account has been taken over? One glaring red flag is if their behavior suddenly becomes wildly different than it once was.
There also needs to an alerts system in place that can effectively communicate any anomalies and highlight exactly where and when suspicious activity is occurring. Pinpointing high-risk behaviors or users shouldn't feel like digging for a needle in haystack. Intelligence-driven alerts ensure that anomalous or risky activity is prioritized and can be acted upon.
Complete Audit Trail: Finally, it’s worth acknowledging the plain and simple truth that - even with comprehensive safeguards in place - it is nearly impossible to prevent every credential stuffing attempt and ward off every attack. This underscores the importance of a third, supporting element: the ability to generate a full, unbroken audit trail after an incident.
An unbroken chain of user activity data makes it possible to answer key questions quickly and take swift action to remediate any damage. It also allows you to determine the origin of a credential stuffing attack - like how a user fell victim to a phishing attack – so you can address the root of the issue and mitigate future occurrences.
To learn more about why Dtex is uniquely positioned to help you see and understand all user activity, and detect all types of insider threats – including credential stuffing attacks – click here.