The number of cyber attacks and the variety of techniques attackers use today are concerning. Even as organizations become more aware and take measures to protect their business, they are constantly fighting an uphill battle.
As more intrusions lead to data breaches, users' credentials end up in attackers' hands. This makes matters worse not only for the breached organization but for every other service those users log in to, because leaked credentials are the raw material for another attack method known as credential stuffing. Every breach that exposes username and password pairs gives attackers more pairs to try against other services.
What is Credential Stuffing?
Credential stuffing is a type of cyber attack in which username and password pairs taken from one breach are replayed against the login page of unrelated services. It works because many users reuse the same password across multiple websites and services. Attackers almost always employ bots to automate the login attempts and scale the operation to a very large number of accounts.
The tooling has also become more sophisticated. Bots now rotate through large pools of proxy IP addresses so that each address makes only a handful of attempts, which defeats simple IP blacklisting, and they randomize request characteristics to look like many different users.
Credential Stuffing vs Brute Force Attack
Credential stuffing is usually classed as a form of brute force attack, but it differs in an important way. A classic brute force attack tries to log in to an account by guessing passwords, cycling through many candidates (random strings, dictionary words, common patterns) with no knowledge of what the user actually chose. Credential stuffing makes the same automated login attempts but with far better input: real username and password pairs harvested from breaches of other sites.
Think of a brute force attack as trying every possible passcode on a phone until one works. Credential stuffing, in that analogy, is trying the passcodes the owner is known to have used elsewhere. That means far fewer attempts per account, usually just one, which is why per-account lockout thresholds rarely catch it; the attacker makes up for the low hit rate per account by trying a huge number of accounts.
How Does Credential Stuffing Work?
Credential stuffing starts with the attacker getting hold of a database of usernames and passwords from another source, such as a breach, a phishing campaign or a credential dump site. Using automation tools, the attacker then tests these credentials against many websites, including social media profiles, e-commerce marketplaces and apps. Each successful login confirms that a pair is still valid, and the attacker can then use the access in a number of ways: sell the verified accounts to other malicious actors, send phishing messages or spam from the account, harvest sensitive financial information such as stored credit card numbers, or make fraudulent purchases and transfers with the account holder's funds.
What’s at Stake in a Credential Stuffing Attack?
Aside from the financial losses individuals may incur when attackers take over their accounts, organizations face serious consequences of their own.
According to a report from the Ponemon Institute, businesses lose around $6 million a year to application downtime, customer churn and IT costs caused by credential stuffing. On top of this, companies may face regulatory penalties and legal action under data privacy laws such as GDPR, as regulators increasingly hold organizations accountable for failing to protect customer accounts against this kind of attack.
How to Detect Credential Stuffing Attacks
There are some tell-tale signs to look out for that suggest you or your organization is being targeted this way.
Look for Multiple Login Attempts on Multiple Accounts
If you observe a sharp, unusual rise in login attempts spread across many different accounts, chances are an automated bot is carrying out a credential stuffing attack. You can put obstacles in its way, such as progressive delays after failed attempts and temporary bans of IP addresses that previously showed repeated login attempts. But sophisticated bots spread their attempts across many IP addresses and vary device characteristics so that each request looks like a different real user, so per-IP signals alone are not enough.
Stay Vigilant During Downtime Caused By Spike in Site Traffic
If you experience sudden downtime because a spike in traffic is overwhelming your servers, that can also indicate a large-scale, botnet-driven credential stuffing attack. Login endpoints are comparatively expensive to serve (password hashing, database lookups), so a stuffing campaign can look like a denial-of-service attack even when that is not its goal.
Keep an Eye Out for Higher-Than-Usual Login Failure Rate
It is reasonable to expect some proportion of login attempts to fail because of typos and other ordinary causes. But if the login failure rate rises significantly above your normal baseline, bots may be replaying leaked credentials, most of which will not work on your site. In these cases, look at where the attempts come from, their traffic patterns and the speed at which repeated logins are attempted.
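The three detection signals above (many accounts from one source, abnormal failure rate, machine-speed attempts) can be computed from ordinary login logs. The following is an added example written for this article, not CDNetworks code; the log format (ISO timestamp, source IP, username, OK/FAIL), the baseline failure rate and all thresholds are assumptions chosen for the demo, and the log lines are constructed rather than captured.

```python
"""Credential-stuffing indicators computed over login-log lines.

Added example for this article; it is not CDNetworks code. The log format
(ISO timestamp, source IP, username, OK/FAIL), the baseline failure rate and
all thresholds are assumptions for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real traffic. One source tries ten different
# accounts in five seconds; two other sources behave like normal users.
SAMPLE_LOG = """\
2024-03-01T10:00:00 203.0.113.7 alice FAIL
2024-03-01T10:00:01 203.0.113.7 bob FAIL
2024-03-01T10:00:01 203.0.113.7 carol FAIL
2024-03-01T10:00:02 203.0.113.7 dave OK
2024-03-01T10:00:02 203.0.113.7 erin FAIL
2024-03-01T10:00:03 203.0.113.7 frank FAIL
2024-03-01T10:00:03 203.0.113.7 grace FAIL
2024-03-01T10:00:04 203.0.113.7 heidi FAIL
2024-03-01T10:00:04 203.0.113.7 ivan FAIL
2024-03-01T10:00:05 203.0.113.7 judy OK
2024-03-01T10:00:10 198.51.100.4 alice FAIL
2024-03-01T10:00:15 198.51.100.4 alice OK
2024-03-01T10:00:20 192.0.2.9 bob OK
"""

BASELINE_FAILURE_RATE = 0.10      # assumed normal share of failed logins
WINDOW = timedelta(seconds=60)    # assumed analysis window per source
MIN_ATTEMPTS = 8                  # assumed minimum volume before judging a source
MIN_DISTINCT_USERS = 5            # assumed "many accounts from one source" threshold
MAX_ATTEMPTS_PER_SECOND = 1.0     # assumed human-speed ceiling


def parse_log(text):
    """Turn log lines into (timestamp, ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def failure_rate(events):
    """Site-wide share of failed logins; compare it against your own baseline."""
    if not events:
        return 0.0
    return sum(1 for e in events if not e[3]) / len(events)


def site_wide_alert(events, factor=3.0):
    """True when the overall failure rate is far above baseline. This catches
    distributed attacks where no single IP is noisy enough to trip per-IP rules."""
    return failure_rate(events) > factor * BASELINE_FAILURE_RATE


def suspicious_sources(events):
    """Map source IP -> list of reasons, for sources matching stuffing behaviour."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e[0] - start[0] <= WINDOW]
            if len(window) < MIN_ATTEMPTS:
                continue
            reasons = []
            users = {e[2] for e in window}
            if len(users) >= MIN_DISTINCT_USERS:
                reasons.append(f"{len(users)} distinct accounts within {WINDOW.seconds}s")
            rate = sum(1 for e in window if not e[3]) / len(window)
            if rate > 3 * BASELINE_FAILURE_RATE:
                reasons.append(f"failure rate {rate:.0%} vs baseline {BASELINE_FAILURE_RATE:.0%}")
            span = max((window[-1][0] - window[0][0]).total_seconds(), 1.0)
            if len(window) / span > MAX_ATTEMPTS_PER_SECOND:
                reasons.append(f"{len(window) / span:.1f} attempts per second")
            if reasons:
                findings[ip] = reasons
                break   # one verdict per source is enough
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(f"site-wide failure rate: {failure_rate(evs):.0%}, alert={site_wide_alert(evs)}")
    for ip, why in suspicious_sources(evs).items():
        print(ip, "->", "; ".join(why))
```

On the constructed log, only 203.0.113.7 is flagged, on all three counts. The per-source check will miss a "low and slow" campaign that spreads one attempt per IP across a proxy pool, which is why the site-wide failure rate is kept as a separate signal: it moves even when no single source looks busy.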
Tips on How To Prevent Credential Stuffing
In addition to the detection techniques described above, there are some measures you can take to prevent credential stuffing attacks or blunt their effect.
Enforce Multi-Factor Authentication (MFA)
The tried and tested multi-factor authentication (MFA) is still a sound defence against credential stuffing. Since these attacks rely on logging in with credentials obtained elsewhere, requiring a second factor such as a hardware token, a one-time code or biometric (fingerprint or face) recognition nullifies the attack: a leaked password alone no longer grants access. Even a second factor that could itself be phished in a targeted attack still stops a stuffing bot, because the bot only has the password.
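To make the "second layer" concrete, here is an added example, written for this article and not taken from CDNetworks, of a login check that requires a time-based one-time password (TOTP, RFC 6238) in addition to the password. The user record, salt and password are constructed for the demo, and the TOTP secret is the RFC 6238 test-vector secret so the codes can be checked against the published vectors; secret storage and attempt rate limiting are assumed to exist elsewhere.

```python
"""Password plus TOTP (RFC 6238) as a second factor.

Added example for this article, not CDNetworks code. The user store, salt and
password below are constructed for the demo; the TOTP secret is the RFC 6238
test-vector secret. Encrypted secret storage and attempt rate limiting are
assumed to exist elsewhere and are not shown.
"""
import hashlib
import hmac
import struct
import time


def hash_password(password, salt):
    """PBKDF2-HMAC-SHA256; stands in for whatever password hash the site uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, code, unix_time=None, step=30, digits=6, skew=1):
    """Accept the code for the current step plus or minus `skew` steps (clock drift).
    The comparison is constant-time so it does not leak how many digits matched."""
    if unix_time is None:
        unix_time = int(time.time())
    counter = unix_time // step
    for c in range(counter - skew, counter + skew + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


DEMO_SECRET = b"12345678901234567890"   # RFC 6238 test-vector secret, demo only
DEMO_SALT = b"constructed-demo-salt"    # constructed, not a real salt
DEMO_USERS = {
    "alice": {
        "salt": DEMO_SALT,
        "pw_hash": hash_password("correct horse battery", DEMO_SALT),
        "totp_secret": DEMO_SECRET,
    }
}


def login(username, password, code, users=DEMO_USERS, unix_time=None):
    """A stuffed but correct password still fails here without the second factor."""
    record = users.get(username)
    if record is None:
        return False
    if not hmac.compare_digest(hash_password(password, record["salt"]), record["pw_hash"]):
        return False
    return verify_totp(record["totp_secret"], code, unix_time=unix_time)
```

With the test-vector secret, `totp(DEMO_SECRET, 59)` is `287082`, so `login("alice", "correct horse battery", "287082", unix_time=59)` succeeds while the same call with the right password and a wrong code fails. The `skew` window tolerates one step of clock drift either way; widen it no further than necessary, since each extra step is another code an attacker could guess.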
Try Device Fingerprinting
It is possible to detect potential credential stuffing attacks by spotting specific "fingerprints" built from information collected about user devices and incoming sessions. The fingerprint is essentially a hash of parameters such as browser and version, language, operating system, time zone, screen size and others which together suggest a particular device. If the same fingerprint is seen attempting many different accounts in a short span of time, or if other factors make it look suspicious, it could be a credential stuffing attack, and you should act quickly to block it. Fingerprints can be spoofed, so treat them as one signal among several rather than as proof of identity.
Use CAPTCHA Tests
Simple CAPTCHA tests, which check for a real human presence at login, can also help prevent credential stuffing attacks, but only to a certain extent. Attackers are increasingly good at getting past them, whether by driving headless browsers that solve or sidestep the challenge or by outsourcing the solving to human-powered CAPTCHA-solving services, and every challenge adds friction for legitimate users.
Block Access of Headless Browsers
Headless browsers are browsers without a graphical user interface, driven from scripts or a command line rather than by a person. Attackers use them to execute a site's JavaScript and so get past CAPTCHAs and the other checks above. They can often be spotted: stock headless Chrome puts a "HeadlessChrome" token in its User-Agent string and exposes navigator.webdriver as true, and automation frameworks leave other telltale properties behind. Attackers do patch these indicators out, so treat them as a signal, not a guarantee. As an extra precaution you can block identifiable headless browsers from the login endpoint altogether, after allow-listing any monitoring or testing tools of your own that rely on them.
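The two ideas above, a device fingerprint that is watched for "one device, many accounts" and a check for headless-browser indicators, fit in a few lines of server-side code. This is an added example for this article, not CDNetworks code. Requests are modelled as dicts of header values plus two fields, `timezone` and `webdriver`, that a page-side script is assumed to report back; the sample requests and the thresholds are constructed for the demo.

```python
"""Device fingerprinting and headless-browser spotting at the login endpoint.

Added example for this article, not CDNetworks code. Requests are dicts of
header values plus two fields ("timezone", "webdriver") that a page-side
script is assumed to report; sample requests and thresholds are constructed.
"""
import hashlib
from collections import defaultdict, deque

FINGERPRINT_FIELDS = ("user-agent", "accept-language", "accept-encoding", "timezone")


def fingerprint(request):
    """Short stable hash over the attributes that together suggest one device."""
    material = "\x1f".join(request.get(field, "") for field in FINGERPRINT_FIELDS)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def looks_headless(request):
    """Stock headless Chrome announces itself; attackers patch this out, so it is a signal only."""
    ua = request.get("user-agent", "")
    return "HeadlessChrome" in ua or request.get("webdriver") == "true"


class FingerprintMonitor:
    """Flags a fingerprint that tries more than max_accounts distinct accounts per window."""

    def __init__(self, window_seconds=60, max_accounts=3):
        self.window = window_seconds
        self.max_accounts = max_accounts
        self.seen = defaultdict(deque)   # fingerprint -> deque of (time, username)

    def observe(self, request, username, now):
        fp = fingerprint(request)
        q = self.seen[fp]
        q.append((now, username))
        while q and now - q[0][0] > self.window:
            q.popleft()
        return len({u for _, u in q}) > self.max_accounts


# Constructed sample requests, not captured traffic.
BOT_REQUEST = {
    "user-agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/120.0 Safari/537.36",
    "accept-language": "en-US,en;q=0.9",
    "accept-encoding": "gzip, deflate",
    "timezone": "UTC",
    "webdriver": "true",
}
HUMAN_REQUEST = {
    "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36",
    "accept-language": "de-DE,de;q=0.9",
    "accept-encoding": "gzip, deflate, br",
    "timezone": "Europe/Berlin",
    "webdriver": "false",
}


def demo():
    """Replay the bot against five accounts and the human against one; return per-attempt flags."""
    monitor = FingerprintMonitor(window_seconds=60, max_accounts=3)
    flags = []
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin"]):
        flags.append(monitor.observe(BOT_REQUEST, user, now=float(i)))
    flags.append(monitor.observe(HUMAN_REQUEST, "frank", now=5.0))
    return flags
```

In `demo()` the bot's fingerprint trips the monitor on its fourth account while the human's single login does not, and `looks_headless(BOT_REQUEST)` is true on the stock User-Agent alone. A fingerprint built only from headers is cheap to forge; adding client-collected attributes raises the cost, but the velocity check is what does the real work, because an attacker who randomizes every attribute per request then loses the ability to reuse a session and looks like thousands of first-time devices instead.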
Enforce IP Blacklisting
Even with credentials obtained elsewhere, the number of IP addresses an attacker can use to make the attempts look legitimate may still be limited. So one way to act against such attacks is to block or sandbox IPs that try to log into many different accounts. Login history also comes in handy here: compare the IP address of a suspicious attempt with the last few IPs that successfully logged in to that account, and step up verification when it is one the account has never used.
Rate-Limit Non-Residential Traffic Sources
Another way to act against credential stuffing attacks is to apply strict rate limits to traffic from sources that real customers rarely log in from, such as cloud hosting ranges (Amazon Web Services, for example). Traffic from these ranges is in most cases bot traffic, and a rate limit caps the number of login requests a source can make, choking the flood of activity typical of credential stuffing. Bear in mind that attackers increasingly route through residential proxies precisely to avoid this, so hosting-range rate limits are a filter, not a complete defence.
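The IP blacklisting and rate-limiting advice above comes down to a small gate in front of the password check: sliding-window limits per IP and per account, a tighter limit for hosting ranges, a block on any IP that spreads across many accounts, and a per-account history of recent IPs. The following is an added example for this article, not CDNetworks code. `HOSTING_PREFIXES` is a constructed stand-in for an ASN or hosting-range database, and every limit is an assumption to be tuned against your own traffic.

```python
"""Login gate: per-IP and per-account sliding-window limits, a stricter limit
for hosting-provider ranges, and an IP-history check per account.

Added example for this article, not CDNetworks code. HOSTING_PREFIXES is a
constructed stand-in for an ASN/hosting database and every limit is an assumption.
"""
import ipaddress
from collections import defaultdict, deque

# Constructed stand-in: in production, load data-centre/cloud ranges from ASN data.
HOSTING_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]


def is_hosting(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_PREFIXES)


class SlidingWindowLimiter:
    """Allows at most `limit` events per key within the trailing `window_seconds`."""

    def __init__(self, window_seconds, limit):
        self.window = window_seconds
        self.limit = limit
        self.hits = defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class LoginGate:
    def __init__(self):
        self.per_ip = SlidingWindowLimiter(window_seconds=60, limit=20)
        self.per_hosting_ip = SlidingWindowLimiter(window_seconds=60, limit=3)  # cloud ranges: tight cap
        self.per_account = SlidingWindowLimiter(window_seconds=300, limit=5)
        self.ip_accounts = defaultdict(set)                          # ip -> accounts it has tried
        self.account_ips = defaultdict(lambda: deque(maxlen=5))      # account -> last successful IPs

    def check(self, ip, username, now):
        """Decide before the password is even checked; returns (allowed, reason)."""
        limiter = self.per_hosting_ip if is_hosting(ip) else self.per_ip
        if not limiter.allow(ip, now):
            return False, "ip-rate-limit"
        if not self.per_account.allow(username, now):
            return False, "account-rate-limit"
        self.ip_accounts[ip].add(username)
        if len(self.ip_accounts[ip]) > 3:      # one source, many accounts: the classic stuffing shape
            return False, "ip-multi-account"
        return True, "ok"

    def record_success(self, ip, username):
        self.account_ips[username].append(ip)

    def is_new_ip_for_account(self, ip, username):
        """True when the account has a login history and this IP is not in it."""
        history = self.account_ips[username]
        return bool(history) and ip not in history
```

A hosting-range IP is cut off after three attempts per minute, a normal IP after trying a fourth distinct account, and any account after five attempts in five minutes regardless of source. `is_new_ip_for_account` is the hook for stepping up verification (a second factor or an e-mail confirmation) rather than an outright block, since a genuine user on a new network should still be able to get in. The `ip_accounts` set never expires in this demo; in production it would live in a store with a TTL, and a blocked verdict should return the same generic error as a wrong password so the gate itself does not reveal which accounts exist.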
Avoid Using Email Addresses as User IDs
Many sites let people use their email address as the login ID. That makes credential stuffing easier, because a leaked email and password pair can be replayed as-is against every site that follows the same convention. Encourage users to choose a username that is distinct from their email address, or enforce that at account creation. On its own this is only a minor obstacle, since breaches often expose usernames as well, but it does break the direct one-to-one reuse that stuffing tools depend on.
Adopt Bot Detection and Management Tools
The most effective protection against credential stuffing is a comprehensive bot detection and management service. These combine rate limiting with IP reputation databases and behavioural analysis to stop suspicious login attempts while letting legitimate logins through as normal. CDNetworks offers Bot Shield (bot protection and management), a cloud-based bot management solution that can identify malicious bot traffic, including credential stuffing, and send notifications so you can take immediate action.
In addition, solutions such as CDNetworks Application Shield (DDoS protection and web application firewall) integrate a web application firewall (WAF) with a content delivery network (CDN), which can also help protect against credential stuffing attacks.