Credential stuffing sounds simple: attackers test stolen usernames and passwords across sites to see what works. After the hype and complexity of vulnerabilities like Heartbleed and Spectre, password reuse seems easy to dismiss. This has caused credential stuffing to become the most underrated attack of the 2010s and it hints at the future of application level attacks.
This class of attacks remained largely unchanged for years. There was no reason to change, they weren’t blocked. As adversity increased, attackers started to iterate faster, now bypassing defenses in a matter of months or even weeks. Dozens of companies, large and small, have tried to block credential stuffing attacks. Not a single, widely deployable defense – nothing – has seen lasting success without needing to evolve at the same speed.
Attackers aren’t leaving, the return on investment is just too high.
How credential stuffing works
Credential stuffing attacks distill lists of credentials into lists of valid accounts primed and ready for further attack. Any site that has a login is vulnerable. Most attackers start with sites they know how to monetize, either because there is real money to drain or they have a scam they’ve seen work before. Banks and retailers are obvious targets. Companies with gift cards are just banks with specific currency. Services with loyalty points (e.g. frequent flyer miles), stored value (e.g. prescription refills, coupons) or digital goods (e.g. video game skins) are hot, too. If there is a social component, then accounts can be used to phish, spam, boost or influence others. Every account has value. Fraudsters are creative.
The attacker then needs a list of credentials, distributed as “combolists.” Combolists are text files with thousands of username and password pairs, usually from credential spills. Getting combolists in the early days was not easy: novice attackers would need to find and join the right groups or breach credentials themselves. Now, popular hacking forums link to billions of spilled credentials for free.
While the majority of these credentials won’t work on most sites, they are just a starting point. Attackers feed combolists to programs that churn for days to produce a list of valid accounts. These tools range from legitimate developer programs like cURL or Puppeteer to attack tools designed with credential stuffing in mind like SentryMBA or SNIPR. Once an attacker has a list of valid accounts, they can sell them or jump straight into an account takeover. After accounts are drained, the credentials get resold for further abuse.
The ROI of automated attacks
At the heart of these attacks lies a financial question: will an attack result in more value than it costs to execute? Credential stuffing attacks against the Fortune 500 have less than a 2% success rate while success rates on smaller sites can be as high as 35%. Valid credentials are worth between a couple dollars to over one hundred on account marketplaces. With a 2% success rate, an attack with one million requests nets you twenty thousand accounts. Twenty thousand accounts sold at two dollars apiece is a lot of money even before any fraud takes place. The value is enticing, but how much does it cost to make a million requests?
At one request per second, one million requests would take almost two weeks. That’s feasible on a laptop with a residential internet connection. Attackers don’t need supercomputers or botnets to get started. Credential stuffing became popular because all it took were simple tools and equipment you already had. It was perfect: high value, low cost and — when proxied across the globe — untraceable. The cost has not increased much over the past two decades, either. New defenses increase the cost of entry but, as with all technology, cost reduces over time. Attackers generalize their techniques, developers create new tools, and legitimate advancements like cloud computing reinvigorate old tactics. The cost of credential stuffing remains low even today.
Defending against credential stuffing is a game of balancing user friction, budget, and manpower. This game has reached a fever pitch in the last five years. Internet companies continue to explode in value and the more user data they store, the more money an account is worth. Hundreds of credential spills over the last decade only add fuel to the fire.
How attackers evolved to imitate
Credential stuffing had seen years of unchecked growth up until the mid-2010s. In 2015, account takeovers got so bad that TurboTax suspended e-filing during tax season and the Open Web Application Security Project (OWASP) released the Automated Threat Handbook. Breaches were exploding and “credential stuffing” was the link between them and account takeovers.
In the years that followed, defenses got better and decreased the response rate to attacks from years to months. Even defenses that were simple in theory to bypass required non-trivial R&D to generalize. It was an unattractive cost. Either deliberately or via natural evolution, attackers shifted tactics from bypassing defenses to imitating legitimate users. When an attacker looks just-legitimate-enough, they become difficult to block en masse. This transition marked the start of what Shape Security now calls “imitation attacks”, attacks that replicate user behavior, environments, and qualities to bypass detection and pass risk assessment.
The future of illegitimate application use
Credential stuffing became popular because it is cheap and easy but it’s not the only unwanted automation that you need to worry about. Illegitimate or inauthentic traffic is one of the safest ways for criminals to experiment with new scams. There are very few laws that regulate this behavior so missteps only lead to, at worst, a banned account and not a prison sentence.
It is critical for teams to get visibility on these problems now, regardless of the company’s stance on credential stuffing. Some companies call this a “bot” problem. Social media businesses use the term “coordinated inauthentic behavior” but it’s another way to represent a similar issue. Even intelligent phishing proxies can now skin entire websites and act on behalf of a victim. Illegitimate application use is everywhere and no silver bullet defense exists.
The best defense we have starts with understanding your applications and users. Attackers don’t know exactly what your demographics are and how they act, but you do. It has never been more important to knock down data silos and get teams and systems talking to each other. Data engineers and scientists will be central to understanding how to organize and analyze your data for the next decade. That will take time and effort but the value will be greater than what any vendor can promise. Until you get there, a multilayered approach that combines internal analytics with one or two third party vendors will manage current attacks enough to keep your head above water.