The Anatomy Of A Credential Stuffing Attack

By   Katrina Thompson
, Bora | Oct 21, 2021 03:03 am PST

While data breaches might be a heist best left to the experts, credential stuffing is a poor-man’s sport. And it’s a pretty popular game. In a 2020 report, RSA recognized it as “gaining tremendous momentum” and cited the then-recent breaches (Marriott, Capital One, Equifax) as providing the fodder used in those attacks – your usernames and passwords. Credential Stuffing Attacks (CSAs) complete the cycle, really. What good is a data breach if you don’t utilize the data? Credential stuffing uses (and overuses) the contraband credentials to try to access other accounts of yours – assuming you use the same password.

Called “the most popular way to obtain compromised credentials for account takeover,” CSAs are ubiquitous enough to require you to take action or eventually risk being a victim. Coming in all varieties, CSA entrepreneurs have their specialties – some to take over accounts, other to steal data, but their attacks are non-discriminating. So, at the risk of making this an effective “how-to” manual for rookie threat actors, let’s delve into the basics of what constitutes the increasingly popular credential stuffing attack – and how to avoid it.

What is a credential stuffing attack?

The OWASP describes credential stuffing as “the automated injection of stolen username and password pairs (“credentials”) in to website login forms, in order to fraudulently gain access to user accounts.” In other words, automating lists of stolen logins to “brute force” an entry, and doing nefarious things once access is obtained.

How is credential stuffing different from a brute force attack? It’s the easy-bake version. A proper brute force attack goes through all the hard work of guessing usernames and passwords from scratch (algorithmically “brute forcing” the logins), while credential stuffing comes with a list of conveniently pilfered and proven legitimates – ready for launch at an unsuspecting API or account gateway. This list is often obtained through a data breach with the purpose of finding accounts that are re-used across multiple sites.

In January of last year, RSA released a document highlighting the “credential stuffing gold rush.” The resources are nearly free (due to dark web downloads and availability), it doesn’t take much technical skill, and you have a 0.5 – 3% success rate – not bad, in this line of work. And the obvious defenses, like rate limiting, won’t work against more sophisticated forms of credential stuffing attacks, such as those targeting APIs. Easy-to-access credentials are another major factor contributing to the rise of these automated attacks. In the early days, a hacker’s hot goods were jealously hoarded or respectably hawked on the dark web. However, it would seem a great deal of respect for the craft has been lost as 2019 saw 2.2 billion records released into the wild – for absolutely free. Nowadays, it’s common to see logins languishing in the backwaters of Tor with no price tag. This dark web camaraderie is one magnanimous step for hackers, but one giant step back for the rest of us.

What is the anatomy of a credential stuffing attack?

While some sources break it down into multiple detailed stages, here are the basic ingredients of a CSA:

  • Combolists

Attackers gather their combolists – those leaked username and password databases lurking on the internet. They’re hoping many of those passwords have been reused, and many are – hence the source of success for CSAs.

  • Credential stuffing tools

Bad actors can increase the likelihood of landing a match by downloading publicly available tools that will let them know which passwords belong to which sites. Throttling can help attacks fly under the radar, by limiting the amount of times a botnet can send out an authentication attempt. Do it too many times and the account is locked out – or, your behavior raises a red flag.

  • The payload

Once an attempt has been successful, the criminal will use the authenticated access to exfiltrate data, raise or take advantage of permissions, impersonate legitimate businesses and transfer funds, for example, or resell the account credentials at an inflated cost, knowing them now to be legitimate. Obviously, the negative opportunities upon entry are myriad.

  • Continuous improvement

If there is honor among thieves, there is also professionalism. Not wanting to waste a good day’s work, CSA attackers have their own version of the CI/CD loop as they mark which logins were a failure, excluding them from the next run and making the operation ever narrower and more efficient as time goes on.

How can I prevent a credential stuffing attack?

Credential stuffing attacks operate on the hope that users reuse their passwords – which 65% of users do, according to Google. So, the solutions are easy.

  • Use a different password on each account. A secure password is still vulnerable if you’ve used it more than once.
  • Use a password manager to keep all of your logins distinct.
  • Multi-Factor Authentication can provide a barrier between your account and an enterprising opportunist. While not totally effective, MFA can discourage a lazy attacker. And, according to Auth0, Single-Factor Authentication is a leading cause of CSA success.
  • Behavioral analytics help your organization establish a baseline, making irregular and illicit behavior – such as multiple attempts within the same hour – easier to distinguish. 

We have only ourselves to blame when so much – indeed, all – of the strategy behind CSAs capitalizes on personal negligence. It doesn’t “crack” the code of our personal logins – it merely reuses them in the hopes that we’ve used the same key in multiple places. While we have less control over the data breaches that landed our credentials in bad hands to begin with, it is possible to mitigate a CSA attack by using distinct, secure passwords on every site you use – and change the one that got compromised.

Notify of
0 Expert Comments
Inline Feedbacks
View all comments

Recent Posts

Would love your thoughts, please comment.x