Many types of organizations rely on myNetWatchman to help protect against credential stuffing and account takeover attacks, but user account security is especially important for financial institutions (FIs). In this article, we’ll explore a recent credential stuffing attack against a financial institution, where myNetWatchman observed this attack as part of our continuous, real-time monitoring. Bad actors tend to repeat their attacks and attack patterns against many FIs, and the intent of sharing this case study is to help others recognize and defend against similar patterns when they see a credential stuffing attack.
The credential stuffing attack detailed here occurred between June and August 2024, targeting a large financial institution with many consumer accounts. Let’s discuss some of the details of this attack and why these techniques and patterns are so common.
For readers less familiar with the basics of credential stuffing attacks, please read our previous blog post on credential stuffing.
It’s a high-volume numbers game.
Credential stuffing attacks systematically test credentials (email or username and password combinations) exposed via data breaches and phishing attacks to see where else the same credential pair may be used. Although it is expected that there will be a large percentage of failures, the idea is to identify the credentials that successfully provide access to the account to extract value from this more refined list. In this credential stuffing attack, myNetWatchman observed over eight million unique usernames attempted in a 6-week period.
Attackers cater to their targets.
The bad actors behind this attack took into account the fact that FIs, including this one being targeted, do not typically use email addresses as usernames. Nearly all of the more than eight million usernames attempted during this credential stuffing attack were non-email usernames.
The cred stuffing success rate is lower for FIs compared to eCommerce retail.
However, the damage or impact of account takeover is much greater for FIs than it is for eCommerce merchants. The success rate of this credential stuffing attack was 0.1 percent, or about eight thousand of the accounts tested. This FI supports two-factor authentication (2FA), but was not presenting it for all logins. We are uncertain how many of the successful login attempts from the cred stuffing attack were presented with, or stopped by, 2FA. However, even when 2FA stops the bad actors from gaining access to the account, they have confirmed that the credentials are valid. From that point they may use phishing, SIM swaps or other techniques to gain control of the email address or phone number used for authenticating with 2FA.
You are rarely the first target of a credential stuffing attack.
AllCreds gives myNetWatchman clients deep value by showing that the credentials being attempted against them are not only compromised, but have already been seen in other credential stuffing attacks. As is typically the case, a majority of the successful credential pairs (those that advanced far enough to be presented with 2FA) attempted against this FI had been seen previously. Nearly nine in ten, or 86 percent, of the successful credentials used in the cred stuffing attack had previously been observed by myNetWatchman.
You often aren’t the first target in your industry either.
More than one quarter (26 percent) of the valid credentials used in this credential stuffing attack had previously been observed by myNetWatchman being used against other FIs. We know that consumers have a tendency to reuse passwords. Thankfully, many realize that they should use a more secure password for online banking than they use for other online accounts. It may be that many consumers reuse the same password across multiple online banking logins, and fraudsters are exploiting this by testing these compromised credential pairs across multiple FIs. Or it may be that the bad actors mine their compromised credential data set for non-email usernames and strong passwords, as these are more likely to be used for online banking. They don't know which FIs the account holders bank with, so they target many with credential stuffing attacks.
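To make the patterns above concrete, here is an added example (not myNetWatchman's or AllCreds' code) that summarises a window of login events for one FI with the same metrics the case study reports: unique usernames, non-email share, success rate, and how many of the valid pairs were already known from earlier attacks or from attacks on other FIs. The login events, the two lookup sets and the SHA-256 fingerprinting of credential pairs are constructed assumptions standing in for a real event stream and a shared exposed-credential repository.

```python
import hashlib

# Constructed sample login events for one FI, not real data: (username, password, login_succeeded).
SAMPLE_ATTEMPTS = [(f"acct{i:04d}", f"Pass{i}!", False) for i in range(38)] + [
    ("mrivera", "hunter2", True),
    ("jsmith42", "Winter2023!", True),
    ("ana@example.com", "qwerty", False),
]

def cred_fingerprint(username: str, password: str) -> str:
    """Hash the pair so the lookup sets hold no plaintext passwords (assumed scheme)."""
    return hashlib.sha256(f"{username.lower()}:{password}".encode()).hexdigest()

# Constructed stand-ins for a shared repository: pairs seen in any earlier stuffing attack,
# and the subset already seen tested against other FIs.
PREVIOUSLY_OBSERVED = {cred_fingerprint("mrivera", "hunter2"),
                       cred_fingerprint("jsmith42", "Winter2023!")}
SEEN_AT_OTHER_FIS = {cred_fingerprint("mrivera", "hunter2")}

# Toy thresholds; the campaign in the post spanned eight million usernames at 0.1 percent.
MIN_ATTEMPTS, MIN_UNIQUE_RATIO, MAX_SUCCESS_RATE = 25, 0.9, 0.05

def analyze_window(attempts, previously_observed, seen_at_other_fis):
    """Summarise one window of login events with the metrics the case study reports."""
    unique_users = {u for u, _, _ in attempts}
    valid = [(u, p) for u, p, ok in attempts if ok]
    non_email = sum(1 for u in unique_users if "@" not in u)
    prev = sum(1 for u, p in valid if cred_fingerprint(u, p) in previously_observed)
    other = sum(1 for u, p in valid if cred_fingerprint(u, p) in seen_at_other_fis)
    n, v = len(attempts), len(valid)
    summary = {
        "attempts": n,
        "unique_usernames": len(unique_users),
        "non_email_share": non_email / len(unique_users),
        "success_rate": v / n,
        "valid_previously_seen_share": prev / v if v else 0.0,
        "valid_seen_at_other_fis_share": other / v if v else 0.0,
    }
    # Stuffing signature: nearly every attempt is a different account and almost all fail.
    summary["likely_credential_stuffing"] = (
        n >= MIN_ATTEMPTS
        and summary["unique_usernames"] / n >= MIN_UNIQUE_RATIO
        and summary["success_rate"] <= MAX_SUCCESS_RATE
    )
    return summary

def accounts_to_remediate(attempts, previously_observed):
    """Accounts whose valid credentials are known-compromised: force a reset and step-up auth."""
    return sorted(u for u, p, ok in attempts if ok and cred_fingerprint(u, p) in previously_observed)
```

Run `analyze_window(SAMPLE_ATTEMPTS, PREVIOUSLY_OBSERVED, SEEN_AT_OTHER_FIS)` to see the flag raised on the constructed window, and `accounts_to_remediate(...)` for the accounts that need a forced reset.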
It’s not a matter of if, but when.
FIs will see credential stuffing attacks because the ability to take over online banking accounts is valuable to fraudsters. 2FA may prevent account takeover, but the successful credential stuffing attack is valuable to the attackers who may later target that account holder with phishing or other schemes to try and beat or circumvent 2FA.
FIs need to be aware when credential stuffing attacks are occurring and know what online banking consumer accounts are using compromised credentials. myNetWatchman offers unique visibility into credential stuffing attacks, specifically as it relates to FIs. It is extremely valuable to know not only that the presented credentials are compromised, but that they are actively being tested. It is even more valuable to know that these credentials are actively being tested against other FIs.
myNetWatchman provides this visibility, offering high-quality and meaningful risk signals, all built on our continuously growing data repository of over 30 billion exposed credential pairs, which protects over 550 million users for our clients.