Credential stuffing is still a popular cybercrime. What is it and what makes it so popular?
What is it?
Credential stuffing (AKA “cred stuffing”) is a type of cyber attack in which username and password pairs (“credentials” or “creds”) obtained from one source are attempted against other sites and systems. Criminal actors, sometimes referred to as cred stuffers, use automation to test large numbers of known credentials against various target systems, typically with credential-testing tools that incorporate proxies and bots. The goal of the cred stuffer is to find valid credentials - ones that successfully access the target system.
Why does it work?
Credential stuffing works because people use the same username and password combinations on multiple sites. A valid credential at one site is likely to be valid at one or more other sites.
Cred stuffing is effective because it is relatively easy to deploy on a large scale and can be difficult for targeted organizations to detect. It can appear to be a temporary distributed denial of service (DDoS) attack. Cred stuffing attacks leverage botnets and automation tools with “IP hopping” capabilities, so the traffic comes from many sources and the attack is harder to detect. Most companies don’t use fraud detection tools at login and won’t recognize a cred stuffing testing event as “bad” unless it ends in a loss event or Account Takeover (ATO) for them.
“While DDoS attacks may persist for reasons that defy logic, stuffing attacks only persist for one reason: Because they are successful at monetizing validated credentials with an acceptably low corresponding effort.” Lawrence Baldwin, CIO myNetWatchman
Why do criminals do it?
The short answer is because it's profitable. Credential stuffing attacks are successful at monetizing validated credentials with an exceptionally low corresponding effort.
Low input costs - Creds are cheap and readily available on the dark web from data breaches, phishing attacks, or keylogging malware. The supply of creds is literally in the billions. Additionally, cred stuffing automation tools are available for criminals who don’t want to create their own.
A lot can be done with little effort - An automation or bot can run thousands or millions of credentials in a relatively short amount of time. Some criminals also automate password iterations, like adding digits to the end of a current password to generate additional passwords. Think your site is protected by that password policy that forces a number? A cred stuffing bot can be designed to append a “1” at the end of each known compromised text-only password, for example.
Easy to monetize - The cred stuffer can use the successful credentials themselves to commit various types of ATO related fraud, like siphoning stored value, stealing other user data, fraudulent purchasing, funds transfer, etc. Cred stuffing increases the value of the inexpensive creds they purchased on the dark web. Or they can act as a middleman, simply selling the successful credentials to other criminals at a higher price for the guarantee of success.
“The main reason cred stuffing works is because people use the same username and password on multiple sites. A valid credential at one site is highly likely to be valid at another site.” Lawrence Baldwin, CIO myNetWatchman
Even though the success rate of credential stuffing is low (typically less than 1%), the low entry costs, high volume of playable credentials, and high usefulness of a valid credential make the effort worthwhile. Think of cred stuffing as a way to add value to a massive data set of stolen creds by providing a smaller set of stolen creds that are active and knowing where to use them.
Organizations should be looking for credential stuffing attacks to keep accounts safe and limit damage from potential ATO. myNetWatchman’s web monitoring service alerts companies when live credential testing is seen on their site, not just notifying them that it is happening but specifying which accounts are being impacted. This is valuable and actionable information about credentials that are being presented in real time, not just credentials known to have been compromised in a breach.
In the small client case study below, you can see the criminals’ tactics and how credential re-use by individuals helps them.
Identifying Credential Stuffing
Many organizations don’t realize credential stuffing is an issue because they don’t recognize that it’s occurring. Symptoms include a high volume of unsuccessful login attempts, a large number of successful logins followed by no subsequent activity, as well as tumbling and swapping attempts. Tumbling involves slight variations to the password on subsequent login attempts, such as trying “Qwerty1”, “Qwerty123” and other variations after the compromised password “Qwerty” did not work.
A high volume of successful logins followed by no further activity is likely to stay under the radar for most organizations, but it is indicative of a criminal actor testing credentials to sell on the dark web to others. Alternatively, an organization might see a short series of actions after a successful login, such as visiting the user profile or edit-user-details page to scrape other information stored there, such as name, phone number and physical address.
Organizations should not assume that credential stuffing is not occurring just because they haven’t actively looked for signs of it. Even when actively looking, these signs can be difficult to uncover. It is critical to know when credential stuffing is happening and on which accounts. Organizations that do not have detection or mitigation strategies in place should consider a cybercredential assessment.
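The three symptoms described above (many failed logins from one source, successful logins with no follow-on activity, and tumbling of a password stem) can be checked mechanically. The following is an added illustration, not myNetWatchman’s product logic; the login events are constructed, the thresholds are illustrative assumptions, and the tumbling check assumes it runs inside the authentication handler, where the attempted password is briefly available in memory.

```python
from collections import defaultdict

# Constructed events for one monitoring window:
# (seconds, source_ip, username, outcome, followed_by_account_activity)
EVENTS = [
    (0, "203.0.113.5", "alice", "fail", False),
    (1, "203.0.113.5", "bob", "fail", False),
    (2, "203.0.113.5", "carol", "success", False),   # login, then nothing
    (3, "203.0.113.5", "dave", "fail", False),
    (4, "203.0.113.5", "erin", "success", False),    # login, then nothing
    (5, "203.0.113.5", "frank", "fail", False),
    (30, "198.51.100.7", "alice", "success", True),  # ordinary user session
]


def flag_sources(events, min_attempts=5, min_users=4):
    """Return source IPs whose login pattern matches credential testing:
    many attempts spread over many distinct usernames, and either a high
    failure ratio or successes that are never followed by activity.
    Thresholds are assumptions for illustration, not tuned values."""
    per_ip = defaultdict(list)
    for _t, ip, user, outcome, active in events:
        per_ip[ip].append((user, outcome, active))
    flagged = {}
    for ip, rows in per_ip.items():
        if len(rows) < min_attempts:
            continue
        users = {user for user, _, _ in rows}
        fails = sum(1 for _, outcome, _ in rows if outcome == "fail")
        idle_ok = sum(1 for _, outcome, active in rows
                      if outcome == "success" and not active)
        if len(users) >= min_users and (fails / len(rows) > 0.5 or idle_ok):
            flagged[ip] = {"attempts": len(rows), "distinct_users": len(users),
                           "fails": fails, "idle_successes": idle_ok}
    return flagged


def is_tumbling(attempts):
    """True when consecutive failed attempts for ONE account are variations of
    a stem, e.g. Qwerty -> Qwerty1 -> Qwerty123. Compared case-insensitively;
    a short suffix or prefix difference counts as a variation."""
    for prev, cur in zip(attempts, attempts[1:]):
        a, b = prev.lower(), cur.lower()
        related = a != b and (b.startswith(a) or a.startswith(b))
        if related and abs(len(a) - len(b)) <= 4:
            return True
    return False
```

Run against EVENTS, `flag_sources` reports only 203.0.113.5 (six attempts across six usernames, four failures, two idle successes) and leaves the single ordinary login alone.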
Stuffing is costly to the targets
Credential stuffing can harm organizations with direct financial losses through fraudulent transactions, theft of intellectual property, or ransom demands for stolen data. The brand risks and loss of customer lifetime value associated with account takeover resulting from cred stuffing are difficult to quantify, but undoubtedly large. There are likely other indirect costs associated with incident response, legal fees, and regulatory fines. “The Ponemon Institute's Cost of Credential Stuffing report found that businesses lose an average of $6 million per year to credential stuffing in the form of application downtime, lost customers, and increased IT costs.” (Business guide for credential-stuffing attacks, New York State Attorney General)
Users whose valid credentials were obtained through stuffing can suffer in many ways from account takeover (ATO). Depending on the account taken over, criminals can steal stored value or gift cards, commit identity theft with stolen personal information, or create fraudulent transactions of all types. Consumers may also lose confidence in the provider because of the frustration of dealing with ATO, or may blame the provider for poor security practices.
Mitigating credential stuffing attacks is a way to protect consumers against themselves and their tendency to reuse creds across multiple sites. Consumers tend to conflate the issues or are unaware of the breach that compromised their creds initially, instead focusing that blame on the account or organization that allowed unauthorized access to their account.