The firehose of security incidents – data breaches, ransomware, and supply chain attacks – often obscures the methods that attackers use to create these incidents. One of the most common is credential stuffing, which is a type of authentication-related attack that leads to account takeovers (ATO) and ultimately theft or fraud.
So, what is credential stuffing? Simplistically, it’s when attackers use credentials obtained from previous attacks to try and log into websites, counting on the fact that people often re-use their passwords on multiple sites or applications. In truth, credential stuffing is one of several common types of authentication-related attacks that also includes brute force and password spraying. The Open Worldwide Application Security Project (OWASP) does a great job of explaining these attacks, but a brief summary follows.
Credential Stuffing
Credential stuffing relies on the fact that people are creatures of habit, and all too often re-use their passwords for multiple web sites and applications. The bad guys know from experience that taking known-good credentials from one website and applying them to another yields reasonable success rates. Credential stuffing is one of the most common methods for performing account takeover (ATO).
Brute Force
As the name implies, brute force is when attackers try many passwords against a single account, hoping to “guess” the right one. Often, the attackers are working from a gigantic list of passwords from a successful phishing campaign or other data breach, commonly-used passwords, or even randomly created values. Automated bots are used to perform these attempts at high speed, as millions of combinations are attempted.
Password Spraying
Password spraying is a different sort of brute force attack in which the attacker repeatedly attempts to use a single password against many accounts. You’ve probably encountered web sites where you are locked out of your account if you mistype your password more than 3 or 4 times in a short period of time. This automated attack recognizes this situation, and only tries the password once, but does so against as many accounts as possible to see where they can get in. Often, common or default passwords are used.
What Happens When Credential Stuffing Succeeds?
Successful attackers can take several different paths. If they’re going to use the account themselves, such as to drain it of stored value or make fraudulent purchases, they will typically change the password to maintain control of the account. Perhaps the account has stored credit cards or other useful associated data. They can use the account as a pedigreed source from which to launch phishing messages or spam. And of course, at the end of the day, these accounts can simply be sold to the highest bidder.
Time is of the Essence
When obtained as part of a dump of stolen data, the credentials need to be validated to establish their value. However, if the credentials are from a known compromise, the impacted organization will typically force a password reset, and the impacted users would be notified, and forced to reset their password. Since the attackers need to gain control of the accounts quickly, they often use login and mobile APIs, which are much faster and easier to automate than using the application user interface.
Why are APIs Frequently Targeted for Credential Stuffing?
Attackers seek out APIs for credential stuffing attacks for several reasons. Applications are still targets for these types of attacks, but there are countermeasures available such as CAPTCHAs which are successful at preventing most credential stuffing attacks (even if they add customer friction and frustration). However, APIs don’t support JavaScript integration for countermeasures such as CAPTCHAs. Additionally, APIs are designed for automation and speed, making them a prime target for attacks like credential stuffing.
Why Aren’t Existing Solutions Preventing Credential Stuffing Attacks?
Most traditional credential stuffing countermeasures either rely on blocking IP addresses the attacks originate from or rely on CAPTCHAs or other methods that introduce customer friction. Attackers are now using large pools of IP addresses to launch attacks from, including residential IP addresses through residential proxies. For most businesses, blocking these IPs or IP ranges is untenable as it would directly affect legitimate business and frustrate customers. CAPTCHAs introduce customer friction and don’t work with APIs. A more intelligent solution that works for applications and APIs is needed.
The Cequence Approach
Rather than rely on IP-based blocking, friction-inducing CAPTCHAs or other inline JavaScript, or mobile SDKs that have to be integrated into the app and retested, Cequence uses Threat and Entity Behavior Analytics to identify and track automated attacks such as credential stuffing. While the IP address is a factor, Cequence combines that information with additional intelligence about the attacker’s infrastructure (e.g., Bulletproof or residential proxies), tools, and credentials to accurately identify attacks without affecting legitimate customer traffic. Once the attackers are identified, Cequence provides several options for mitigation including logging, tagging, rate limiting, deception, and blocking.
Read a case study to learn how Cequence blocked over 500,000 account takeover attempts as a result of credential stuffing and saved over $1.6 million in potential account losses at a large, national pizza chain. If you’re ready to learn how Cequence can help your business, reach out and schedule a call with us.
Sign up for the latest Cequence Security news
By clicking Subscribe, I agree to the use of my personal data in accordance with Cequence Security Privacy Policy. Cequence Security will not sell, trade, lease, or rent your personal data to third parties.
