Virtual Event Today: Supply Chain Security Summit - Join Event In-Progress

Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Credential Stuffing: a Successful and Growing Attack Methodology

With a database of 1 million stolen credentials, criminals using a credential stuffing attack with a tool such as Sentry MBA could expect to compromise roughly 10,000 accounts on a targeted but uncompromised site. In 2016, 3.3 billion user credentials were spilled onto the internet, according to figures from Shape Security’s just released 2017 Credential Spill Report.

With a database of 1 million stolen credentials, criminals using a credential stuffing attack with a tool such as Sentry MBA could expect to compromise roughly 10,000 accounts on a targeted but uncompromised site. In 2016, 3.3 billion user credentials were spilled onto the internet, according to figures from Shape Security’s just released 2017 Credential Spill Report.

Credential theft occurs when attackers breach a system and steal users’ access credentials — usually ID and password. The ID is most commonly the user’s email address. Credential spilling is when those credentials are made available to other criminals. Credential stuffing is the large scale use of automated means to test stolen passwords against other unrelated websites.

It is made possible because of the tendency for users to recycle their passwords for multiple accounts. This means that if criminals can crack stolen passwords from one account, they have legitimate credentials that have quite likely been used on other accounts. 

Consider the two Yahoo breaches reported in 2016. A total of 1.5 billion credentials were spilled to the Internet, protected by the weak MD5 hashing algorithm. The thefts took place in 2012 and 2013, giving the criminals up to four years to crack weak protection. Occurrences like this mean that criminals have vast troves of legitimate user credentials — and user password recycling means that many will have been used on other accounts. “The sheer scale of the credential theft and also the prevalence of Yahoo users’ accounts suggests that these stolen credentials have been benefiting cybercriminals over the past few years,” suggests the Shape report (PDF).

Simple brute force testing to discover where spilled passwords may have been reused is easily defeated. Web sites invariably have defenses that will detect repeated login attempts from the same IP address, or multiple failed attempts at the same account — and simply block them.

Now consider credential stuffing. The term was coined by Shape Security co-founder Sumit Agarwal when he was serving as Deputy Assistant Secretary of Defense at the Pentagon. It is the combination of source credentials, an attack tool such as Sentry MBA, and a botnet delivery method. Sentry MBA cycles through the botnet to probe a target website with the spilled credentials. Since each IP within the botnet tries only one credential attempt at a time, there is nothing at the target end to suggest anything different to a normal user login attempt — which either succeeds or fails. Even if an attack is suspected, Sentry MBA has moved on to the next botnet IP and blocking the suspect IP has no effect.

Sentry MBA provides various techniques to defeat other defenses — such as built-in optical character recognition to solve CAPTCHA challenges.

Shape’s figures suggest that the criminal return on credential stuffing can be anything between 0.1% and 2%. This implies that for every 1 million stolen credentials used by the criminals, an average of 10,000 accounts could be accessed because of user re-use of passwords.

Credential stuffing is not an arcane attack method — it is widely and increasingly used. For example, Shape reports, “In one week, cybercriminals made over five million login attempts at a Fortune 100 B2C website using multiple attack groups and hundreds of thousands of proxies located throughout the world.” On another occasion, “During one day, a large retailer witnessed over 10,000 login attempts using over 1,000 proxies.”

Nor are stolen credentials difficult to find. Some are simply dumped on the internet, given away free by hackers who hack for fun, or by others wishing to build a reputation. That reputation is necessary to gain access to, and do business on, some of the dark web credential marketplaces such as Cracking-dot-org, Crackingking-dot-org and Crackingseal-dot-io.

The result is an attack methodology that is easy and effective, and can be operated by any person with just the merest of technical skills. It involves just five steps: obtain the stolen credentials; choose a target; create an automation script to recognize whether the login attempt succeeds or fails; use a configurable credential stuffing tool such as Sentry MBA that can bypass controls such as WAF and CAPTCHA; takeover accounts and steal assets.

Shape Security is predicting that credential stuffing will become a major issue during 2017 as the 3.3 billion credentials spilled in 2016 (there may be more that we don’t yet know about) work their way through the criminal system. The ultimate solution to the problem is simple: users must never reuse existing passwords. Ensuring that has so far been beyond both business and the security industry. In the meantime, business must seek other methods to protect against this growing threat.

Shape Security emerged from stealth mode in January 2014. One month later it announced that it had raised $40 million in a Series C funding round. In January 2016 it raised a further $25 million in a Series D funding round.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.