Credential Stuffing: a Successful and Growing Attack Methodology

With a database of 1 million stolen credentials, criminals using a credential stuffing attack with a tool such as Sentry MBA could expect to compromise roughly 10,000 accounts on a targeted but uncompromised site. In 2016, 3.3 billion user credentials were spilled onto the internet, according to figures from Shape Security’s just released 2017 Credential Spill Report.

Credential theft occurs when attackers breach a system and steal users’ access credentials — usually ID and password. The ID is most commonly the user’s email address. Credential spilling is when those credentials are made available to other criminals. Credential stuffing is the large scale use of automated means to test stolen passwords against other unrelated websites.

It is made possible because of the tendency for users to recycle their passwords for multiple accounts. This means that if criminals can crack stolen passwords from one account, they have legitimate credentials that have quite likely been used on other accounts. 

Consider the two Yahoo breaches reported in 2016. A total of 1.5 billion credentials were spilled to the Internet, protected by the weak MD5 hashing algorithm. The thefts took place in 2012 and 2013, giving the criminals up to four years to crack weak protection. Occurrences like this mean that criminals have vast troves of legitimate user credentials — and user password recycling means that many will have been used on other accounts. “The sheer scale of the credential theft and also the prevalence of Yahoo users’ accounts suggests that these stolen credentials have been benefiting cybercriminals over the past few years,” suggests the Shape report (PDF).

Simple brute force testing to discover where spilled passwords may have been reused is easily defeated. Web sites invariably have defenses that will detect repeated login attempts from the same IP address, or multiple failed attempts at the same account — and simply block them.

Now consider credential stuffing. The term was coined by Shape Security co-founder Sumit Agarwal when he was serving as Deputy Assistant Secretary of Defense at the Pentagon. It is the combination of source credentials, an attack tool such as Sentry MBA, and a botnet delivery method. Sentry MBA cycles through the botnet to probe a target website with the spilled credentials. Since each IP within the botnet tries only one credential attempt at a time, there is nothing at the target end to suggest anything different to a normal user login attempt — which either succeeds or fails. Even if an attack is suspected, Sentry MBA has moved on to the next botnet IP and blocking the suspect IP has no effect.

Sentry MBA provides various techniques to defeat other defenses — such as built-in optical character recognition to solve CAPTCHA challenges.

Shape’s figures suggest that the criminal return on credential stuffing can be anything between 0.1% and 2%. This implies that for every 1 million stolen credentials used by the criminals, an average of 10,000 accounts could be accessed because of user re-use of passwords.

Credential stuffing is not an arcane attack method — it is widely and increasingly used. For example, Shape reports, “In one week, cybercriminals made over five million login attempts at a Fortune 100 B2C website using multiple attack groups and hundreds of thousands of proxies located throughout the world.” On another occasion, “During one day, a large retailer witnessed over 10,000 login attempts using over 1,000 proxies.”

Nor are stolen credentials difficult to find. Some are simply dumped on the internet, given away free by hackers who hack for fun, or by others wishing to build a reputation. That reputation is necessary to gain access to, and do business on, some of the dark web credential marketplaces such as Cracking-dot-org, Crackingking-dot-org and Crackingseal-dot-io.

The result is an attack methodology that is easy and effective, and can be operated by any person with just the merest of technical skills. It involves just five steps: obtain the stolen credentials; choose a target; create an automation script to recognize whether the login attempt succeeds or fails; use a configurable credential stuffing tool such as Sentry MBA that can bypass controls such as WAF and CAPTCHA; takeover accounts and steal assets.

Shape Security is predicting that credential stuffing will become a major issue during 2017 as the 3.3 billion credentials spilled in 2016 (there may be more that we don’t yet know about) work their way through the criminal system. The ultimate solution to the problem is simple: users must never reuse existing passwords. Ensuring that has so far been beyond both business and the security industry. In the meantime, business must seek other methods to protect against this growing threat.

Shape Security emerged from stealth mode in January 2014. One month later it announced that it had raised $40 million in a Series C funding round. In January 2016 it raised a further $25 million in a Series D funding round.