Editor's note: This is second in a series on credential stuffing, from large-scale breaches through remediation. You can read the first installment here.
Negligence, data breaches and other cyber incidents supply sensitive data cybercriminals will sell on the dark web. Many of the buyers are after very specific data: credentials that give them easy access to corporate and personal accounts.
"The first active step in any cyberattack is gaining an initial foothold," said Joseph Carson, chief security scientist and Advisory CISO at ThycoticCentrify.
Attackers gain their foothold, not through hacks into a network, but by using stolen credentials under the guise of an authenticated trusted employee or third party. Once they gain access, attackers search undetected to find high-valued assets before striking with a more malicious attack, such as malware or ransomware.
"The first step for an attacker deploying ransomware is gaining access to privileged accounts. With a privileged account, they can cause much greater damage forcing the victim into a hard decision on whether or not to pay the ransom," said Carson.
The increase of credential stuffing
In 2020, there were 193.5 billion credential-based attacks, according to Akamai's State of the Internet report. This was a dramatic increase from the 47.7 billion attacks in 2019.
"Once these compromised credentials were in circulation, they were sorted and tested against brands across the internet," the report said.
This is just a fraction of the actual credential-stuffing landscape. It is impossible to see every attack or threat, and credential stuffing is already a stealth attack. The 193 billion number is what Akamai was able to account for in 2020 — the real number is much higher because it's undetected.
Leveraging the attacks
Successful credential stuffing attacks are based on volume. Malicious actors push through many accounts at once and through a trial-and-error principle, they hope to make a direct hit.
"In this method, they utilize specialized software to exploit stolen credentials at very high speed into the sign-in page, which is also known as 'password reuse,'" said Anurag Gurtu, CPO with StrikeReady.
The threat actor can't do it alone; they rely on bots to do the heavy lifting. The bots are able to attempt logins across dozens, hundreds, or thousands of access points at a time, while spoofing IP addresses to avoid detection. They monitor the process for successful login attempts, and they begin the search for valuable data.
"Credential stuffing is a type of brute-force attack in which hackers stuff millions of user ID and password pairs at high velocity into the target website," said Gurtu.
The information around successful hits is collected to use in the future for other credential stuffing opportunities. This is where password-reuse haunts users and companies. Threat actors know these credentials will lead to more successful attacks.
The risks surrounding credential stuffing
Credential stuffing presents different risks. Because it is technically a data breach, all data privacy regulations are enforced. Regulators will fine companies, which could cost millions of dollars. That doesn't include the millions of dollars and hundreds of human working hours needed to remediate the attack. Security and IT teams need to dig deep to truly understand the full impact of the attack and what data was potentially compromised.
There is also brand damage that surrounds any data breach. Large breaches are fodder for national news outlets, but most states (and data privacy laws) require informing consumers if and how their data was compromised.
Once threat actors have any credentials, they theoretically have access to the entire organization, and then they are able to steal valuable or confidential data, according to Bassam Al-Khalidi, founder and co-CEO of Axiad. "Hackers can disrupt a single business and impact society as a whole."
Limiting a cybercriminal's ability to access credentials or using passwordless systems are gaining popularity as prevention, but defending against credential stuffing attacks may require some new arsenal in the cybersecurity toolkit.