Skip to content ↓ | Skip to navigation ↓

Recently, the Securities and Exchange Commission’s exam division issued a Risk Alert (the “Alert”) where it carried out several targeted cybersecurity investigations. The agency is now concerned with how there’s been an increase in a specific type of hack known as “credential stuffing.“

This cyberattack involves using stolen credentials to log into web-based systems and issue the unauthorized transfer of client funds.

In this article, we’ll go into greater detail about credential stuffing and discuss ways to help you detect and prevent this type of attack.

What do we mean by “credential stuffing attacks”?

Credentials stuffing involves malicious hackers obtaining user credentials through breaches and then using the compromised data to get access to a system. It’s a very effective cyberattack method that uses automation and scaling bots.

Cybercriminals take advantage of the fact that users tend to use the same usernames and passwords across multiple services. This assumption is right to some extent. According to stats, approximately 0.1-0.2% of breach credentials can lead to a successful login when tried from another service.

Over the years, the security community has witnessed the appearance of several sophisticated bots that can simultaneously attempt multiple logins – each originating from other IP addresses. The fact that they can break through straightforward security measures, such as prohibiting entry from IP addresses that has too many failed logins, makes it a significant threat for us.

It’s also why adopting a multi-layer approach has become a necessity when it comes to ensuring software security and keeping critical data safe. For example, you can invest in DAST security tools or the act of running your applications on a web server with the purpose of locating any vulnerabilities as the application is being run. The availability of massive databases of breach credentials is another vulnerability you should consider.

How do credentials stuffing cyberattacks work?

Credentials stuffing has a very similar pattern to a brute force attack, but there are several key differences, as well.

While the latter is likely to succeed when users choose easy-to-guess passwords, the former is much more sophisticated since it takes advantage of users sharing passwords – even when they’re strong – across services, which leads to a compromise.

To carry out large-scale credentials stuffing attacks, the malicious hacker uses a bot that can fake different IP addresses and enter into multiple user accounts automatically in parallel.

They follow this up by executing an automated process to check whether the compromised user credentials work on multiple websites in parallel. This, in turn, allows them to eliminate the need to log into a single device several times.

For every successful login, the cybercriminal can get access to personal information, credit card information and other useful data from the hacked accounts. Additionally, they can either keep the personal information to use it in the future (commonly to launch more elaborate phishing attacks) or carry out other unauthorized activities through the compromised device.

The most effective way to curb the efforts of bad actors is to adopt a precautionary approach. Online platforms that require a password should carry out routine security checks to identify and patch vulnerabilities like in the case of Zoom.

Warning signs to detect credential stuffing attacks

Credential stuffing is regarded as “the biggest collection of beaches“ where cybercriminals compile hundreds of millions of stolen records and share them for free on hacker forums.

This is precisely why you should be aware of the warning signs as soon as possible. Some of these include the following:

  • Track notable site traffic changes, especially multiple login attempts on multiple accounts within a limited time frame.
  • Find out if there has been a significant increase in site traffic and take note of any recorded downtime caused by it.
  • Carefully analyze use cases when you see a higher than usual login failure rate.

We would also recommend using bot screening to stop the armies of bots sent by malicious hackers. You see, while the above warning signs are a good place to start, it isn’t 100% foolproof. However, when you have a sophisticated screening technology that can easily detect malware on new devices, your chances to prevent cyberattacks grow.

Best practices to prevent credential stuffing attacks

The good news in all this chaos is that you can prevent credentials stuffing attacks – provided you’re aware of the red flags.

Here are a few handy ways to keep your business and customer data fully secure:

Set a strong password

Luckily, people are more open than before to practice good cyber hygiene such as using a VPN to continue secure and anonymous browsing or avoiding spam emails. Despite this, their user password habits still need a lot of improvement.

Start by setting strict password complexity rules for all your password input fields. Using a password manager is vital, as it’s going to sync across all of the devices you have. Choose a strong password that will allow you to access the password manager. Ask your users then to incorporate special characters and numbers. Also, go for longer lengths.

Moreover, if any user’s passwords resemble that of a data breach, you can ask them to create new passwords to avoid any problems in the future. You can also send them useful tips on building stronger passwords when sending emails.

Set up multi-factor authentication

Multi-factor authentication, also known as two-factor authentication, should be enabled on every account, so you should take the necessary initiative to make this function available to users. Doing this will add another layer of security, making it more difficult for cybercriminals to penetrate the system.

Embed security into website design via CAPTCHA

Captcha is an excellent way to differentiate your real users from bots, which is why it can provide the best defense against credential suffering attacks.

That said, we also have to point out that solving CAPTCHAs can be automated, too. Many businesses pay people to solve CAPTCHA by clicking on those traffic light pictures.

To avoid falling prey to automated CAPTCHA solving, you can use reCAPTCHA instead. This is available in three versions:

  • An “invisible“ box, which is displayed only for suspicious users.
  • An “I‘m not a robot“ checkbox.
  • A “V3“ version that can evaluate users on the basis of their behavior and reputation.

Set up a passwordless login, if possible

Once malicious hackers successfully break through your system, they can deny access to your customers, restricting them from using their own resources. Since the entire basis of credentials stuffing lies in obtaining information through password vulnerabilities, why not remove them altogether?

You can use passwordless authentication, which is a much safer way to authenticate users, to ensure more confined access into their accounts.

Implement risk-based authentication (RBA)

RBA calculates a risk report according to a predefined set of rules, which can be related to anything – a login device, user identity details, geo velocity or geolocation, IP reputation, data sensitivity, personal characteristics and so on.

This type of authentication can be useful to curb high-risk scenarios by allowing your customers to use customizable password security.

Wrapping up: Prevention is always better

Cybercriminals are always coming up with creative ways to compromise your data and use them for their personal benefit – whether it’s disguising a malware attack as updates on President Trump’s coronavirus illness or launching new strategies to avoid detection. Credential stuffing is just another variation on the list.

Even if you’ve been secure from the cyber-attack until now, you must take the necessary measures to protect your website by looking for warning signs. Try to avoid using devices that are dependent on residential connectivity and implement required policy updates to raise awareness about this new risk type.


Sam BocettaAbout the Author: Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security with an emphasis on technology trends in cyberwarfare, cyberdefense, and cryptography.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.