Credential stuffing is a growing threat. It is not new, but for many companies it is treated as annoying background noise that can be absorbed by bandwidth, handled by access controls, and ignored. New figures suggest that this is a bad approach.
Credential stuffing typically uses bots to test many hundreds of thousands of stolen credential pairs against fresh targets. It doesn't afford a high return for the attacker, but it is a low cost, low risk attack that occasionally hits the jackpot. The attacker is relying on users' habit of reusing the same password across multiple accounts.
It isn't clear exactly where the credentials come from -- but there have been dozens of major breaches, hundreds of minor breaches, and an unknown number of unreported breaches over the last few years -- and we know that criminals aggregate stolen databases and sell them on. We are usually told that stolen passwords have been hashed; but since credential stuffing can only happen with plaintext passwords, either some of the databases were never hashed, or that hashing is not as secure against cracking as we would like to believe.
Organizations can impose 'browser checking' controls at the data center to block bad bot attacks -- but such controls require complex to-ing and fro-ing between the visitor and the website that can introduce disturbing latency for the visitor. Given web surfers' well-documented impatience when attempting to access a site, many organizations simply don't bother, and rely on bandwidth to absorb any malicious login attempts rather than impose unwanted friction on genuine visitors.
There are third-party companies that sit between the visitor and the website and filter out credential stuffing bad bot attacks. The closer these filters are to the location of the visiting IP, the smaller the latency introduced. Akamai is one of these -- and has published statistics on current levels of credential stuffing experienced from some of its customers.
Financial and retail sectors are the most targeted simply because that's where the online money is to be found. In its 'State of the Internet/security -- Credential Stuffing Attacks' report (PDF), Akamai focuses on the experiences of just two financial sector customers. The first is a very large financial services institution, while the second is a much smaller credit union bank.
"Credential Stuffing is growing fast," Rich Bolstridge, chief strategist for financial services at Akamai Technologies, told SecurityWeek. "In March and April 2018 we logged over 6 billion malicious login attempts. By May and June, this had risen to more than 8 billion attempts."
The attacks themselves tend to be low and slow to try to avoid tripping security alerts, or they can be simply volumetric mass attacks. Both example customers had received large scale attacks. "The large financial services institution suffered a major attack -- over 350,000 login attempts in one afternoon. They're accustomed to high volumes of real users coming to the site, but this was just an outrageous amount," said Bolstridge
The smaller credit union had a lesser attack, but one that still had a major effect on traffic volumes. "The credit union usually receives close to a thousand good logins per hour, but during this attack they saw a ten-times spike in that volume -- over 8000 attempted logins per hour that were malicious."
Some customers find themselves under multiple simultaneous attacks. Bolstridge described one example where the customer investigated a suspected stuffing attack only to find that three separate bots were attacking at the same time.
It isn't clear why attacks can be set as high as the one against the financial services institution. Some attacks do short bursts polling around multiple targets in order to stay under the radar -- but an attack of 350,000 attempted malicious logins in one afternoon will automatically attract the attention of admins. The site will immediately be on alert to the potential for financial fraud following the login attempts, should one or more be successful. It may be that the attack itself is merely to find validated credential pairs that can be sold on in the criminal forums. There is no immediate intent to make use of the credentials, but they are sold to criminals who will do so at a later date.
Or it could be that the attackers simply don't know how to control the bot to deliver low and slow. Either way, a large credential stuffing attack can get perilously close to a DDoS attack.
"I think the real impact to an institution is twofold," explained Bolstridge. "Firstly, it's the sheer volume of the attacks. For example, with the large financial institution, the volume got so high that it impacted the performance of the website as a whole; and therefore the user experience for all genuine users. In some cases, our customers have reported that it can actually impact availability when things get really out of hand. In a sense, these attacks are getting like a DDoS." So, user experience and availability are problems from major stuffing attacks.
"The second problem," he continued, "is the potential impact to the organization as a whole. If fraudulent money movement follows a successful malicious login, incident detection, remediation and response become a huge distraction to the business as a whole."
One solution to the problem would be the use of cloud-based bad bot blockers, such as Akamai's own Bot Manager. But Bolstridge would also like to see improved threat information, especially within the finserv sector. Some information sharing already exists, but it is largely confined to the major banks and institutions. He would like to see this expanded to include the smaller institutions.
"Without the larger institutions sharing their own threat information with the smaller ones," he told SecurityWeek, "the smaller ones may never know that they are under a low and slow credential stuffing attack. The larger banks do talk to one another -- but this needs to be expanded to general threat information sharing across the whole sector."
Related: Credential Stuffing: a Successful and Growing Attack Methodology
Related: Spring 2018 Password Attacks