Credential stuffing: What it is and how to help protect yourself

It’s bad enough when your personal details are stolen—but worse when they’re then used to break into another of your online accounts. Welcome to the shady world of credential stuffing where cybercriminals arm themselves with stolen credentials to gain forced entry to protected sites like your online bank account. Find out what makes credential stuffing effective and how you could accidentally be helping hackers. Above all, take steps to help protect your devices and digital identity with expert online protection from Avira Free Security.  


What is credential stuffing and why is it a growing problem? 

In simple terms, the name says it (nearly) all: Attackers take credentials stolen from one service and ‘stuff’ those username and password pairs into the login forms of other services, hoping that the same pair works there too. Credential stuffing is a common type of cyberattack that we all need to be aware of. Thankfully, there’s some good news: It’s largely preventable with the right security measures. Understanding how these attacks take place can help protect us.  

So where do cybercriminals get the data they need to launch these attacks? They take a deep dive online, of course. When a company’s systems are accessed without authorisation and its user data is copied, that is a data breach, and the dark web is awash with breached credentials for sale in illicit digital marketplaces. (The best-known of these marketplaces, Silk Road, was shut down in 2013.) You don’t head to these bazaars to buy preloved jackets. In the darkest reaches of the net, business is booming, with literally billions of stolen username and password combinations available as plaintext (i.e. unencrypted, readable text) to hacker shoppers. And the dark net is more than an e-commerce platform: It offers hackers opportunities to network and collaborate as they share tactics and hone their skills. There are entire criminal economic ecosystems down here: Some threat actors specialise in gaining access to accounts, and others in committing fraud once that access is gained.  

Data is new-age gold. As our world becomes increasingly digitised, it provides an endless supply of data and potential victims, giving cybercriminals plenty of opportunities to broaden their attacks. To give you an idea of the scale and scope, here are some of the largest data breaches in recent history:     

What are the mechanics of credential stuffing?  

A typical attack follows this process:  

Step 1: The attacker acquires usernames and passwords via a range of methods—website breaches, phishing or other social engineering attacks, by using an illegal online “dump site” (where millions of user credentials are freely available) or simply buying their wares in a darknet bazaar.  

Step 2: The attacker tests the stolen login credentials on multiple websites (typically social media sites, online marketplaces, banking and other web apps). Doing this manually would take far too long, so they rely on automated tools: scripts, bots or entire botnets that submit thousands of username/password pairs in parallel while routing the requests through proxy networks so that they appear to come from many different IP addresses. Every pair that works gives the attacker access to that account plus a validated set of credentials. 

Step 3: Once the hacker has access, your digital world is their oyster. They can drain accounts of any stored value or make purchases. They might also gain hold of sensitive information such as bank details, a home address and even private pictures or documents. Using this information, they can embarrass or blackmail a victim or steal their identity and act online in their name—even applying for a credit card. Sometimes, threat actors use stolen accounts to send phishing messages or spam, or they’ll simply continue the cycle and sell the valid credentials for other attackers to use.  

Speaking of selling, do you know what your data is worth on the dark net? As of April 2023, details of a credit card with up to 5,000 U.S. dollars on balance could sell for around 110 U.S. dollars according to Statista. A verified Airbnb account goes for as much as 300 U.S. dollars. To you, they’re mere login or personal details; to cybercriminals they’re a lucrative wish list.  

How effective are credential stuffing attacks? 

Remember the tale about giving monkeys typewriters: after a few hundred years of random typing, they will accidentally produce the works of Shakespeare? Credential stuffing is considered one of the most common techniques used to take over user accounts, and the sheer number of attempts means that some will strike gold, even though, statistically, each individual attempt has a very low chance of success.  

According to Shuman Ghosemajumder, formerly Google’s click fraud specialist, credential stuffing attacks have a login success rate of at most around 2%. If those odds don’t sound worth it, consider this: At 2%, one million stolen credentials yield around 20,000 compromised accounts. Also, attackers can simply keep going and run the same list of credentials against numerous different services. All that’s required is time, patience…and the right tooling. Websites sometimes block IP addresses with many failed login attempts. Bots circumvent this measure by spreading their attempts across proxy networks and spoofing browser characteristics, so the traffic looks like ordinary users on many different devices.  

In addition to armies of bots, online users can help fuel attacks with their own poor internet practices. Have you ever re-used passwords? One set of credentials could offer cybercriminals ripe pickings across multiple sites. As long as we’re lazy with passwords, we’re helping to perpetuate the problem.  

A US report by Forbes Advisor, which polled 2000 respondents, revealed the scale of the weak password pandemic: 

Help is at hand. A password manager, like Avira Password Manager, can generate nearly impossible-to-crack passwords and helps store them in a secure online vault. You only need to remember one master password (you can do that) and it does the rest—even filling in your credentials online. Password managers are the indispensable online security tool that can make cybercriminal lives more miserable. Show no mercy and get one.  


Credential stuffing vs other attack methods: What are the differences? 

There are a few hacker scams that involve using or guessing user credentials. Not all are credential stuffing though. See the main differences in how these popular online scams work and what their goals are: 

Credential stuffing vs brute-force attacks 

In a brute-force attack, software systematically tries generated candidate passwords (every possible combination, or a wordlist) against an account until one works. It’s essentially guesswork sped up by automation. Credential stuffing doesn’t guess: it replays username/password pairs that are already known to be valid somewhere else, which is why it needs far fewer attempts per account.   

Credential stuffing vs password spraying 

Credential stuffing takes usernames and passwords that are known to belong together on some online account. Password spraying, by contrast, takes a list of known or guessed usernames and tries a handful of commonly used passwords (think “Password123”) against each of them, keeping the number of attempts per account low enough to avoid lockouts. There’s more guesswork and luck involved in password spraying.  

Credential stuffing vs. account takeovers 

An account takeover is often the final goal after successful credential stuffing has taken place. Once an attacker successfully gains entry to an account using the correct credentials, they can then change the account’s security settings, so the authorised user is locked out.  

Credential stuffing vs. directory harvests 

A directory harvest attack isn’t about stealing credentials; instead, it generates variations of a company’s email address format to guess which addresses actually exist. Software can help speed up this process. The resulting address lists are typically used to send spam.  

Credential stuffing vs. DDoS attacks 

You might not think these are natural bedfellows. A distributed denial of service (DDoS) attack is a malicious attempt to disrupt the normal functioning of a network, service, or website by overwhelming the infrastructure with a flood of internet traffic. Resources are exhausted, causing digital chaos like locking legitimate users out. Sometimes cybercriminals use the cover of a DDoS attack to disguise their credential stuffing attack: When IT security is preoccupied with the flood of traffic, it may miss the (seemingly) random attempts being made to access user accounts. DDoS attacks also share some similarities with credential stuffing: Both rely on botnets to automatically bombard websites. In fact, the infamous Mirai botnet was first used for DDoS attacks and has reportedly since been repurposed for credential stuffing, which proved more profitable.  

How to identify credential stuffing attempts 

Detecting credential stuffing attacks can be a challenge because, individually, the attempts look like normal user activity (or like legitimate users who keep locking themselves out). Watch out for these red flags:   

The hacker endgame, of course, is to avoid suspicion and gain access to user accounts. It’s a balancing act for IT departments: They must provide fast account access with minimal disruption to authorised users while relentlessly monitoring for suspicious behaviour at both the user and application level.  
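Here is an added example, not code from the original article, of how an analyst might hunt for these patterns in authentication logs. It assumes a simple log format (one line per attempt: timestamp, source IP, username, SUCCESS or FAIL); the log lines are constructed for illustration, and the thresholds are assumptions to be tuned against your own baseline.

```python
"""Hunt for credential-stuffing patterns in authentication logs.

Added example, not from the original article.  Assumed log format, one line
per attempt:  <ISO-8601 timestamp> <source IP> <username> <SUCCESS|FAIL>
The sample lines and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: 203.0.113.7 tries one password each at six different
# accounts (typical stuffing); 198.51.100.21 is a user who mistypes twice.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice FAIL
2024-05-01T10:00:02Z 203.0.113.7 bob FAIL
2024-05-01T10:00:02Z 203.0.113.7 carol FAIL
2024-05-01T10:00:03Z 203.0.113.7 dave SUCCESS
2024-05-01T10:00:03Z 203.0.113.7 erin FAIL
2024-05-01T10:00:04Z 203.0.113.7 frank FAIL
2024-05-01T10:00:05Z 198.51.100.20 alice SUCCESS
2024-05-01T10:00:09Z 198.51.100.21 grace FAIL
2024-05-01T10:00:09Z 198.51.100.21 grace FAIL
2024-05-01T10:00:10Z 198.51.100.21 grace SUCCESS
"""


def parse(log_text):
    """Return a list of (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, ip, user, result == "SUCCESS"))
    return events


def suspicious_ips(events, window_seconds=60, min_distinct_users=5,
                   min_fail_ratio=0.5):
    """Flag IPs that, within any window_seconds-long window, attempted at least
    min_distinct_users different accounts with a failure ratio of at least
    min_fail_ratio.  Returns {ip: (distinct_users, failures, attempts)}.

    A human who keeps locking themselves out hits a single account, so they
    are not flagged; a stuffing bot touches many accounts, mostly failing."""
    by_ip = defaultdict(list)
    for ev in sorted(events):          # tuples sort by timestamp first
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until evs[start:end+1] fits
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            users = {e[2] for e in window}
            fails = sum(1 for e in window if not e[3])
            if len(users) >= min_distinct_users and fails / len(window) >= min_fail_ratio:
                flagged[ip] = (len(users), fails, len(window))
    return flagged


def likely_takeovers(events, flagged_ips):
    """Accounts that had a *successful* login from a flagged IP: the bot found
    a working pair, so these need a password reset and session revocation."""
    return sorted({user for _, ip, user, ok in events if ok and ip in flagged_ips})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    bad = suspicious_ips(evs)
    for ip, (users, fails, total) in bad.items():
        print(f"{ip}: {users} accounts, {fails}/{total} failures")
    print("probable takeovers:", likely_takeovers(evs, bad))
```

On the sample data only 203.0.113.7 is flagged (six accounts, five failures) and dave is the one account that needs a forced reset; grace's three attempts on her own account never trip the check, which is the distinction the paragraph above is asking for. In production the same logic is better run against a distinct-accounts-per-source metric aggregated across all IPs, since a real campaign spreads its attempts over many addresses.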

Action required! You can help prevent credential stuffing 

Just as cybercriminals use evolving technology to speed up and enhance their attacks, users and IT departments have a range of cunning tools at their disposal too! We just need to use them. Here is a top pick of essential must-haves to help thwart credential stuffing: 

Multi-factor authentication (MFA): This is considered highly effective at helping to prevent credential stuffing. Users need another form of authentication (such as a one-time code from an authenticator app, a hardware security key, or a biometric check such as a fingerprint) in addition to a username and password to log in, so a stolen password alone is no longer enough. Codes sent by text message are better than nothing but are the weakest option, since they can be intercepted via SIM swapping or phished in real time; hardware keys and passkeys resist that. 

Passwordless authentication: You can’t stuff what doesn’t exist, so this can stop credential stuffing in its tracks. Users forgo the password entirely in favour of a factor that only they hold, such as a passkey or security key unlocked with a fingerprint or face scan.  

Continuous authentication or device fingerprinting: This doesn’t rely on a single login but verifies a user’s identity in real-time while they use an application, analysing, for example, their behavioural patterns and the typical “fingerprint” of their sessions (operating system, time zone, language, etc.). 

Strong passwords and password safety checks: Some applications check a password that a user submits against a database of known compromised passwords before accepting it. As a user, always choose a unique password for every account; length and uniqueness matter far more than forced mixes of upper/lower-case letters, numbers, and symbols, which is why current guidance such as NIST SP 800-63B recommends screening against breached-password lists rather than imposing complexity rules. Regularly check the Have I Been Pwned (HIBP) website. Launched in 2013, it allows internet users to check whether their email address and any associated personal data have been exposed in known breaches.  
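The breached-password check described above can be done without ever sending the password to a third party. Here is an added example, not from the original article, using the k-anonymity range lookup that HIBP’s Pwned Passwords service offers: only the first five hex digits of the password’s SHA-1 leave the client, and the match is made locally. The range data in the script is constructed (invented counts and filler suffixes) so it runs offline; the live fetch helper targets the real `https://api.pwnedpasswords.com/range/` endpoint but is not called by default.

```python
"""Screen a candidate password against known-breached passwords without
sending the password anywhere (k-anonymity range lookup as used by HIBP).

Added example, not from the original article.  The range data below is
constructed so the script runs offline; the counts and the two filler
suffixes are made up for illustration.
"""
import hashlib
import urllib.request

# Constructed stand-in for one range response, in HIBP's "SUFFIX:COUNT" format.
# SHA-1("password") = 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8, so its prefix is
# 5BAA6 and its suffix is the second line.  Counts here are invented.
FAKE_RANGES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",
        "C3C3DA1F2B6A8F0E17A9B1FC3D54A2E5B77:12",
    ]),
}


def fake_fetch_range(prefix):
    """Offline stand-in for the HTTP call; unknown prefixes return no lines."""
    return FAKE_RANGES.get(prefix, "")


def hibp_fetch_range(prefix):
    """Live lookup against the real service (network access required):
    GET https://api.pwnedpasswords.com/range/<prefix>.  Add-Padding makes all
    responses a similar size so an observer cannot infer the prefix's hit count."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch_range=fake_fetch_range):
    """Return how many times the password appears in the corpus (0 if never).
    Padding lines in a live response carry a count of 0, so they never count
    as a hit."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def accept_password(password, fetch_range=fake_fetch_range, min_length=12):
    """Registration/reset policy: reject breached passwords first, then very
    short ones.  No arbitrary symbol rules: length and uniqueness matter more."""
    seen = pwned_count(password, fetch_range)
    if seen:
        return False, f"seen {seen} times in breaches"
    if len(password) < min_length:
        return False, "too short"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "short1", "correct horse battery staple"):
        print(candidate, "->", accept_password(candidate))
```

Swap `hibp_fetch_range` in for `fake_fetch_range` to query the live service. For high-volume sites, HIBP also publishes the full hash corpus for download, so the same suffix match can run entirely on your own infrastructure.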

In addition to “just” helping to generate and store your passwords, Avira Password Manager Pro can alert you if your email has been compromised and shared during a data breach. It also warns you of weak or reused passwords.  

Never using email addresses as user IDs: Credential stuffing relies on usernames being the same across sites. Reuse is almost guaranteed if the ID is an email address, since most people have only a handful (or one!) to choose from. A site-specific username is not a strong defence on its own, but it does mean that a leaked email/password pair cannot simply be replayed as-is.  

These tools are useful in helping IT professionals unmask the bots powering the credential stuffing attack: 

Bot identification technology: Good bot management helps stop these malicious armies from making login attempts without causing friction with legitimate logins. Machine learning algorithms can help identify patterns that differentiate bots from humans and detect spikes in traffic from unknown locations. IT teams often deploy specialised bot detector software.  

CAPTCHA: This requires users to perform an action to prove they are human, like identifying the bicycles in an image. It can reduce the effectiveness of credential stuffing, but beware: Attackers bypass CAPTCHAs by driving headless browsers (browsers with no user interface, so oddly faceless) and outsourcing the puzzles to CAPTCHA-solving services.  

IP blocklisting: Blocking or sandboxing IP addresses seen attempting to log into many different accounts is a useful first line of defence, and IT teams can compare the IPs an account has previously logged in from with the IP of a suspicious attempt. Be aware, however, that attackers routinely rent residential proxy networks, so a single campaign may arrive from thousands of constantly changing addresses, and IP blocking alone will not stop it.  
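To make the limits of IP-based blocking concrete, here is an added example (not the article’s own code) of a login throttle with sliding-window failure counters keyed per source IP and per account, followed by a small simulation of three traffic patterns. The thresholds, window length and the simulated traffic are assumptions chosen for illustration.

```python
"""Throttle login attempts per source IP and per target account, then simulate
three traffic patterns to show what each limit does and does not stop.

Added example, not from the original article.  The thresholds, window and the
simulated traffic are assumptions chosen for illustration.
"""
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failure counters.  allow() is consulted before the
    password is checked; record_failure() is called after a wrong password."""

    def __init__(self, ip_limit=20, account_limit=5, window_seconds=300):
        self.ip_limit = ip_limit
        self.account_limit = account_limit
        self.window = window_seconds
        self._ip_fails = defaultdict(deque)      # ip -> timestamps of failures
        self._acct_fails = defaultdict(deque)    # account -> timestamps

    def _prune(self, stamps, now):
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()

    def allow(self, ip, account, now):
        """Return (allowed, reason)."""
        ip_fails = self._ip_fails[ip]
        self._prune(ip_fails, now)
        if len(ip_fails) >= self.ip_limit:
            return False, "ip throttled"
        acct_fails = self._acct_fails[account]
        self._prune(acct_fails, now)
        if len(acct_fails) >= self.account_limit:
            return False, "account throttled"
        return True, "ok"

    def record_failure(self, ip, account, now):
        self._ip_fails[ip].append(now)
        self._acct_fails[account].append(now)


def simulate(throttle, attempts, start=0.0, spacing=0.1):
    """Replay (ip, account) attempts 100 ms apart.  Every attempt in these
    scenarios uses a wrong password, so each allowed attempt becomes a
    recorded failure.  Returns (allowed, blocked)."""
    allowed = blocked = 0
    now = start
    for ip, account in attempts:
        ok, _ = throttle.allow(ip, account, now)
        if ok:
            throttle.record_failure(ip, account, now)
            allowed += 1
        else:
            blocked += 1
        now += spacing
    return allowed, blocked


def single_source_attack(n=200):
    """Scenario 1: a naive stuffing run, 200 leaked pairs from one IP."""
    return [("203.0.113.7", f"user{i}") for i in range(n)]


def rotating_proxy_attack(n=200, proxies=20):
    """Scenario 2: the same 200 pairs spread across 20 proxy addresses."""
    return [(f"198.51.100.{i % proxies}", f"user{i}") for i in range(n)]


def lockout_prone_user(tries=8):
    """Scenario 3: one forgetful human hammering their own account."""
    return [("192.0.2.5", "grace")] * tries


if __name__ == "__main__":
    for name, traffic in (("single source", single_source_attack()),
                          ("rotating proxies", rotating_proxy_attack()),
                          ("forgetful user", lockout_prone_user())):
        print(name, "-> allowed/blocked:", simulate(LoginThrottle(), traffic))
```

The single-source run is cut off after 20 attempts and the forgetful user after 5, but the rotating-proxy run sails through all 200 attempts: each address stays under the per-IP limit and each account is only tried once, so neither counter ever fires. That is the normal shape of a real campaign, and it is why the aggregate signal (hundreds of distinct accounts failing within seconds, regardless of source) and the device fingerprinting described above are needed on top of IP and account throttles.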

Mere humans need powerful digital protection online 

Ultimately, for all the technology at our disposal to challenge hackers’ attacks, credential stuffing is a symptom of a problem that affects us all: We’re only human and are prone to making poor choices online, like opting for a simple, memorable password (such as the name of our first pet). Help protect yourself from malware, cybercriminals, and even your own online mistakes by choosing multiple layers of trusted online security and privacy. Avira Free Security for Windows comes with a diverse spectrum of features, including an antivirus, password manager, software updater, and VPN. It even helps clean out digital junk for a faster machine. There are variations available for Mac, Android, and iOS too.   


