Credential Stuffing Techniques & Case Studies
Gaurav Roy
Tech Content Writer | CTO | CyberSec Engineer | Guest Speaker | Author (2x) | National Record Holder | Reviewer | Corp Trainer | SEO | Sr. Tutorial Writer | Video Creator | R&D Head | MIT | LPU | CEH-CHFI-CASE-CCNA-CNSS
For the last two years, reports have kept surfacing that online accounts and their data are being compromised, while the affected firms insist that their own systems have not been breached. The issue has become well known across the IT world and is causing real trouble for companies that store data online. These companies say the fault is not theirs, and technically they are right. The real culprit is the hacking technique known as “credential stuffing.” In this approach, attackers take an immense database of usernames and passwords (often from a single mega-breach of some business) and “stuff,” or feed, those credentials into the login pages of other online services. Because most people reuse the same username and password across many sites, attackers can take one leaked credential pair and unlock a whole range of accounts. Companies and startups such as Nest, OkCupid, Dunkin' Donuts, and the popular video platform DailyMotion have all been victims of credential stuffing attacks.
“Given all of the massive credential dumps that have taken place over the past few years, credential stuffing has turned out to be a serious threat for online services,” says Crane Hassold, a threat intelligence manager at the firm Agari. Since most people do not change their passwords regularly, the path for credential stuffing is that much smoother.
Craze for Credentials
Hackers are always hungry for sensitive information and credentials. Credential stuffing has grown into a serious problem in recent years; it took off in a big way when the seminal breaches of LinkedIn and Dropbox in 2012 and Myspace in 2013 put huge credential sets into circulation. The technique is now in fashion in the criminal world and needs to be countered by online user awareness. Once such an attack is done, hackers post an even larger, aggregated credential collection that combines data from several breaches. The wildest of these was the “breach of breaches,” which totaled 2.2 billion unique username and password combinations, leaked and available online for download, and in plain text at that.
Other hackers do not publish these usernames and passwords for download; instead they sell them on the dark web. These are typically accounts tied to digital payment systems, online banking, PayPal and Paytm. Such compromised credentials are sold in bulk, and demand for them on the deep web criminal market is remarkably high.
The concept of credential “collections” is only a few years old, which means a great many of them are by now in broad circulation. Many hackers today automate credential stuffing using botnets, feeding the bots the stolen credentials so they can take control of the victims' accounts. These bots are programmed in a very sophisticated way and planted skilfully on different zombie systems, turning those systems into remote-controlled tools.
Another notable attack supplied exactly this kind of fresh, high-quality credential breach. The compilation comprised approximately 841 million records, released in three sets, from 32 different web services including MyFitnessPal, Whitepages, MyHeritage and others. The first part of the dump carried a price tag of about $20,000 in Bitcoin, the second about $14,500, and the third approximately $9,350. This fed credential stuffing directly: much of the users' sensitive data was taken and tried on other sites, where it worked, and the passwords were not even properly encrypted.
You may already have guessed that credential stuffing depends on automating the feeding of IDs and passwords into login systems. Hackers do not type hundreds of millions of credentials into hundreds of sites by hand. They write an application (as mentioned in the previous paragraph) that pulls the data from a database of stolen usernames and passwords, or alternatively connects to a compromised server holding such a database. The application is then instructed to run the stuffing attack by feeding massive numbers of login attempts to the target sites, spreading them across different IP addresses, because web services have basic rate-limiting protections in place that block floods of activity that look automated or destabilising.
Cybercriminals obtain these credential stuffing tools from malicious platforms and free hacking tool sites. The tools are smart enough to bounce requests around the web and craft them so they appear to come from many different IP addresses. They can also manipulate the properties of the login requests to make them look legitimate, as if they came from a varied set of genuine browsers on different systems, since most websites are programmed to treat large volumes of traffic from a single browser type as suspicious. Another notable feature of credential stuffing tools is that they can even integrate automation to bypass CAPTCHAs.
Even with automated tools, attackers need hundreds of thousands or even millions of credential pairs to run a credential stuffing attack productively. Once this mass campaign has gotten the criminals into some accounts, they then find manual ways to monetise whatever data or funds they find there: stealing more personal data (photos, images, conversations, credit card details, phone numbers, money and bank details, and so on) to blackmail the victim or otherwise gain leverage.
Secure Yourself
The best protection against credential stuffing is to use a distinct, meaningless password for each of your digital accounts, which a password manager makes practical. Also turn on 2-step verification, also known as 2-factor authentication, for your email and social networking accounts. The security of your digital assets is not only on you; companies, too, are increasingly concerned with detecting and blocking credential stuffing. Some large companies have started proactively checking whether users' credentials have turned up in breaches and triggering password resets when they find a match. You cannot stop automated credential stuffing tools, but you can add layers of security such as 2-factor authentication and anti-malware software to keep from leaking your OTPs and other access credentials.
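The breach check described above, the kind a company runs to decide whether to force a password reset, is shown here as an added example; it is not code from the article or from any of the companies it mentions. The breached-password corpus is a small constructed table, and the lookup follows the k-anonymity range scheme used by public breached-password services: the client hashes locally and sends only the first five hex characters of the SHA-1, so the service never sees the full hash or the password.

```python
import hashlib

# Constructed stand-in for a breached-password corpus (assumed, not a real
# feed).  Real services query a corpus such as Have I Been Pwned's Pwned
# Passwords; the prefix/suffix protocol below is the same k-anonymity scheme.
BREACHED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Summer2019!"]
BREACH_INDEX = {}  # 5-hex-char SHA-1 prefix -> set of 35-char suffixes

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

for _pw in BREACHED_PASSWORDS:
    _h = sha1_hex(_pw)
    BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])

def range_lookup(prefix):
    """Server side: given only the first five hex digits of a SHA-1, return
    every suffix in the corpus sharing that prefix.  The server never learns
    the full hash, let alone the password."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return set(BREACH_INDEX.get(prefix.upper(), set()))

def is_breached(password):
    """Client side: hash locally, fetch the bucket, compare suffixes locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])

def login_decision(password_ok, password):
    """Run at login, the one moment the service sees the plaintext.  A correct
    but breached password is accepted once and immediately forced to reset;
    a wrong password is simply denied, so the check leaks nothing extra."""
    if not password_ok:
        return "deny"
    return "force_reset" if is_breached(password) else "allow"

def accounts_needing_reset(login_events):
    """login_events: iterable of (username, password_ok, password) as seen at
    login time.  Returns the users whose known-good password is in the corpus."""
    return sorted(u for u, ok, pw in login_events
                  if login_decision(ok, pw) == "force_reset")

if __name__ == "__main__":
    # Constructed login events, not real accounts.
    events = [("alice", True, "letmein"), ("bob", True, "x7!Qp-unlikely-pw"),
              ("carol", False, "password")]
    print(accounts_needing_reset(events))
```

The decision is made only when the submitted password has already verified against the stored hash, so the service never needs to keep plaintext passwords to run the check; and because only a prefix leaves the client, the lookup can be delegated to an external breach corpus without handing it the credentials.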
Another approach companies use is to track logins that turn out to be fraudulent and then blacklist the associated IP addresses. This gradually wears down proxy-based attackers who mask their bulk login attempts. Geofences are also set up, because attackers usually operate from another geographic location, so proxy traffic coming from elsewhere can potentially be filtered out.
According to some researchers and security analysts, most credential stuffing uses information acquired from major data breaches. But analysis over the last few years shows a major shift in the credential phishing landscape toward harvesting generic account details that are then 'stuffed' into various websites. Because of this evolution, many companies are not prepared to know the full extent of their credential stuffing risk. While credential dumps from leaks and breaches provide the primary fuel for such mass attacks, cybercriminals can also expand their approach using credential pairs collected from phishing campaigns.
In a recent credential stuffing attack on a productivity and project management company, the company stated that it had seen 30,000 malicious login attempts from various IP addresses within an hour. It immediately began blocking those IP addresses and introduced CAPTCHAs so that automated access to employee accounts could be restricted. Although it is frustrating for companies to accept that their users' or employees' accounts or personal information have been compromised, there is no concrete methodology that can fully protect company accounts, servers or user data from such attacks.
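The detection side of the incident just described, together with the IP blacklisting discussed two paragraphs earlier, can be reduced to a small log analysis. The following is an added example, not code from the article or from the company involved: it parses a constructed auth-log format (assumed for this example, not any product's real format) and separates a credential stuffing burst from a brute-force attack on a single account by the shape of the failures: many distinct usernames, one attempt each, spread over many source IPs. The thresholds are illustrative.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed auth-log format, assumed for this example (no real product's
# format):  <ISO-8601 UTC timestamp> ip=<addr> user=<name> result=OK|FAIL
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) ip=(?P<ip>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse_ts(text):
    return datetime.strptime(text, TS_FMT).replace(tzinfo=timezone.utc)

def parse_line(line):
    """Return an event dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": parse_ts(m["ts"]), "ip": m["ip"], "user": m["user"],
            "ok": m["result"] == "OK"}

def analyse(lines, window_end, window=timedelta(hours=1), min_failures=20,
            min_user_ratio=0.8, min_ips=5, per_ip_limit=5):
    """Summarise login failures in the hour (by default) ending at window_end.

    Credential stuffing looks different from a brute-force attack on one
    account: many distinct usernames, one or two attempts per username, spread
    over many source IPs, with a failure rate close to 100%.  The thresholds
    are illustrative and would be tuned per service.
    """
    end = parse_ts(window_end)
    start = end - window
    fails_by_ip = Counter()             # failed attempts per source IP
    users_by_ip = defaultdict(set)      # distinct accounts each IP touched
    ok_by_ip = defaultdict(set)         # accounts each IP actually logged into
    failed_users = set()
    total = failures = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None or not (start <= ev["ts"] <= end):
            continue
        total += 1
        users_by_ip[ev["ip"]].add(ev["user"])
        if ev["ok"]:
            ok_by_ip[ev["ip"]].add(ev["user"])
            continue
        failures += 1
        failed_users.add(ev["user"])
        fails_by_ip[ev["ip"]] += 1

    user_ratio = len(failed_users) / failures if failures else 0.0
    stuffing = (failures >= min_failures and user_ratio >= min_user_ratio
                and len(fails_by_ip) >= min_ips)
    # Block an IP once it fails too often or touches too many accounts; any
    # account such an IP did get into is a takeover candidate and is forced
    # through a password reset.
    block = sorted(ip for ip in users_by_ip
                   if fails_by_ip[ip] >= per_ip_limit
                   or len(users_by_ip[ip]) >= per_ip_limit)
    reset = sorted({u for ip in block for u in ok_by_ip[ip]})
    return {"total": total, "failures": failures,
            "distinct_failed_users": len(failed_users),
            "distinct_ips": len(fails_by_ip),
            "credential_stuffing": stuffing, "enable_captcha": stuffing,
            "block_ips": block, "reset_accounts": reset}

def sample_log():
    """Constructed sample, not a real capture: normal traffic followed by a
    burst in which six proxies each try five leaked usernames once; one of
    them works because that user reused a password."""
    lines = [
        "2020-04-01T09:05:00Z ip=198.51.100.7 user=alice result=OK",
        "2020-04-01T09:07:30Z ip=198.51.100.7 user=alice result=FAIL",  # typo
        "2020-04-01T09:08:00Z ip=198.51.100.7 user=alice result=OK",
        "2020-04-01T09:20:00Z ip=198.51.100.9 user=bob result=OK",
        "malformed line that the parser must skip",
    ]
    t = datetime(2020, 4, 1, 9, 30, tzinfo=timezone.utc)
    for i in range(6):
        for j in range(5):
            n = i * 5 + j
            lines.append(f"{t.strftime(TS_FMT)} ip=203.0.113.{10 + i} "
                         f"user=victim{n:02d} result={'OK' if n == 13 else 'FAIL'}")
            t += timedelta(seconds=3)
    return lines

if __name__ == "__main__":
    print(analyse(sample_log(), "2020-04-01T10:00:00Z"))
```

Note that the per-IP block rule counts accounts touched, not only failures, so the proxy that happened to succeed on one account is still blocked and that account is queued for reset; a pure failure counter would let the one successful takeover through. Against a single-account brute force the same code flags the IP but does not raise the stuffing signal, which is the distinction a CAPTCHA or rate-limit policy needs.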
So it can be concluded that credential stuffing is both an exasperating and a difficult threat to quash. Readers are therefore urged to diversify their passwords and make them as strong and meaningless as possible, and to enable 2-factor authentication wherever it is available. Users can also complain loudly on social media about web services and platforms that do not offer such security features.
Full-stack Digital marketer | Content strategist | Ecommerce and social media nerd
4 years ago: Very relevant right now while all of us are online so much more. Thanks for posting, Gaurav Roy
Student at Karnataka State Open University
4 years ago: This hacking content is worth reading. Sir, keep posting more
Looking for Freelance Tech Content Writer | Security Professional and VAPT
4 years ago: Great content Sir
Student at Kendriya Vidyalaya Karimganj
4 years ago: Mind blowing sir. Always expect great things from you sir.
AI/ML Researcher & Educator | ATL Mentor of Change (NITI Aayog, Govt of India)
4 years ago: Wonderful share. Your constant effort to share knowledge is always appreciable. Keep doing, keep growing.