Credential stuffing attacks are causing havoc for businesses worldwide. Potentially causing both reputational damage and a huge loss of money, such attacks involve cybercrooks exploiting stolen credentials and are one of the fastest-growing digital threats faced by businesses today.
Understanding how credential stuffing works is the first step in guarding against this cyber threat. Below, we’re going to explore this and discover the best ways businesses can take back power and defend themselves.
What Is Credential Stuffing?
In a credential stuffing attack, cybercriminals use stolen usernames and passwords (typically harvested from previous data breaches) to access accounts on other platforms. Crooks understand that many people use the same credentials across multiple platforms and websites, and take advantage of this to gain unauthorized access. Our very human habit of reusing passwords is proving a goldmine to committed credential stuffers.
Attackers use bots to crack login forms and pages and, once they’re in, run riot. This could mean cybercriminals getting hold of an individual’s financial and banking information, sensitive business information, or messages exchanged between parties.
Credential stuffing is so dangerous, in part, because a low-security, easily crackable account could be targeted, and the information gleaned used to access a much more valuable platform, such as an internal business system or retail wallet.
Huge, well-known companies have been targeted by credential stuffing attacks. These include Uber, which suffered a serious data breach via this method in 2016, and UK cosmetic retail giant Superdrug, which was hit in 2018 with a credential stuffing attack that affected hundreds of customers.
How Do Credential Stuffing Attacks Work?
Credential stuffing attacks typically rely on one of two tactics: discovering an individual’s log-in details by hacking another platform, or flooding a log-in portal with millions of attempts to gain access. In the latter case the vast majority of attempts will be unsuccessful, but just a handful of hits getting through can be catastrophic to those whose accounts are wrongfully accessed.
Such an attack usually unfolds like this:
1) Attackers gain access to leaked credentials, obtaining usernames and passwords from previous breaches, whether committed by themselves or by other cybercriminals.
2) Automation tools are used to build bot software that attacks log-in pages or APIs.
3) Spoofing tactics are deployed to avoid detection. Bots simulate real user behavior to trick the target platform.
4) Targeted logins are made to flood login forms in an attempt to find a username and password match.
5) Targeted account takeover now occurs, with attackers gaining access to the account.
6) Secondary exploitation is a further risk. For example, compromised emails or business tools may provide the access key to sensitive data or open the door to more damaging attacks.
Sometimes, credentials are stolen to sell on, usually on the dark web. The price of credentials varies, with some considered low value, even sometimes available for free. It sounds unbelievable, but some cybercriminals sell credentials with a warranty, which serves as a guarantee they will work. If they don’t, the crook sends out a replacement to the buyer.
How Credential Stuffing Can be Catastrophic for Businesses
For the individuals affected by a credential stuffing attack, the damage can be significant. But for businesses, the impact can be truly catastrophic. The chaos may include:
- Reputational damage
- Operational disruption
- Risk of falling foul of regulation
- Negative publicity
- The expense of putting things right
The picture’s no doubt becoming clear – a business cannot afford to ignore the risk of credential stuffing. There’s a double threat. An organization could be targeted for the initial “harvesting” of data, or could be attacked using the nefariously collected information to access other information. Such attacks can also form part of a wider offensive, meaning your business could end up fighting a war on multiple fronts.
If you need any more convincing of the severity of the threat, note that it’s estimated that credential stuffing attacks cost businesses in the US over $5 billion a year, and this rate is climbing steeply.
How to Defend Against Credential Stuffing
Taking preemptive action is the best way for a business to stay safe from the threat of credential stuffing. There are easy, common-sense steps that everyone – individuals and organizations alike – can take to mitigate the danger. These include using strong passwords and never reusing log-in details across multiple platforms.
For businesses, deploying MFA (multi-factor authentication) and CAPTCHA processes is vital, as these are the first line of defense against a variety of cybercriminals. Paying attention to website traffic and user behavior provides additional protection. This can be an effective way to spot suspicious activity, such as multiple login attempts from a single IP address over a certain time frame, or one IP address trying many different usernames. Deploying rate limiting and blocking suspicious IP addresses can fend off any potentially harmful activity.
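The traffic monitoring described above, as an added example that is not part of the original article: a small Python detector that reads a constructed login log and flags source IPs that either fail too often or try too many distinct usernames within a sliding window. The log format, thresholds and sample addresses are assumptions chosen for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of an application login log (assumed format, not from the article):
# "<ISO timestamp> <client IP> <username> <result>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 alice FAIL
2024-05-01T10:00:02 203.0.113.7 bob FAIL
2024-05-01T10:00:02 203.0.113.7 carol FAIL
2024-05-01T10:00:03 203.0.113.7 dave FAIL
2024-05-01T10:00:04 203.0.113.7 erin OK
2024-05-01T10:00:05 203.0.113.7 frank FAIL
2024-05-01T10:00:10 198.51.100.4 alice FAIL
2024-05-01T10:00:20 198.51.100.4 alice OK
2024-05-01T10:05:00 192.0.2.9 bob OK
"""

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result

def detect_stuffing(log_text, window=timedelta(seconds=60), max_failures=5, max_users=3):
    """Return {ip: reason} for source IPs whose login pattern looks like credential stuffing.

    Two signals, each evaluated over a sliding time window per source IP:
      * more than `max_failures` failed logins, or
      * attempts against more than `max_users` distinct usernames.
    The second signal separates stuffing (many accounts, one leaked password each)
    from classic brute force (one account, many password guesses).
    """
    recent = defaultdict(deque)   # ip -> (timestamp, user, result) entries inside the window
    flagged = {}
    for raw in log_text.splitlines():
        ts, ip, user, result = parse_line(raw)
        q = recent[ip]
        q.append((ts, user, result))
        while q and ts - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        failures = sum(1 for _, _, r in q if r == "FAIL")
        users = {u for _, u, _ in q}
        if ip not in flagged:
            if len(users) > max_users:
                flagged[ip] = f"{len(users)} distinct usernames in {window}"
            elif failures > max_failures:
                flagged[ip] = f"{failures} failed logins in {window}"
    return flagged

if __name__ == "__main__":
    for ip, reason in detect_stuffing(SAMPLE_LOG).items():
        print(f"rate-limit candidate {ip}: {reason}")
```

A successful login (such as the `erin OK` line) coming from an already flagged IP is the account to treat as a likely takeover and force through MFA or a password reset.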
The most effective way of guarding against credential stuffing, however, is via specialist software. These solutions typically monitor all incoming traffic to detect and disable threats, and can help ensure an organization remains compliant, too. The best types of such software adapt to emerging threats in real-time, to provide robust, intelligent protection.
Popular Tools to Prevent Credential Stuffing
DataDome
Best for: Organizations seeking intuitive AI tools to protect against cybercrime.
Designed to offer a holistic solution for an organization’s cybersecurity needs, DataDome provides real-time protection and in-depth reports and is easily scalable. This tool continuously learns, making it a formidable force in both adapting to and detecting threats.
Imperva
Best for: Comprehensive malicious bot protection for developers
Imperva’s bot management solution provides multi-layered protection to both apps and websites. The platform’s CDN can enhance web performance and has been designed for developers.
SentinelOne
Best for: Businesses that want a managed solution
For businesses seeking a managed cybersecurity solution, SentinelOne could be the answer. The company’s 24/7 managed threat services give visibility into threats and deliver excellent endpoint coverage.
Norton 360
Best for: Robust virus and malware protection.
Norton 360 is one of the longest-established names in the cybersecurity sphere, and offers a range of solutions and suites to suit all types and sizes of organizations. The recently launched Scam Genie provides additional AI-powered protection.
Fortinet
Best for: Businesses wishing to secure their AI systems and models.
Efficiency and speed are the watchwords of Fortinet, which operates via a single-vendor SASE. Fortinet boasts a global cloud network to deliver an automated, intelligent, and converged security solution.
Hornet Security
Best for: Protecting systems using Microsoft 365.
For Hornet Security, educating and empowering users about the ever-changing roster of cybersecurity threats is key. This platform focuses on providing protection for the Microsoft 365 environment and raising awareness of online dangers.
Ping Identity
Best for: Management access and associated security systems
Ping Identity has a wide range of use cases, and offers a comprehensive cybersecurity toolkit, too. A variety of detection techniques are deployed 24/7, which can be integrated across multiple services.
Make Protecting Your Business from Credential Stuffing a Priority
All over the world, cybercriminals are using credential stuffing to get hold of individuals’ and organizations’ login details to access their accounts, platforms, and systems. The damage this can cause could be virtually limitless, with businesses suffering catastrophic reputational loss or having their most sensitive data hacked. To make matters worse, such attacks can form part of a wider account takeover or phishing scam, inflicting yet more damage.
While these attacks may cost dearly (and not just in terms of money), there are plenty of things organizations can do to secure their digital assets and keep cybercrooks at bay. As well as taking some easy steps, such as deploying multi-factor authentication and CAPTCHA processes, it’s vital to use security software specifically designed to identify and respond to online attacks. Combining these approaches fortifies your business’s digital defenses, making them virtually impossible for a cybercriminal to scale.
