Credential stuffing: When DDoS isn’t DDoS
Ten years ago, credential stuffing attacks posed a comparatively minor threat, but with an escalating number of data breaches, the threat posed has now increased. What are the solutions to this very human problem?
Credential stuffing attacks are driven by a tendency for people to use matching passwords between multiple online accounts. Despite the risk posed by this habit, it remains a common occurrence. In a survey of 3,000 people, Google found that just over a third of respondents used a different password for all their accounts, while just over half used the same password across multiple accounts and 13% used the same password for all their online accounts.
Credential stuffing shares many similarities with distributed denial of service (DDoS) attacks. The Mirai botnet was first used for DDoS attacks, but was later repurposed for credential stuffing (and other variants), as it proved more profitable. Both DDoS and credential stuffing rely on botnets to automate the bombardment of websites.
“Instead of randomly generating multiple password guesses against a service (as in a brute force attack), credential stuffing exploits people’s tendency to re-use username and password combinations,” says a spokesperson for the National Cyber Security Centre.
“Along with password spraying, credential stuffing is one of the most persistent types of cyber attacks – ever-present malicious internet traffic that’s difficult to see. Both cause significant disruption to victim organisations, even when they haven’t caused significant breaches.”
As an example, attackers recently gained access to Uber’s GitHub repository using employees’ login credentials that had been compromised in previous data breaches. The hackers subsequently located credentials for the company’s Amazon Web Services (AWS) datastore and were able to access the records of 32 million users and 3.7 million drivers.
Credential stuffing attacks have become an increasingly potent risk for organisations. As more and more data breaches occur, releasing more login details into the wild, more data is available for hackers to work with. “Every time there’s a substantial data breach event, we absolutely see a rise in attempted credential stuffing,” says Sam Crowther, founder of Kasada.
Credential stuffing in disguise
Due to their similarities, it is entirely possible that a DDoS attack could be used to disguise credential stuffing. Rather than repeating the same action and thereby overwhelming the server in the case of DDoS, credential stuffing attempts a login combination – email address and password, for example – before moving on to the next. As credential stuffing involves different, and frequently failed, login attempts, it can be easy to miss.
To detect credential stuffing attacks, organisations need to be cognisant of sudden bursts of high numbers of failed login attempts. Configuring intruder detection system (IDS) modules to not only detect, but report such instances will allow organisations to become aware of such attacks and to take appropriate action.
It is worth noting that hackers are not only attempting to log into online systems, but also the application programming interfaces (APIs) that exist behind a website. While APIs are not the ultimate goal of such attacks, they are less protected than typical login systems, and allow hackers to access user permissions and associated functions.
“In the last couple of years, attacks have been directed towards API interfaces and development interfaces, which don’t necessarily have the same authentication server systems in place,” says Colin Tankard, managing director of Digital Pathways. “They’re certainly not as well protected, like a financial site would be, on logons.”
Despite credential stuffing attacks stemming from a human problem, there are still educational and technological solutions that organisations can implement to mitigate the risk of credential stuffing.
Increasing the number of steps in the verification process, such as through two-factor authentication (2FA) or multifactor authentication (MFA), reduces the danger posed by credential stuffing. Such additional verification measures can be through biometrics or using one of the many available 2FA and MFA authenticators.
The reason that 2FA and MFA are so successful against credential stuffing attacks is that they provide an additional level of verification to gain access. As credential stuffing attacks are based on previously obtained login information, the additional information required for 2FA will never be present.
However, 2FA and MFA are not flawless, as there are some concerns about the effectiveness of such technologies. Furthermore, as there are multiple types of 2FA systems, users might feel bombarded by authentication requests and struggle to recall which 2FA app is used in each instance. “The industry now has thousands of different variations of multifactor and you end up just getting swamped when you log on to the site,” observes Tankard.
Enforcing users to regularly change their passwords can be beneficial, especially if passwords cannot be repeated. However, this does not prevent users changing their passwords to those used on other sites. Similarly, users might become frustrated with having to change their passwords frequently.
While credential stuffing attacks can be blocked from accessing a website, this does not prevent them from causing secondary damage by taking the website or login server down, due to the DDoS effect. In such cases, network traffic filters can help mitigate such risks.
Nonetheless, credential stuffing attacks are markedly different to DDoS attacks. In credential stuffing, a user and password combination are only attempted once before moving on, ergo it will show as a single failure to login in that instance, with no repeated attempts.
Since credential stuffing is an automated process using botnets, login systems for websites can add a layer of security by detecting the platform from which each login requests originates. By confirming that the login request is from a web browser, this indicates that the login request is more likely to be legitimate, rather than part of a botnet.
“Instead of looking at the IP address, they make sure that whatever is connected is, in fact, a legitimate browser,” says Crowther. “Before you can even access one of our websites, it will profile your browser from the inside to make sure there’s no automation going on.”
Although this particular technique obtains data regarding the user, it avoids any data protection concerns as it does not harvest any of the device or regionalisation data.
Forewarned is forearmed
Since the number of credential stuffing attacks increases following each new data breach, being forewarned is forearmed. Therefore, those IT departments that keep abreast of current events within the realm of cyber security will be better placed to anticipate potential credential stuffing attacks and to prepare accordingly, such as setting time aside for responding to attacks or ensuring that sufficient network resources will be available.
“Be aware of an unusual increase in users saying, ‘I can’t get into the system’ or ‘My password seems to be different’, because so many companies don’t link all of these bits together and see something’s going on,” advises Tankard.
Ultimately, for all the technological measures that may mitigate the problem, credential stuffing is a symptom of a very human problem. Investing in educating employees in basic password security can pay dividends in the future, as it will further raise awareness of the dangers that poor password habits can bring.
“Individuals need to be more cautious with passwords,” says Tankard. “If they see an alert for a website they think they’ve been on, that it has been compromised, they should change their password.”
Not only should employees use unique passwords for each of their user credentials, but they should also regularly check the Have I been pwned (HIBP) website. Launched in 2013, HIBP allows internet users to check whether their email address and associated personal data have been compromised by security breaches. The service collects and analyses hundreds of database dumps, allowing users to search for their own information by entering their username or email address. Users are also able to register, for free, to be notified if their email address appears in future dumps.
In addition, employees could be encouraged to use password management systems, such as LastPass. Password management systems are particularly effective, as they generate strong and unique passwords that can be robustly protected. However, if a weak password is used to protect the database, there is a risk that all a user’s passwords could be exposed.
With the growing number of data breaches, the outlook for credential stuffing attacks is that their number and frequency is likely to increase. “Credential stuffing will continue to get worse as an arms race,” says Crowther. “Barnes and Noble announced that they had a breach, and that’s going to now add to the ‘well’.”
Credential stuffing stems from poor password habits and is ultimately a symptom of a human problem. However, there are several technological and educational measures that organisations can undertake to protect themselves against such attacks.
Investing in measures such as 2FA or MFA increases the number of verification processes, while network filtering can prevent an organisation’s login servers from being overwhelmed. Advocating password management systems and educating employees regarding the dangers posed by using the same password across multiple platforms also allows organisations to take further proactive steps in protecting themselves against what is becoming an increasingly common vector for cyber attacks.