Credential stuffing is a growing threat to the web community. As more companies are offering their goods and services online, customers practicing bad password hygiene are in danger of having their account stolen whenever a website is breached.
Read more about the rise of credential stuffing below.
Credential stuffing is taking lists of breached credentials from one website and testing them against another. According to the most recent Verizon Data Breach report, it’s one the fastest rising attack vectors.
The list of major companies that have fallen to this attack is impressive: Sony ‘11, Yahoo ‘12, Dropbox ‘12, and JPMC ‘14.
Credential stuffing is a general concept, but the outcome of successfully taking over user accounts results in more specific attack in various industries: stealing hotel reward points, pilfering airline frequent flier miles, and committing gift card fraud, to name just a few.
The Definition of Credential Stuffing
Credential stuffing is the automated testing of breached username/password pairs in order to fraudulently gain access to user accounts. This attack involves checking large numbers of spilled credentials against various websites to uncover credentials that are valid on a target website. Attackers then hijack those accounts and commit various types of fraud.
The Anatomy of Credential Stuffing Attack
- The attacker acquires spilled usernames and passwords from a website breach or password dump site.
- The attacker uses an account checker to test the stolen credentials against many websites (for instance, social media sites or online marketplaces).
- Successful logins (usually 0.1-1% of the total login attempts) allow the attacker to take over the account matching the stolen credentials.
- The attacker drains stolen accounts of stored value, credit card numbers, and other personally identifiable information
- The attacker may also use account information going forward for other nefarious purposes (for example, to send spam or create further transactions)
How is Credential Stuffing Different from Existing Threats?
We’ve classified credential stuffing as a renewed form of attack because the primary vector for account takeover has changed from the breaching of databases to automated web injection.
According to our analysis, credential stuffing is now the most popular method used by attackers to achieve account takeover. This is particularly dangerous to both consumers and enterprises because of the ripple effects of these breaches.
Credential Stuffing was the Attack Vector Used in the Sony, Yahoo, Dropbox and JPMC Breaches
Below are excerpts taken from publications analyzing these large-scale breaches. There is evidence to support that these breaches were connected by credential stuffing.
- Sony, 2011 breach: “I wish to highlight that two-thirds of users whose data were in both the Sony data set and the Gawker breach earlier this year used the same password for each system.” Source: Agile Bits
- Yahoo, 2012 breach: “What do Sony and Yahoo! have in common? Passwords!”. Source: Troy Hunt
- Dropbox, 2012 breach: “The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log into sites across the internet, including Dropbox”. Source: Dropbox
- JPMC, 2014 breach: “[The breached data] contained some of the combinations of passwords and email addresses used by race participants who had registered on the Corporate Challenge website, an online platform for a series of annual charitable races that JPMorgan sponsors in major cities and that is run by an outside vendor. The races are open to bank employees and employees of other corporations”. Source: NY Times
Anatomy of the 2011 credential stuffing attack on Sony. Credentials from smaller sites are leaked and injected into Sony’s login pages to test for credential reuse. The attacker gained access to any Sony accounts which used the same credentials as were leaked from the smaller sites.
Using botnets, Sony credentials were tested on Sony’s login page. According to Wired, this resulted in 93,000 breached accounts. In other words, the credential stuffing attack that led to the Sony breach was made possible by prior breaches of smaller sites.
This connected chain of events from Sony to Yahoo to Dropbox excludes JPMC. The JPMC breach came from a separate and unrelated source. We know that the JPMC breach was caused by attackers targeting an unrelated third-party athletic race/run site for credentials to use against JPMC.
What Can SysAdmins Do to Prevent Attackers from Hijacking User Accounts by Credential Stuffing?
The answer requires an understanding of the technical mechanism by which credential stuffing works.
Like account checkers, credential stuffing works by using the static form elements of the login page as an implicit API. The attacker references various form element names (email and password) in order to interact with the target webpage. Since most websites accept such traffic as normal (having no means to distinguish between intended and malicious use), the attacker can automate the attack by using scripts and account checkers to easily run through millions of tests per unit time. Using a large-scale distributed botnet and a huge number of IP addresses allows the attacker avoid rate and volume limits which might otherwise prevent such a large number of login attempts. Thus, it is trivial even for unsophisticated attackers to launch attacks of this nature and scale against some of the largest websites in the world.
To defend websites against such activity, which we call “unwanted automation,” Shape Security uses an approach that is familiar to attackers: we dynamically change the underlying code of the site each time a page is viewed to defeat the types of scripts used in credential stuffing attacks. Just as malware authors have long used polymorphic code to evade antivirus products by constantly presenting different signatures, Shape’s solution creates a moving target which frustrates potential attackers attempting to automate easy credential testing on the website using scripts. The effort an attacker must invest to successfully automate login attempts on a given website without changing the front-end use experience.
Of course, savvy readers will point out numerous ways these measures can be circumvented. While, it is beyond the scope of this article (but perhaps the subject of future pieces) to consider such attacks (DOM, GUI, and others), Shape is keenly focused on comprehensively defeating them and has solutions at each of those levels.
Contact us to learn how Shape Security can protect your site.