Our last post covered how credential stuffing poses a significant danger to consumer and enterprise websites.
But how much does it cost to actually execute this powerful attack?
Learn about how an adversary can hijack one million accounts for less than a fast food meal.
Credential stuffing is a dangerous threat. Using simple mathematics and publicly available data we’ve been able to show how attackers are using botnets to try to hijack 1 million online accounts for just $3. Assuming a 1% success rate, attackers are still netting 10,000 accounts for $3.
The economics of botnet technology makes credential stuffing a growing threat for consumers and enterprises.
To highlight the economics of credential stuffing, let’s compare labor costs between a single human, a bot, and a botnet to test 1 million credentials. According to WSJ, a botnet costs $2 to rent.
Using a botnet, an attacker can test 1 million accounts in a matter of hours (100 minutes to be exact). Credential stuffing is a web threat enabled by the rise of cheap botnets. In years past, testing 10 million passwords against a given website was both expensive to do, and easy to detect. Today, cheap botnets consisting of end-user machines have turbocharged credential stuffing. Now, the attack is cheap to perform and very hard to detect. Attackers regularly cycle through 10,000 to 100,000 IP addresses a day, making detection challenging.
Prior to the development of these technologies, the cost and time commitment required to launch this kind of brute force attack was prohibitive to attackers. The advent of botnets allowed credential stuffing attacks to be done in as little as a few days, while avoiding the IP reputation and throttling controls that prevent repeated login attempts. Cheap, easy-to-use botnets are plentiful on the black market, and potential attackers are more comfortable with using technology than ever before.
The attackers who control these botnets are still held to the same economics as white-market products and services. Criminal entrepreneurs need to weigh the costs of infrastructure, labor, and profits to justify testing millions of credentials. And as they race against the clock for consumers to change their passwords, criminals become desperate for tools that make account takeover easier, faster, and more profitable for their enterprise.
In the last 5 years, bot technology has innovated the black market economy. As a result, we have seen a dramatic increase in automated, scripted attacks amongst our customers. If you would like to read more about the lifecycle of an automated attack, you can read our previous blog here.
Contact us to learn how Shape Security can protect your site.
[update] In this updated version of this blog post we refer to a single node bot. In a previous version of the same blog post we referred to a click-farm.