2017 Credential Spill Report

social_media_10largest_spillsOver the past 12 months, we have seen dozens of the world’s largest online services report that they had been breached by attackers who were able to gain access to their customers’ login credential data. By the end of 2016, over three billion credentials in total were reported stolen, at an average pace of one new credential spill reported every week.

These numbers are a record and include the two largest reported credential spills of all time, both by Yahoo. Near the end of the year, the National Institute of Standards and Technology published the Draft NIST Special Publication 800-63B Digital Identity Guidelines, recommending that online account systems check their users’ passwords against known spilled credential lists.

As the size and frequency of credential spills appears to be increasing, today we are publishing the 2017 Credential Spill Report. This report includes key findings from the credential spills reported in the past year and data from the Shape network to provide insight into the scale of credential theft and how stolen credentials are used.

In particular, stolen credentials are now used every day in credential stuffing attacks on all major online services. In these attacks, cybercriminals test for the reuse of passwords across websites and mobile applications. In the past, announcements of credential spills would focus on the security of accounts at the organization which reported the data breach, but now people are realizing that the widespread reuse of passwords by users across websites means that a breach on one account system endangers all other account systems.

At Shape, we have a unique view into this activity because our technology protects the world’s most attacked web and mobile applications—those run by the largest corporations in financial services, retail, travel, and other industries, as well as the largest government agencies—on a 24/7 basis.

Key statistics from spills reported in the past year include:

Over 3 billion credentials were reported stolen in 2016.

  • 51 companies reported suffering a breach where user credentials were stolen.
  • Yahoo in 2016 reported the two largest credential spills of all time. The next largest credential spills in 2016 were reported by Friend Finder, MySpace, Badoo and LinkedIn.
  • Tech companies had the largest total number of spilled credentials (1.75 billion).
  • The gaming industry had the largest number of companies with spills (11).

From Shape’s network data, we also observed:

  • 90% of login requests on many of the world’s largest web and mobile applications is attributable to traffic from credential stuffing attacks.
  • There is up to a 2% success rate for account takeover from credential stuffing attacks, meaning that cybercriminals are taking over millions of accounts across the Internet on a daily basis as a result of credential spills.
  • Credential stuffing attacks are now the single largest source of account takeover on most major websites and mobile applications.
  • One Fortune 100 retailer experienced a credential stuffing attack with over 10,000 login attempts in one day coming from the cybercriminal attack tool Sentry MBA, which is the most popular credential stuffing software and appears to be used to attack nearly every company in every industry.
  • Analyzing 15.5M account login attempts for one customer during a four month period, over 500K accounts were confirmed to be on publicly spilled credential lists.

Dealing with credential spills and the credential stuffing attacks that they fuel is a complex topic. Here are some basic recommended actions for consumers and enterprises:

The most important takeaway for consumers is that you should never reuse passwords across online accounts. Selecting a strong password is not enough; if you have reused that same password on multiple sites, and one of those sites is breached, your accounts on all of the other sites where you have used the same password are now at risk.

For companies, a lot of public attention is focused on any organization that experiences a data breach and loses control of their users’ credentials. However, the real issue other companies should focus on is protecting themselves against those passwords being used to attack them and their own users. Credential stuffing attacks easily bypass simple security controls like CAPTCHA and Web Application Firewalls, so relying on those mechanisms does not offer any protection. Controls like two-factor authentication can help, but of course come with other drawbacks.

In any case, getting educated is the best course of action. The Open Web Application Security Project (OWASP) provides a starting point for learning about credential stuffing and other automated attacks in their list of OWASP Automated Threats To Web Applications.

To learn more, download the full 2017 Credential Spill Report.

Dan Woods,

Director, Shape Intelligence Center

The Half-Day Attack: From Compromise to Cash with Sentry MBA

Sentry MBA-2

Sentry MBA, an automated attack tool used to take over accounts on major websites, makes cybercrime accessible to legions of attackers across the globe. Sentry MBA illustrates the pivotal role automation plays in online attacks and shows how cybercrime is increasingly compartmentalized and commoditized.

Allow me to illustrate with a short story.

Let’s say you’re a would-be cybercriminal looking to make some quick cash. There are many ways to make money on the Internet – especially if you think shoplifting’s a harmless recreational activity – so you hatch a plan to break into your favorite online electronics retailer’s website, order a few televisions, and have them shipped somewhere you can grab them.

But you have a problem: finding website vulnerabilities requires technical skills you just don’t possess. And even if you were a sophisticated cybercriminal, who really wants to spend their valuable time crafting SQL injection or cross-site scripting attacks? It’s far easier to just hijack a few user accounts. The authors of Verizon’s data breach report said as much: “With so many credential lists available for sale or already in the wild, why should a criminal actually earn his/her keep through SQL injection when a simple login will suffice?”

After doing some research, you may stumble across a tool like Sentry MBA. You might not have the technical expertise to research and hand-craft a targeted online exploit, but with Sentry MBA you can launch sophisticated and damaging attacks that are capable of penetrating the defenses employed by major corporations.

It’s a numbers game that works because so many people use the same passwords for multiple online accounts. Any list of stolen credentials will almost certainly include some that allow you to access accounts on the site you’ve targeted. Once you’re in, the retailer is your oyster. You can order any fancy gadget you please with the victim’s stored credit card number, change the ship-to address for your delivery convenience, and resell the goods for cash. Once you’ve maxed out one credit card, just rinse and repeat for all the accounts you cracked.

Sentry MBA automates the process of testing millions, or tens of millions, of username/password combinations to see which ones work. Without automation that task is impossibly time-consuming.

Shape Security protects websites and mobile applications by detecting and preventing automated attacks, including credential stuffing attempts. Shape analyzed a sample of our customer data consisting of six billion login and search page submissions from December of 2015 through January of 2016 and found that Sentry MBA attacks were commonplace. Here are some anonymized examples of the attacks we found:

  • Over one week in December, cybercriminals made over 5 million login attempts at a Fortune 100 B2C website using multiple attack groups and hundreds of thousands of proxies located throughout the world
  • Over two days in January, a large retailer saw two major Sentry MBA attacks with over 20,000 total login attempts
  • During one day in January, a large retailer witnessed over 10,000 login attempts used Sentry MBA and over 1000 proxies
  • Two attacks in December highlight how cybercriminals are turning their attention to mobile APIs. The first attack, focused on the target’s traditional website application, made over 30,000 login attempts using proxies located in eastern Europe. The second attack, focused on the target’s mobile API, made over 10,000 login attempts on a daily basis. Both attacks shared hundreds of IP addresses and other characteristics, indicating the same actors may have been responsible.

By reducing the level of technical skill needed to mount a sophisticated cyberattack, Sentry MBA brings damaging attacks within reach of more and more cybercriminals. The open web and darknet are filled with forums offering working Sentry MBA configuration files for specific sites and credential lists to try. These underground markets, combined with automated tools like Sentry MBA, create a new cybersecurity reality where devastating online attacks can be launched by any individual with minimal resources.

The best way to stop Sentry MBA attacks is to detect and deflect them before they take over accounts through your website or mobile application API. Shape Security protects you and your customers from online fraud committed by cybercriminals using automated attack frameworks, whether they are Sentry MBA or other toolkits.

For an in-depth exploration of Sentry MBA, please see our post from our research team: A look at Sentry MBA.

Rising Attack Vector: Credential Stuffing

Credential stuffing is a growing threat to the web community. As more companies are offering their goods and services online, customers practicing bad password hygiene are in danger of having their account stolen whenever a website is breached.

Read more about the rise of credential stuffing below.

Credential stuffing is taking lists of breached credentials from one website and testing them against another. According to the most recent Verizon Data Breach report, it’s one the fastest rising attack vectors.

The list of major companies that have fallen to this attack is impressive: Sony ‘11, Yahoo ‘12, Dropbox ‘12, and JPMC ‘14.

Credential stuffing is a general concept, but the outcome of successfully taking over user accounts results in more specific attack in various industries: stealing hotel reward points, pilfering airline frequent flier miles, and committing gift card fraud, to name just a few.

The Definition of Credential Stuffing

Credential stuffing is the automated testing of breached username/password pairs in order to fraudulently gain access to user accounts. This attack involves checking large numbers of spilled credentials against various websites to uncover credentials that are valid on a target website. Attackers then hijack those accounts and commit various types of fraud.

The Anatomy of Credential Stuffing Attack

  1. The attacker acquires spilled usernames and passwords from a website breach or password dump site.
  2. The attacker uses an account checker to test the stolen credentials against many websites (for instance, social media sites or online marketplaces).
  3. Successful logins (usually 0.1-1% of the total login attempts) allow the attacker to take over the account matching the stolen credentials.
  4. The attacker drains stolen accounts of stored value, credit card numbers, and other personally identifiable information
  5. The attacker may also use account information going forward for other nefarious purposes (for example, to send spam or create further transactions)

How is Credential Stuffing Different from Existing Threats?

We’ve classified credential stuffing as a renewed form of attack because the primary vector for account takeover has changed from the breaching of databases to automated web injection.

According to our analysis, credential stuffing is now the most popular method used by attackers to achieve account takeover. This is particularly dangerous to both consumers and enterprises because of the ripple effects of these breaches.

Credential Stuffing was the Attack Vector Used in the Sony, Yahoo, Dropbox and JPMC Breaches

Below are excerpts taken from publications analyzing these large-scale breaches. There is evidence to support that these breaches were connected by credential stuffing.

  • Sony, 2011 breach: “I wish to highlight that two-thirds of users whose data were in both the Sony data set and the Gawker breach earlier this year used the same password for each system.” Source: Agile Bits
  • Yahoo, 2012 breach: “What do Sony and Yahoo! have in common? Passwords!”. Source: Troy Hunt
  • Dropbox, 2012 breach: “The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log into sites across the internet, including Dropbox”. Source: Dropbox
  • JPMC, 2014 breach: “[The breached data] contained some of the combinations of passwords and email addresses used by race participants who had registered on the Corporate Challenge website, an online platform for a series of annual charitable races that JPMorgan sponsors in major cities and that is run by an outside vendor. The races are open to bank employees and employees of other corporations”. Source: NY Times

Anatomy of the 2011 credential stuffing attack on Sony. Credentials from smaller sites are leaked and injected into Sony’s login pages to test for credential reuse. The attacker gained access to any Sony accounts which used the same credentials as were leaked from the smaller sites.

Using botnets, Sony credentials were tested on Sony’s login page. According to Wired, this resulted in 93,000 breached accounts. In other words, the credential stuffing attack that led to the Sony breach was made possible by prior breaches of smaller sites.

This connected chain of events from Sony to Yahoo to Dropbox excludes JPMC. The JPMC breach came from a separate and unrelated source. We know that the JPMC breach was caused by attackers targeting an unrelated third-party athletic race/run site for credentials to use against JPMC.

What Can SysAdmins Do to Prevent Attackers from Hijacking User Accounts by Credential Stuffing?

The answer requires an understanding of the technical mechanism by which credential stuffing works.

Like account checkers, credential stuffing works by using the static form elements of the login page as an implicit API. The attacker references various form element names (email and password) in order to interact with the target webpage. Since most websites accept such traffic as normal (having no means to distinguish between intended and malicious use), the attacker can automate the attack by using scripts and account checkers to easily run through millions of tests per unit time. Using a large-scale distributed botnet and a huge number of IP addresses allows the attacker avoid rate and volume limits which might otherwise prevent such a large number of login attempts. Thus, it is trivial even for unsophisticated attackers to launch attacks of this nature and scale against some of the largest websites in the world.

To defend websites against such activity, which we call “unwanted automation,” Shape Security uses an approach that is familiar to attackers: we dynamically change the underlying code of the site each time a page is viewed to defeat the types of scripts used in credential stuffing attacks. Just as malware authors have long used polymorphic code to evade antivirus products by constantly presenting different signatures, Shape’s solution creates a moving target which frustrates potential attackers attempting to automate easy credential testing on the website using scripts. The effort an attacker must invest to successfully automate login attempts on a given website without changing the front-end use experience.

Of course, savvy readers will point out numerous ways these measures can be circumvented. While, it is beyond the scope of this article (but perhaps the subject of future pieces) to consider such attacks (DOM, GUI, and others), Shape is keenly focused on comprehensively defeating them and has solutions at each of those levels.

Contact us to learn how Shape Security can protect your site.