Headline writers love data breaches. As explained last month, they pit hackers versus security professionals in a good versus evil stand-off that makes for a great story. But there’s way more to the threat landscape than breaches. Increasingly we’re seeing a whole new category of follow-on attacks using the breached log-in records currently flooding the dark web in their millions.
Credential stuffing leads the pack, and IT leaders should be concerned. It’s estimated to cost US firms alone over $5bn annually and has already affected some big-name brands this year including Nest, Dunkin’ Donuts, Dailymotion and OkCupid.
Brutal account takeovers
Credential stuffing is a kind of brute-force attack which uses automated tools to try large volumes of stolen log-in data simultaneously across multiple sites until one works. It relies upon the fact that many organisations still allow customers and employees to use password-only log-ins, and the fact that these users have so many to manage that they resort to sharing credentials across multiple sites and accounts. One company estimates that the average employee today has to manage over 190 passwords.
The end goal is to crack open accounts, whether they are used by external customers or corporate employees. In a B2C scenario, the hijacked accounts can be a lucrative source of personally identifiable information (PII) to sell on the dark web. Depending on the company, they could also be sold on the cybercrime underground to provide buyers with free ride-sharing trips, streaming content and more. Some accounts feature Air Miles, hotel gift cards and other loyalty balances which could also be sold on. And it goes without saying that access to a bank or financial services account could be even more lucrative.
According to one report, retail is the most affected sector globally with 10 billion credential stuffing attempts recorded between May and December 2018. However, other industries are also affected, including streaming media (8.1bn attempts), media and entertainment (3.5bn), manufacturing (1.3bn) and financial services (1.1bn). It might be tempting for those organisations affected to argue that it’s not their fault — that these attacks happen because customers fail to properly secure their accounts with unique passwords. But try telling that to a customer. The bottom line is it’s your corporate reputation on the line.
Employees at risk
However, that’s not the end of the story. Credential stuffing attacks could also represent a significant risk to corporate security. Why? Because employees will sometimes register external accounts such as LinkedIn with their corporate email and log-in. This is all very well until those credentials are exposed in a breach of the third-party site in question. This gives hackers a golden opportunity to take over corporate accounts.
From there, they can send highly convincing spear-phishing emails to privileged account holders, potentially with the end goal of hacking into corporate data stores. There’s even an opportunity to launch Business Email Compromise (BEC) attacks on the back of such activity. Because such attacks come from a legitimate, trusted source, they can be very hard to detect and stop.
Billions of problems
The bottom line is this problem isn’t going away anytime soon. One company detected nearly 28 billion credential stuffing attempts between May and December 2018 alone. If anything, automated tools are getting even more sophisticated, allowing attackers not only to crack open existing accounts but use breached PII to open new ones in the victim’s name.
In the meantime, breached data continues to flood the underground forums frequented by the black hats. So-called “combo lists”, which bundle together credentials leaked via various previous breaches, offer a ready-made source for these campaigns. One recently revealed high-profile collection purported to contain over eight billion log-ins. The success rate for credential stuffing campaigns is often no greater than 1%, but with this many passwords to try, it doesn’t need to be much higher.
What can you do?
Credential stuffing isn’t the only way to compromise users’ accounts, of course. Organisations must also beware of phishing, password spraying, and other techniques. But it remains a serious threat to the bottom line and corporate reputation that requires urgent attention. The problem is knowing what to do. For external customers, organisations are understandably reluctant to mandate multi-factor authentication (MFA) as it may add too much friction to the log-in process. However, contextual MFA may be an option as it will only ask for a second factor if it deems there to be a high risk.
When it comes to corporate accounts, there are more options. Policies should be strictly drawn up to ban the use of corporate emails/log-ins to register with third-party sites. Firms should remove any password-only log-ins and enhance authentication with MFA. Better log-in security could also be combined with AI-powered tools designed to spot suspicious log-in attempts and internal email activity potentially indicating a compromised account.
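To make the "spot suspicious log-in attempts" and contextual MFA ideas concrete, here is an added example (not from the original article or any vendor's product) that flags sources trying many distinct accounts with a very low success rate, the pattern described above, and then challenges only log-ins from those sources. The event format, thresholds and function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

def build_sample_events():
    """Constructed auth events (not real data): (source_ip, username, success)."""
    events = []
    # One source tries 200 different accounts once each; 2 succeed (1%).
    for i in range(200):
        events.append(("203.0.113.7", f"user{i}@example.com", i in (41, 137)))
    # A real user mistypes a password twice, then logs in.
    events += [("198.51.100.20", "alice@example.com", False),
               ("198.51.100.20", "alice@example.com", False),
               ("198.51.100.20", "alice@example.com", True)]
    # Office NAT: many users behind one address, almost all successful.
    for i in range(30):
        events.append(("192.0.2.10", f"staff{i}@example.com", i != 3))
    return events

def find_stuffing_sources(events, min_accounts=20, max_success_rate=0.05):
    """Flag sources that try many distinct accounts and mostly fail.
    Thresholds are illustrative assumptions; tune them on your own traffic."""
    attempts = defaultdict(int)
    successes = defaultdict(int)
    accounts = defaultdict(set)
    hits = defaultdict(set)
    for ip, user, ok in events:
        attempts[ip] += 1
        accounts[ip].add(user)
        if ok:
            successes[ip] += 1
            hits[ip].add(user)
    flagged = {}
    for ip in attempts:
        rate = successes[ip] / attempts[ip]
        if len(accounts[ip]) >= min_accounts and rate <= max_success_rate:
            flagged[ip] = {"accounts_tried": len(accounts[ip]),
                           "success_rate": rate,
                           # Accounts that did open: reset and re-verify these.
                           "reset_and_step_up": sorted(hits[ip])}
    return flagged

def requires_second_factor(ip, flagged):
    """Contextual MFA: ask for a second factor only from flagged sources."""
    return ip in flagged

if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(build_sample_events()).items():
        print(ip, stats)
```

Counting per source address misses campaigns spread across many proxies, so in practice the same ratio is also worth computing per network range, per user agent and across the whole log-in endpoint.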
More generally, organisations need to work towards getting better at detecting when they’ve been breached. The dwell time in EMEA stands at an unacceptable 177 days, with one vendor claiming it takes as long as 15 months for organisations to spot mass credential theft. If we all got better at this bit, log-ins could be reset before the stolen credentials even make it onto dark web trading forums.
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.