The cyber division of the Federal Bureau of Investigations (FBI) has issued a private industry advisory warning of a spike in credential stuff attacks aimed at financial services firms.
Billions of credentials available on the Dark Web are making it simpler for cybercriminals to launch credential stuffing attacks. These types of attacks typically target application programming interfaces (APIs) that financial services firms rely on to build applications, the FBI report notes. As was the case in the days of old, financial services firms are being targeted because that’s where the money is.
The FBI also notes cybercriminals are also counting on the fact that the same password is being employed across multiple accounts and applications.
Launched by botnets controlled mainly by cybercriminal syndicates, these attacks essentially rely on brute force. The FBI report shares an example of how last July a mid-sized financial institution in the U.S. reported its Internet banking platform had experienced a “constant barrage” of login attempts using various credential pairs. The report also notes between January and August 2020 unidentified actors also used aggregation software to link actor-controlled accounts to client accounts belonging to the same institution, resulting in more than $3.5 million in fraudulent check withdrawals and electronic transfers.
Credential stuffing is fortunately a type of attack that typically tends to have low success rates. However, as botnets continue to grow the cost of launching large scale attacks in declining so cybersecurity teams should expect more waves of attacks using this threat vector.
Recommendations from the cyber division of the FBI for mitigating these attacks include:
- Alert customers and employees these attacks are being made and actively monitor accounts for unauthorized access, modification, and anomalous activities.
- Advise customers and employees to use unique passwords that are not being used for any other accounts and to change their passwords regularly.
- Direct customers to change their usernames and passwords upon identification of account compromise or fraud.
- Validate customer credential pairs against databases of known leaked usernames/passwords.
- Modify Internet banking login page responses to remove indicators that reveal the validity of credential pairs by issuing the same error message and response time when both username and password are incorrect or only the password is incorrect.
- Establish company policies to contact the owner of an account to verify any changes to existing account information.
- Establish multifactor authentication (MFA) for creating and updating account information, especially for bank, insurance, and trading accounts, as well as for providing initial account access to financial aggregator services.
- Use anomaly detection tools that identify an unusual increase in traffic and failed authentication attempts.
Credential stuffing is the natural outgrowth of the millions of phishing attacks that have been launched against both individuals and entire organizations. All those stolen credentials become the fuel that enables credential stuffing attacks to be launched at such levels of scale that are nothing less than unprecedented. Savvy cybersecurity teams are finding ways to encourage end-users to regularly change their passwords. Sometimes the best thing that can happen is when an end-user forgets their password because it forces them to change it.
Unfortunately, much of those focus has been encouraging end-user to have strong passwords, many of which still wind up on the Dark Web. Arguably, most organizations would be a lot better off if they just required end-users to change their passwords every few months no matter what. After all, there’s a very good reason why the military routinely changes the password challenges relied on to secure bases.
Of course, there was a time when end users might have resisted that idea. However, as more end-users become aware of how many of their passwords are on the DarkWeb that resistance should hopefully decline, especially if the updating of those passwords occurs as part of a natural extension to a digital business process.
There may come a day when passwords are obsolete. In the meantime, like or not the password remains the first and last line of defense.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.