Credential stuffing attacks on web applications have grown significantly in recent years. PerimeterX CTO and co-founder Ido Safruti and director of cybersecurity research Liel Strauch recently joined us to discuss credential stuffing attacks, also known as brute force attacks and account takeover attacks. Listen to the full podcast episode here.
Let’s go back to basics. In order to understand what credential stuffing attacks are, we need to establish context with other closely related terms. Brute force attacks, account takeover and credential stuffing are often used within the same breath. What are brute force attacks? What do businesses need to know about them?
Ido: Brute force attacks are where an attacker or malicious actor leverages machines or automation in order to go through a big set of tasks. They repeatedly try to take a large set of stolen credentials from a database or other list and go “brute force” on trying to figure out which of them work on a site — rapidly testing which of them are valid or not.
We’ve discussed account takeover attacks on the podcast previously when discussing user verification, top threats, and other vulnerabilities. It seems like these attacks are happening everywhere. So again, let’s establish context for credential stuffing with the basics: what is account takeover?
Ido: Account takeover is a more sophisticated instance of a brute force attack where the cybercriminal is specifically targeting account credentials in order to take over an account. In these specific cases, the attacker will leverage large data sets of users’ password combinations. There are billions of such credentials that have been leaked throughout the last few years that are available for purchase on the dark web or in other ways. These are popular sources to take login credentials for testing and validation.
Data breaches can result from a single machine going very fast, which is typically easier to find than the more advanced attacks that are leveraging an army of sometimes hundreds of thousands of different bots and machines, distributing the load between them to make it harder to distinguish the source. This also allows data breaches of higher volume to occur.
In many cases, cybercriminals will also go through multiple sites simultaneously to spread the load even further, to make it even harder to detect. So if they have a capacity of a million login requests per hour, they can send them all to one site, but that would make it more recognizable. Alternatively, they can split it between thousands of different sites, covering a much bigger surface and making the attack harder to detect.
Account takeover attacks can be referred to with another term — credential stuffing attacks. For the uninitiated, what is credential stuffing?
Ido: Credential stuffing is another way of looking at these same attacks. Think of a brute force attack that aims specifically at credentials, where you would want to test credentials in a specific place where you can validate them. That is credential stuffing.
Liel, you’re on the front lines with what the PerimeterX research team is seeing. What kind of numbers do businesses generally see in terms of brute force, account takeover attacks and credential stuffing attacks?
Liel: We have seen enormous numbers of login attempts that have been blocked, or in other words, account takeover attacks that we have prevented. PerimeterX blocked 61 billion bots, and out of those, mitigated 2.3 billion account takeover attempts in the month of September 2020 alone. Moreover, we are seeing account takeover attempts taking up to 90% of the total login attempts for some of our customers’ traffic. This can reach even higher than the normal human traffic out of the total login attempts.
There was a recent SEC alert on an increase in credential stuffing attacks. What can you tell us about this?
Ido: What we're seeing on our network, and in the stats that Liel shared for the month of September, is that these attacks are constantly growing in volume. We’re seeing a deluge of account takeover. It’s hitting across all verticals, and we're seeing it grow continuously month over month for the last few years. There's good reason to say that attackers are getting a lot of value from it. They're being more efficient on how they can monetize a breached account if they have an account for a retailer or other website. This growth in activity is also specifically hitting financial services.
This is why the SEC has issued such an alert. It clearly means that they're seeing growth in attacks on financial institutions. And they're providing guidance on the recommended measures financial services, or any site, should take to make data breaches harder and to stay secure. It’s important to deploy layers like anti-bot technology as well as enforce two-factor authentication or multi-factor authentication (MFA) — anything that will make it harder for these attackers to breach. These are very high-value attacks. For instance, unlike taking my account on Netflix, if you were to take my bank account, then obviously the financial damages could be much more significant for me and for the institution.
At the time of recording this, we’ve just passed the first big milestone of the 2020 holiday shopping season with the Black Friday and Cyber Monday weekend. What credential stuffing and account takeover-related attack patterns are we seeing now on e-commerce businesses that might continue through the end of the year?
Liel: In parts of our system, we see two to three times more malicious login attempts than the human attempts. This time of the year is highly subject to malicious campaigns and attacks, which I expect to see following us for the rest of the year. We also see the increase following the human attraction to the site. If there is a campaign or a sale that follows with a spike of “good” users, you would likely see the bots trying to follow that pattern in hopes of getting lost in that general increase of traffic.
This is something we've seen happening with both account takeovers but also with carding and other types of attacks that happen specifically during the holiday season in a bigger ratio. Since the beginning of November, the month of the holiday sales, we have mitigated 2.8 billion login attempts, which is half a billion more attempts than the month before. And during the holidays we have mitigated 7.8 billion bots and 610 million login attempts, which means the numbers are high.
What are some best practices for protection for businesses approaching the holidays this year?
Ido: The first step is awareness. Even before mitigating, you should look at logs and have your controls and reporting in place, so that you can identify and be aware if such attacks are happening. When talking about login traffic, it’s best to have a large set of stats that you can easily monitor that can give you a good indication of how severe the situation is for you. You should look for the sources of users and where they're coming from.
One common indication of an account takeover campaign is failed logins. Most legitimate users log in once and then remain logged into their session for several days or more. In these cases, most of the traffic is malicious and most of the credentials that attackers are guessing are likely going to fail. Sometimes half a percent to one percent of logins are successful, which is considered a high percentage. If you have an exposed login API and are under account takeover, then you should expect to see a very high volume of failed logins.
Now, once you identify that this is the case, there are different measures you can take in order to protect your business. In order to protect your customers, even if it’s optional, enable multifactor authentication. Enable it either through an app or through a text message for users who want to increase their security. For retailers and for most consumer-based applications, a mandatory requirement for MFA to fulfill purchases will not come anytime soon. But it will still provide added security for those users who want it.
Once you have looked at the logs and assessed the severity of the situation, you can more reliably assess how sophisticated the bots are and how hard they are hitting your website or web app. This is where I would recommend going to a bot mitigation vendor to help provide automated protection. That will provide more sophisticated and complete protection when looking for behavioral patterns, helping identify humans versus bots, and blocking bad actors.
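Ido's monitoring advice above (watch the login endpoint for a flood of failures far above normal volume, and don't mistake a sale-driven spike of mostly successful logins for an attack) turned into a small detector, as an added example that is not the speakers' or PerimeterX's code. The event fields, the thresholds and the sample login data are assumptions constructed for illustration.

```python
"""Added example, not from the podcast or PerimeterX: turns the signal Ido
describes (a login endpoint at many times its normal volume, dominated by
failed attempts) into a check over login-event logs. Event fields, thresholds
and sample data are assumptions."""
from dataclasses import dataclass

@dataclass(frozen=True)
class LoginEvent:
    source_ip: str
    username: str
    success: bool

@dataclass(frozen=True)
class WindowStats:
    total: int
    failures: int

    @property
    def failure_share(self) -> float:
        return self.failures / self.total if self.total else 0.0

def summarize(events: list) -> WindowStats:
    """Aggregate one time window of login events into the counters we alert on."""
    return WindowStats(len(events), sum(not e.success for e in events))

def stuffing_indicators(stats: WindowStats, baseline_total: int,
                        min_failure_share: float = 0.9, volume_multiplier: float = 5.0) -> list:
    """Reasons a window looks like credential stuffing (empty if none). Legitimate
    users log in once and succeed, so the tell is a window far above normal
    volume that is dominated by failures."""
    reasons = []
    if stats.total >= volume_multiplier * baseline_total:
        reasons.append(f"volume {stats.total} >= {volume_multiplier}x baseline {baseline_total}")
    if stats.total and stats.failure_share >= min_failure_share:
        reasons.append(f"failure share {stats.failure_share:.1%} >= {min_failure_share:.0%}")
    return reasons

def is_credential_stuffing(stats: WindowStats, baseline_total: int) -> bool:
    """Require both signals: a sale spike is high volume but mostly successful;
    a few typos on a quiet night are mostly failures but low volume."""
    return len(stuffing_indicators(stats, baseline_total)) == 2

def constructed_window(human_logins: int, bot_attempts: int, bot_success_every: int) -> list:
    """Constructed sample data: each human logs in once and one in twenty fails;
    bots replay a leaked list from many addresses and rarely hit."""
    events = [LoginEvent(f"203.0.113.{i % 200}", f"user{i}", i % 20 != 0)
              for i in range(human_logins)]
    events += [LoginEvent(f"198.51.100.{i % 250}", f"leaked{i}", i % bot_success_every == 0)
               for i in range(bot_attempts)]
    return events
```

Feed `summarize` the events of each monitoring window and keep `baseline_total` at the typical human login count for that window; a window that trips both indicators is the pattern to investigate.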
For more information on account takeover attacks, visit our threat information page.