This week’s message for Cybersecurity Awareness Month is about fighting phishing attacks — stopping cybercriminals from tricking people into exposing their usernames, passwords and other personal information. Many of today’s digital consumers are aware of criminal hackers and able to spot their bogus text and email baiting tactics. But they may not know how bots are using last year’s phished usernames and passwords in this year’s account takeover (ATO) attacks.
Nowadays, cybercriminals don’t need to go phishing to catch user credentials; they can buy thousands of them on the dark web with just a few dollars. E-commerce sites can expect $5.4 trillion in e-retail revenues globally next year — and purchasing stolen credentials is an easy way for cybercriminals to get in on the action.
The low barrier to entry of credential stuffing and ATO attacks makes them the perfect vehicle for automated fraud. Bot attacks were up 41% in the first half of 2021, and they’re showing no signs of slowing down. Here’s how malicious hackers steal your credentials and gain unauthorized access to user accounts, so you can fight this second generation of phishing.
Phishing is only one form of data theft
Phishing is just one way that cybercriminals can steal credentials. Other methods include social engineering, PII harvesting and formjacking. Social engineering is the umbrella term for the use of deception to obtain credentials; examples include vishing, baiting, scareware and spear phishing.
PII harvesting and formjacking are sneakier. Instead of relying on manipulation tactics, cybercriminals insert malicious scripts into vulnerable code to do the dirty work for them. These scripts send the personal information entered into payment forms to criminal hackers to sell on the dark web or use for their own nefarious purposes.
Bots don’t need to go phishing to catch credentials
Hackers have gathered 15 billion usernames and passwords and put them up for sale on the dark web, sometimes offering several billion for as little as $2. Using this information, bad actors can launch a credential stuffing attack, unleashing an army of bots to test username and password combinations by attempting logins across popular websites. They end up with a list of validated credentials, which they can use to steal assets, make fraudulent purchases or sell to others for a profit.
Credential stuffing bypasses the human vulnerabilities that social engineering and phishing ploys must count on to steal user credentials. Unlike brute-force attacks that start by guessing logins from square one, credential stuffing starts off with known usernames and passwords that people have used. This increases hackers’ odds of success and shrinks the time it takes to confirm and gain control of user accounts. Together, these factors make credential stuffing the perfect vehicle for automated fraud.
Hook, line and sinker
With validated credentials, cybercriminals can take unauthorized ownership of accounts and gain access to all that lies therein. This includes money, gift cards, loyalty points, and airline miles, to name a few examples. Cybercriminals can transfer the assets to their own accounts or use them to make fraudulent purchases.
Account takeover attacks can wreak havoc on any digital business. With a major attack, you can expect chargebacks, damage to brand reputation and consumer trust, lower stock value and revenue loss for years to come.
CAPTCHAs don’t keep all the bots out
Many website owners have responded to the threat of credential stuffing by using legacy systems like CAPTCHAs to block bots. Designed to distinguish humans from bots, CAPTCHAs appear on login and transaction pages and present a challenge that, in theory, only humans can solve. Visitors who fail the test are blocked from logging into accounts or completing transactions.
Unfortunately, CAPTCHA-solving bots and farms are becoming increasingly widespread. Technology developers have designed even harder CAPTCHA tests, but these only serve to frustrate human users and reduce customer conversion rates.
How to stop the next generation of phishing
You can choose not to respond to a bogus email or click on a phishy link, but it’s harder for individuals to identify and stop hidden attacks like PII harvesting and credential stuffing. So, let software do it for you.
Enter behavioral web app protection. Leveraging a combination of intelligent fingerprinting, pattern recognition and predictive analytics, this software accurately detects and mitigates bot behavior on web and mobile applications, websites and APIs.
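As an added illustration of the pattern-recognition side of this (example code written for this page, not any vendor's product), the script below runs over a few constructed login log lines and separates a credential-stuffing source (many different usernames, each tried about once, mostly failing) from a brute-force source (one username hammered repeatedly) and from an ordinary user who mistyped a password. It also lists the accounts that the stuffing source managed to validate, since those are the credentials the article describes being sold or used next. The thresholds and log format are assumptions.

```python
from collections import defaultdict

# Constructed sample login log lines: timestamp, source IP, username, result.
LOG_LINES = [
    "2021-10-05T10:00:01 203.0.113.9 alice FAIL",
    "2021-10-05T10:00:02 203.0.113.9 bob FAIL",
    "2021-10-05T10:00:02 203.0.113.9 carol OK",
    "2021-10-05T10:00:03 203.0.113.9 dave FAIL",
    "2021-10-05T10:00:03 203.0.113.9 erin FAIL",
    "2021-10-05T10:00:20 198.51.100.7 alice FAIL",
    "2021-10-05T10:00:21 198.51.100.7 alice FAIL",
    "2021-10-05T10:00:22 198.51.100.7 alice FAIL",
    "2021-10-05T10:00:23 198.51.100.7 alice FAIL",
    "2021-10-05T10:00:24 198.51.100.7 alice FAIL",
    "2021-10-05T10:05:00 192.0.2.44 grace FAIL",
    "2021-10-05T10:05:09 192.0.2.44 grace OK",
]

def parse(line):
    """Split one log line into (ip, username, succeeded)."""
    _ts, ip, user, result = line.split()
    return ip, user, result == "OK"

def classify_sources(lines, min_attempts=5, max_normal_fail=0.5, min_distinct=0.8):
    """Label each source IP 'credential_stuffing', 'brute_force' or 'normal'.
    Thresholds are assumed starting points. Key signal is the username mix: a stuffing
    bot tries each leaked pair once (mostly new usernames); brute force hammers one."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set()})
    for line in lines:
        ip, user, ok = parse(line)
        stats[ip]["attempts"] += 1
        stats[ip]["fails"] += 0 if ok else 1
        stats[ip]["users"].add(user)
    labels = {}
    for ip, s in stats.items():
        fail_ratio = s["fails"] / s["attempts"]
        distinct_frac = len(s["users"]) / s["attempts"]
        if s["attempts"] < min_attempts or fail_ratio <= max_normal_fail:
            labels[ip] = "normal"
        elif distinct_frac >= min_distinct:
            labels[ip] = "credential_stuffing"
        else:
            labels[ip] = "brute_force"
    return labels

def validated_accounts(lines, labels):
    """Usernames that logged in successfully from a flagged source; the attacker
    has now confirmed those credentials, so those accounts need a forced reset."""
    return {user for ip, user, ok in map(parse, lines)
            if ok and labels.get(ip) != "normal"}
```

Real stuffing traffic is usually spread across many proxy addresses, which is why the article's fingerprinting matters: in production the same counters would be keyed on a device or session fingerprint rather than a bare IP.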
Next, it’s time for a CAPTCHA alternative that doesn’t add friction and frustration to the user experience. Effective human verification solutions ease human access to your web applications while stopping bots in their tracks. As a part of a complete behavioral monitoring solution, human verification can easily distinguish bots from human users.
In order to really fight the phish, you need to combat all stages of the attack. This means educating people on all types of social engineering attacks and maintaining a robust security infrastructure. Establish a series of security checkpoints during website development and after deployment, and enable layered protection against cyberthreats to stop attackers at every turn.