General Motors (GM) recently announced that it had suffered a cyberattack in April 2022 that exposed some customers' information and allowed fraudsters to redeem reward points in exchange for gift cards. But unlike other high profile breaches, this one wasn’t actually caused by GM getting hacked. Instead, GM was the victim of a credential stuffing attack.
Wait, what is credential stuffing?
Credential stuffing attacks are when cybercriminals use stolen credentials from a previous data breach to gain access to user accounts. Since 66% of people reuse passwords, it’s likely that the credentials stolen from a previous data breach on Site A will work to access an account on Site B — in this case the GM site. Attackers know that passwords are often reused, so they use bots to rapidly test stolen credentials across popular sites. If the bots successfully login, they have a winner!
Once fraudsters identify a valid username and password pair, they can use the credentials to log into — and take over — legitimate accounts. Because the credentials are accurate, there’s a good chance they will get into the accounts without any problems. And since most websites don’t have security checks post-login, the fraudster is free to navigate through and abuse the account, no questions asked.
According to the 2022 Verizon Data Breach Investigations Report (DBIR), there are four key entry points to your digital estate. Credentials are the clear number one, accounting for more breaches than the other three — phishing, exploiting vulnerabilities and botnets — combined. In fact, 67% of basic web application attacks last year involved the use of stolen credentials.
Back to GM
This is precisely what happened at GM. According to the company, “There is no evidence that the login information was obtained from GM itself. We believe that unauthorized parties gained access to customer login credentials that were previously compromised on other non-GM sites and then reused those credentials on the customer's GM account."
But that doesn’t mean GM is off the hook. When bad actors fraudulently logged into the accounts, they had access to the value stored within it — i.e., reward points — as well as users’ personal information, including name, email address, mailing address, profile picture, saved locations, search and destination information, car mileage history, service history, emergency contacts and Wi-Fi hotspot settings.
How much of that information was captured has yet to be determined. What we do know is that the fraudsters redeemed some users’ reward points for gift cards. GM stated that it will be restoring all stolen reward points and recommended that customers check their credit reports and place a security freeze if necessary. The company is also requiring all affected users to reset their passwords. One way or another, this incident has a cost to GM: restored reward points, user support costs, consumer trust and perhaps, reputation.
Credential stuffing on my mind
Here at PerimeterX, credential stuffing attacks are something we think about every day. We are committed to protecting our customers from all types of automated fraud, including credential stuffing. And according to the Forrester Wave™: Bot Management, Q2 2022, we’re pretty great at it.
PerimeterX Bot Defender detects malicious bots and stops real-time automated attacks, including credential stuffing. PerimeterX Credential Intelligence provides an early warning system that flags and prevents the use of stolen usernames and passwords that are known to be actively in use in real-world attacks. But while this layered defense approach is critical and necessary, it is also important to account for the human element — something the Verizon DBIR found was involved in 82% of breaches.
It is no longer enough for websites and mobile apps to rely solely on authentication. Although it is an important barrier for protecting an account, a user is not necessarily legitimate just because they used valid credentials to authenticate. It is still necessary to use behavioral signals and evaluate their actions post-login to ensure the person is who they say they are and that the actions they are taking are legitimate
GM and the web attack lifecycle
Today’s cyberattacks are integrated and cyclical. A data breach on one site fuels credential stuffing attacks in numerous other sites, which in turn, fuel account takeovers and fraud. This web attack lifecycle is ongoing, and GM found itself caught in the middle. But simply restoring the reward points and forcing password resets won’t stop the cycle attacks. Without post-login security checks, all bad actors need is to validate credentials on another site — and there are more than 15 billion stolen credentials and 1.9 billion websites to choose from.
Businesses need to secure the user journey after login and before completing a transaction such as checkout — what we call the post-login wasteland. By analyzing users’ profiles, statistical comparisons and new activity, website owners can determine if an authenticated user is legitimate. They can then decide whether to allow or prevent users from completing an action, such as changing a password or a ship-to location, disabling multi-factor authentication (MFA) or depleting an account of reward points, airline miles, gift card balances, cryptocurrency or other stored value. Post-login safeguards are necessary to prevent fraud and maintain consumer trust.
Don’t drive blind
It’s easy to miss all that is happening in the cybersecurity space. Sign up for the PerimeterX monthly newsletter to get the insights in your inbox. And watch this space to learn more about what PerimeterX is doing to help businesses detect and prevent cybercriminals from using stolen credentials to take over their customers’ accounts.
In the meantime, everyone, let’s learn from the attack on GM: take the time to change your passwords and strive to use a different password for each site. This simple action — like fastening your seatbelt every time you get in a motor vehicle — is a good first step to keeping your identity and accounts safe.