Twin terrors: The rising threat of credential stuffing and account takeovers

Byron Acohido 15 Oct 2019

Darknet tandem takes full advantage of Big Data, high-velocity software, and automation

A pair of malicious activities have become a stunning example of digital transformation – unfortunately on the darknet.

Credential stuffing and account takeovers – which take full advantage of Big Data, high-velocity software, and automation – inundated the internet in massive surges in 2018 and the first half of 2019, according to multiple reports.

Credential stuffing is one of the simplest cybercriminal exploits, a favorite among hackers. Using this technique, the criminal collects your leaked credentials (usually stolen in a data breach) and then applies them to a host of other accounts, hoping they unlock more. If you’re like the majority of users out there, you reuse credentials. Hackers count on it.

A new breed of credential stuffing software programs allows people with little to no computer skills to check the log-in credentials of millions of users against hundreds of websites and online services such as Netflix and Spotify in a matter of minutes. The sophistication level of these cyberthreats is increasing, and there’s an ominous consensus gelling in the cybersecurity community that the worst is yet to come.

“We’ve observed significant growth in credential stuffing and account takeovers for several years. It’s hard to see a short-term change that would slow attempts by attackers,” Patrick Sullivan, Akamai’s senior director of security strategy, told me. “Significant changes to authentication models may be required to alter the growth trajectory of these attacks.”

In terms of wreaking havoc, credential stuffing and account takeovers are just getting warmed up. Here are a few important things everyone should understand about these twin emerging threats.

New way to buy and sell 

In late 2014 and early 2015, dark web storefronts suddenly caught fire. New e-commerce platforms, modeled on the merchant services of eBay and Amazon, started to gain serious traction in the cyber underground. 

Almost overnight, the old ways of darknet commerce, in which buyers and sellers negotiated and executed deals on a peer-to-peer basis, became obsolete. A Recorded Future report describes what unfolded: “With the advent of automated shops, the need for manual engagement was eliminated and the business of compromised accounts fully transitioned from peer-to-peer dealings to a much more democratized, open-to-everyone enterprise.” In short, the new dark web storefronts enabled criminal business models to form. 

Enter bots and botnets. A bot is a compromised computing node running a small piece of code that makes it obey instructions from a command-and-control server. A botnet is a network of thousands upon thousands of such bots under the control of a single attacker.

Botnets factored into the plundering of personal data from the likes of Capital One, Marriott and Equifax. In prior years, marquee financial institutions, healthcare firms, media companies, tech giants and government agencies likewise disclosed major data breaches aided and abetted by botnets.

Thanks to botnets, if you’ve ever patronized any of the hacked enterprises, your personal data, including your favorite usernames and passwords, has probably been stolen several times over. Rapid7 estimates that there are upwards of 1.5 billion stolen username and password pairs circulating in the darknet.

Threat actors are always innovating fresh ways to monetize stolen usernames and passwords. So when the new storefronts came along, automation and scaling up of the distribution of account credentials quickly followed.

What emerged was a full-blown ecosystem to support the monetizing of stolen credentials. 

New life for botnets

Of course, botnets continue to be the engine that drives all manner of online criminal activity. The rise of darknet storefronts – and the escalation of credential stuffing and account takeovers – has breathed new life into them.

Many botnets have been repurposed to concentrate on injecting stolen logins, acquired in bulk at the new storefronts, into targeted websites. Botnets are perfectly suited to do this non-stop, 24x7, until a match is found, and unauthorized access is gained.

In 2018, Akamai observed an average of more than 100 million bogus sign-on attempts every day, including three peak days where credential stuffing attempts topped 250 million – some 30 billion all told for the year. The attacks targeted a range of sectors, from media and entertainment to retail and gaming. 

Akamai’s Sullivan points out that three converging drivers are behind the intensification of credential stuffing and account takeovers.

First, he noted, consumers are fond of reusing usernames and passwords across multiple sites. Second, hundreds of millions of stolen logins, including older ones pilfered in breaches years ago, remain readily available, and may still have criminal value. Finally, today it takes minimal tech know-how to obtain and use low-cost credential stuffing tools and services, including off-the-shelf infrastructure. 

“Like much of the criminal ecosystem, as well as legitimate business, there is evidence of specialization taking place,” Sullivan says. 

Nimble attack tools

Digital transformation is said to be all about the rapid development of nimble, high-functionality software – a description that fits credential stuffing and account takeover software. For instance, a very popular cracking tool called STORM is distributed free on several forums. It’s a credential stuffing tool that also detects and disables any anti-malware mechanisms the website owner might have in place. Another popular all-in-one tool, called SNIPR, makes it child’s play to aim a credential stuffing campaign against gaming networks and video-streaming services. Yet another, Sentry MBA, is designed to defeat CAPTCHA challenges, as well as get around two-factor authentication.

For some attacks, threat actors use a toned-down tactic, called “password spraying.” To avoid triggering hard limits put on the number of log-on attempts, the attackers direct a comparatively low number of login tries at the targeted server, methodically combining known company usernames with weak passwords, in spray bursts, until they get a match. 
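The two patterns described above look different to a defender: a botnet replaying bulk stolen logins produces a burst of one-try-per-account attempts, while password spraying stays below lockout limits by touching many accounts slowly. The following is an added example (not code from the article or any vendor named in it) that runs a per-source classifier over constructed authentication events; the thresholds are illustrative assumptions, not figures from the article.

```python
# Added example: classify per-source login activity as credential stuffing
# (high-rate, one try per account) or password spraying (low-rate, at most a
# couple of tries per account, many accounts). Thresholds are assumptions.
from collections import defaultdict


def build_sample_log():
    """Constructed auth events: (epoch_seconds, src_ip, username, result)."""
    ev = [(1000, "198.51.100.7", "alice", "FAIL"),      # ordinary user typo
          (1030, "198.51.100.7", "alice", "SUCCESS")]
    # Stuffing bot: 120 leaked pairs replayed within 60 s; 3 are still valid.
    for i in range(120):
        ev.append((2000 + i // 2, "203.0.113.5", f"user{i:03d}",
                   "SUCCESS" if i % 40 == 0 else "FAIL"))
    # Sprayer: 30 accounts, one guess each, one guess every 6 minutes.
    for i in range(30):
        ev.append((5000 + i * 360, "192.0.2.9", f"emp{i:02d}", "FAIL"))
    return ev


def classify_sources(events, min_accounts=20, max_tries_per_account=2,
                     stuffing_rate_per_min=10.0):
    """Return {src_ip: finding} for sources matching either pattern."""
    per_ip = defaultdict(list)
    for ts, ip, user, result in events:
        per_ip[ip].append((ts, user, result))
    findings = {}
    for ip, rows in per_ip.items():
        tries = defaultdict(int)
        for _, user, _ in rows:
            tries[user] += 1
        # Many distinct accounts with few tries each is the shared signature;
        # normal users (and single-account brute force) fall out here.
        if len(tries) < min_accounts or max(tries.values()) > max_tries_per_account:
            continue
        span = max(r[0] for r in rows) - min(r[0] for r in rows)
        rate = len(rows) / max(span, 1) * 60          # attempts per minute
        label = ("credential_stuffing" if rate >= stuffing_rate_per_min
                 else "password_spraying")
        findings[ip] = {
            "label": label,
            "attempts": len(rows),
            "accounts": len(tries),
            "rate_per_min": round(rate, 1),
            # Successes from a flagged source are takeover candidates that
            # should be forced through re-authentication or a reset.
            "compromised": sorted(u for _, u, r in rows if r == "SUCCESS"),
        }
    return findings


if __name__ == "__main__":
    for ip, f in classify_sources(build_sample_log()).items():
        print(ip, f)
```

The rate threshold separates the two labels; a real deployment would tune it per application and correlate across sources, since a distributed botnet spreads the burst over many IPs.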

Examples of attacks on companies

The Florida-based software firm Citrix lost sensitive business documents in just such a hack. Citrix didn’t know its server had been breached until notified by the FBI, which did not disclose how it learned of the attack.

HSBC publicly disclosed that it was the target of a major credential stuffing attack, which forced it to suspend the online accounts of an undisclosed number of bank patrons. French video hosting company DailyMotion had to shut down its website temporarily due to a massive credential stuffing attack. Users of the news-sharing website Reddit found themselves locked out of their accounts while hackers stole their data. And the Dunkin’ Donuts chain was shaken by two major credential stuffing attacks in three months.

Compliant victims

There have been numerous other disclosed credential stuffing hacks. A glimpse of the dynamic nature of such attacks comes from Akamai’s report. In early February some 620 million usernames, passwords, and other records – pilfered from 16 organizations – went up for sale on the darknet. 

From the attackers’ perspective, the investment of resources is nominal and the risk of getting caught minimal. Meanwhile, the money to be made is ample because victims are unprotected.

According to the Verizon Data Breach Investigations Report, over 70% of employees reuse passwords at work, even as some 81% of hacking-related breaches pivoted off either a stolen or weak password. Research done by Digital Shadows, meanwhile, finds that one password can crack dozens of accounts owned by the same person.

Yet it requires only a small cash stake for anyone with criminal intent to get into the credential stuffing business. Powerful all-in-one tools, like STORM and Sentry MBA, are free. Purchasing a large dataset of stolen credentials and leasing a botnet to run a stuffing campaign can run from under $1,000 to a few thousand dollars, depending on how extensive an attack you want to sponsor.

For instance, all of the data, tools and services required to inject 3.8 million logins into targeted websites can be purchased by anyone for $2,999, according to Digital Shadows. And a comparatively small-scale attack testing 100,000 logins over the course of one week can be launched by anyone for $550, according to Recorded Future.

Recorded Future’s report assumes a conservative success rate of 2.5%, that is, the share of the 100,000 stuffing attempts that actually open live accounts on websites like Amazon, PayPal, eBay, Expedia, Airbnb and FedEx. On that basis, the gross payoff would be $19,000.

What lies ahead

That’s just at the ground level. To make this ecosystem work, someone is paying the ground floor credential stuffer anywhere from 50 cents to $3 for a validated login. These next-tier threat actors are the ones who are actually using the validated logins to take over accounts. 

At the moment, valid logins for banking, retailing, gaming and media entertainment websites are in high demand, according to Akamai. Account takeovers provide the basis for committing various types of account fraud, while also giving the attacker a toehold to potentially hack deeper into the website.

There is also another new type of malicious activity enabled by account takeovers. It involves manipulating the business logic of customer-facing applications. Airlines, for instance, are in a continual battle against a variant of this type of account takeover, called “seat spinning.” Here the attacker, logged on as a valid customer, places a ticket on hold in a shopping cart as if buying it, but does not complete the purchase until that ticket has been resold for a higher price through another service.

One way to choke off credential stuffing and account takeovers would be for individuals to improve their password security habits and companies to replace passwords altogether, with a robust form of identity verification. But that’s not likely to happen right away. Talk more soon.
