Viewpoints

Credential stuffing fuels turmoil in U.S. elections, Covid-19 relief

Byron Acohido, 16 September 2020

Automated cyberattacks are torching trust in several local systems that we depend on

What do wildfires and credential stuffing have in common?

For several years now, both have flared up and caused harm at the fringes of population centers and our digital economy. And, now, in 2020, both have escalated to catastrophic proportions.

Just after Labor Day, dried out trees and shrubs combined with high winds to erupt into massive wildfires that swiftly engulfed rural towns and even suburban areas of California, Oregon, Washington and several other states. Millions of acres of land got consumed, hundreds of thousands of people were evacuated and dozens lost their lives.

Meanwhile, all year long and continuing through the fall, opportunistic cybercriminals have launched wave after wave of automated credential stuffing campaigns. These bad actors are wreaking havoc in two arenas: Stealing Covid-19 relief payments on a massive scale as well as meddling, once again, in the election of a U.S. president.

The wildfires eventually subsided with calmer, damper meteorological conditions. However, massive surges of credential stuffing have persisted, fueled by a seemingly endless supply of already stolen, or easy-to-steal, personal information along with the wide availability of sophisticated hacking tools.

It behooves us all to pay much closer attention to credential stuffing. After all, neither Covid-19 nor the results of the November presidential elections are expected to be completely resolved for months more to come. Here are a few vital things all consumers, company executives and political leaders should understand about coming waves of credential stuffing.

The scaling up of election meddling

Credential stuffing is a type of advanced brute force hacking. It involves the use of software automation to insert stolen usernames and passwords into web page forms, at scale, until the attacker gains access to a targeted account. A Sept. 10 report from Microsoft details how hacking groups backed by Russia, China and Iran have aimed such attacks against hundreds of organizations involved in both the 2020 presidential race and U.S.-European policy debates.

Further reading: An elections security progress report: Black Hat edition

One Russian hacking group, known as Strontium, aka Fancy Bear, is notable having been identified in the Mueller report as the crew that used a simple phishing ruse back in 2016 to trick John Podesta, then Hillary Clinton’s campaign chairman, into divulging his email username and password. Russia then used Podesta’s credentials to steal and then leak Clinton’s emails – and thus influence the election of Donald Trump.

As a public service, Microsoft has been tracking how Strontium has relentlessly carried on and is seeking to gain a similar foothold inside of Joe Biden’s campaign. As you might expect, the Biden campaign progressed to using much more robust spear-phishing defenses. In response, the Strontium crew has pivoted to using leading-edge credential harvesting and credential stuffing tools, disguised several ways.

Microsoft’s analysts, for instance, documented how the Strontium crew has been routing automated attacks through more than 1,000 constantly rotating IP addresses, the better to help avoid detection. The attackers take pains to refresh this pool of addresses each day adding at least 20 new IP addresses and deleting the same number.

Over the past 12 months, Strontium has targeted more than 200 organizations affiliated with the upcoming election, including political consultants from the major parties in both the U.S. and Europe. Thanks to Microsoft’s proactive role in identifying these attacks and alerting the targeted organizations, many of the attacks of been thwarted. Even so, Strontium isn’t backing down – and no one can say for certain whether 100% of its attacks can or will be deflected.

The same can be said about credential stuffing campaigns being carried out by the Chinese crew, known as Zirconium, which continues to try to crack into both the Biden and the Trump campaigns, and by the Iranian-backed hacking group, Phosphorus, which continues to try to get a foothold in a wide variety of targets, presumably to get into position to retaliate for Trump ordering the assassination of Iran’s General Qasem Soleimani earlier this year.

The plundering of well-intentioned relief efforts

Cyber espionage combatants aren’t the only ones leveraging credential stuffing. Garden-variety for-profit hacking groups are escalating their attacks, as well. There have been at least three concerted campaigns to plunder Covid-19 relief programs, the earliest getting a foothold in the state of Washington in early May, the most recent bedeviling California, with attacks spreading across Canada in between.

These attacks began in early. Workers who remained gainfully employed in Seattle-area businesses and universities started getting notices that their applications for unemployment benefits were under review and would be delayed. Since they were never laid off, and had never applied for any benefits, the notices came as a big surprise.

What happened was the an intricately orchestrated credential stuffing campaign. Washington was the hardest hit of at least eight states targeted by a Nigerian crime ring that move aggressively to take full advantage of ripe opportunities presented by the global pandemic. The cyber criminals reacted to $2.2 trillion of federal stimulus money being put into motion, and states suspending the normal week-long waiting period to distribute initial unemployment checks.

The Nigerian ring simply tapped into the ocean of stolen personal data available for cheap or free on the Dark Net, retained the services of criminals operating “botnets for hire” to insert personal information into online forms, at scale, and then activated tried-and-true money laundering systems to route wired payments into accounts they controlled. In roughly two weeks, the Nigerian crew robbed hundreds of millions of dollars of cash earmarked for legitimately out-of-work citizens, also delaying checks from reaching many laid off workers who legitimately needed the money.

It's totally understandable that government officials skewed toward lax authentication in getting Covid-19 relief payments out very quickly and very broadly. The local officials were caught off guard. Since then, the dire need to improve authentication protocols to withstand crisis attack scenarios has been widely acknowledged. The federal government, for instance, has launched login.gov, a centralized service to access relief programs that supports strong authentication practices. However, this tool hasn’t gained much traction, illustrating, once more, how the wheels of government and corporate bureaucracy churn slowly.

Illicit benefit claims proliferate

Indeed, there is no quick fix. No sooner had the state-level attacks by the Nigerian ring died down than another, similar credential stuffing campaign began to take shape. This time the attackers targeted emergency Covid-19 benefits dispensed under Canada’s Emergency Response Benefit and Emergency Student Benefit programs.

In mid-August, the Canada Revenue Agency was slammed by two attacks, in which stolen usernames and passwords got stuffed into more than 9,000 accounts -- the attackers were able to compromise more than 5,500 of them, a phenomenal 63 percent success rate. Many victims reported that the direct deposit information associated with their accounts got altered and that CERB payments had been issued in their name even though they never applied for any Covid-19 aid.

Then in early September, California lawmakers began hearing from their constituents about oddities occurring with their claims for jobless benefits made through that state’s Employment Development Department. Fresno assemblyman Jim Patterson heard from a resident whose 19-year-old son had his EDD account hacked. The attackers succeeding in accessing the young man’s account to change the mailing address and divert $14,876 of his jobless benefits into their hands.

“Over the years, various data breaches ended up exposing key personal information about U.S. citizens,” says Mounir Hahad, head of the Juniper Threat Labs at Juniper Networks. “The availability of this data, combined with a relatively low barrier to request pandemic-related financial help from some states, has made it very attractive to fraudsters to file illegitimate claims. At the very least, the government should enlist the help of the private cyber security industry to put in place mechanisms to help identify fraud attempts and curtail them.”

I agree. Credential stuffing campaigns will only continue to torch trust in the core systems we need to be able to rely on in order to help us get past this global pandemic as well as to democratically elect a president. There are plenty of free and low-cost security tools that can and should be brought to bear by state and local agencies dispensing Covid-19 aid and carrying out elections. And individual citizens have a responsibility to act as well. We can give up some convenience in favor of more proactively controlling our online privacy and reducing our digital footprints. There’s a lot at stake. Companies and individuals must work together to douse credential stuffing. I believe we can do it. I’ll keep watch.