Can You Crack the Hack?


Let’s play a game. Below are clues describing a specific
type of cyberattack; can you guess what it is?

  • This cyberattack is an automated bot-based attack
  • It uses automation tools such as cURL and PhantomJS
  • It leverages breached usernames and passwords
  • Its primary goal is to hijack accounts to access sensitive data, but denial of service is another consequence
  • The financial services industry has been the primary target

Struggling? We understand, it’s tricky! Here are two more
clues:

  • Hackers will often route login requests through
    proxy servers to avoid blacklisting their IP addresses
  • It is a subset of Brute Force attacks, but
    different from credential cracking 

And the Answer Is….

Credential stuffing! If you didn’t guess correctly, don’t
worry. You certainly aren’t alone. At this year’s RSA
Conference, Radware invited attendees to participate
in a #HackerChallenge. Participants were given clues and asked to diagnose
threats. While most were able to surmise two other cyber threats, credential stuffing stumped the majority.


Understandably so. For one, events are happening at a breakneck pace. In the last few months alone, there have been several high-profile incidents involving different password attacks, from credential stuffing to credential spraying. It is entirely possible that people are conflating the terms and, with them, the attack vectors. Likewise, they may confuse credential stuffing with credential cracking.

Stuffing vs. Cracking vs. Spraying

As we have previously written, credential stuffing is a subset of brute force attacks but is different from credential cracking. Credential stuffing campaigns do not brute force password combinations. Rather, they replay leaked username and password pairs, in an automated fashion, against numerous websites and take over whichever accounts reuse the same credentials.

Conversely, credential cracking is an automated web attack in which criminals attempt to recover a user's password or PIN by working through possible character combinations in sequence, or by mutating a list of candidate values, until the attacker is successfully authenticated. Because every guess is aimed at the same account, these attacks are only practical when the application enforces no lockout policy, and no rate limit, on failed login attempts against a single account.


As for credential (or password) spraying, this technique uses a small set of likely passwords (seasonal, default or company-specific ones) in login attempts against a long list of known usernames, typically one or two guesses per account. When conducting these attacks, advanced cybercriminals will typically scan your infrastructure for external-facing apps and network services such as webmail, SSO and VPN gateways. Usually, these interfaces lock an account after a handful of failed attempts. Actors use password spraying rather than per-account brute force to stay under that lockout threshold and avoid alerting admins.
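The three definitions above differ in the shape of the failed logins they leave behind: cracking is many different guesses at one account, spraying is a few passwords tried across many accounts, and stuffing is a different leaked password for each account, usually tried once. The Python triage script below is added here as an illustration; it is not part of the original post and not Radware product logic. It classifies a window of constructed login-failure log lines by that shape. It assumes the login telemetry records a truncated hash of the submitted password (the pw field) so that password reuse across accounts is visible without logging plaintext; the log format, the thresholds and the sample data are all assumptions.

```python
import hashlib
import re
from collections import defaultdict

# Constructed log format for this example. The pw field is the first 8 hex
# characters of a hash of the submitted password, never the plaintext; that
# such a hash is logged at all is an assumption about the login telemetry.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"pw=(?P<pw>[0-9a-f]{8}) result=(?P<result>OK|FAIL)$"
)

# Assumed thresholds; tune them to the site's normal failed-login volume.
CRACK_MIN_FAILS = 20       # failures against a single account ...
CRACK_MIN_PWS = 10         # ... with at least this many distinct guesses
HORIZ_MIN_USERS = 10       # accounts hit before a horizontal attack is called
SPRAY_MAX_PW_RATIO = 0.2   # distinct passwords / distinct accounts (spraying)
STUFF_MIN_PW_RATIO = 0.8   # distinct passwords / distinct accounts (stuffing)
STUFF_MAX_PER_USER = 2     # stuffing tries each leaked pair once or twice


def parse(lines):
    """Parse log lines into dicts, skipping lines that do not match."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify(lines):
    """Classify one window of login failures.

    Returns {'cracking': [accounts], 'spraying': bool, 'stuffing': bool,
    'sources': set of source IPs behind the flagged activity}.
    Failures are aggregated site-wide rather than per source IP because
    stuffing traffic is routed through proxies that dilute per-IP counts.
    """
    fails = [e for e in parse(lines) if e["result"] == "FAIL"]
    by_user = defaultdict(list)
    for e in fails:
        by_user[e["user"]].append(e)

    findings = {"cracking": [], "spraying": False, "stuffing": False,
                "sources": set()}

    # Vertical attack (credential cracking): many distinct guesses at one account.
    for user, evs in by_user.items():
        if (len(evs) >= CRACK_MIN_FAILS
                and len({e["pw"] for e in evs}) >= CRACK_MIN_PWS):
            findings["cracking"].append(user)
            findings["sources"].update(e["src"] for e in evs)

    # Horizontal attacks: look at the shape of the remaining failures.
    rest = {u: evs for u, evs in by_user.items()
            if u not in findings["cracking"]}
    if len(rest) >= HORIZ_MIN_USERS:
        distinct_pws = {e["pw"] for evs in rest.values() for e in evs}
        ratio = len(distinct_pws) / len(rest)
        per_user_max = max(len(evs) for evs in rest.values())
        if ratio <= SPRAY_MAX_PW_RATIO:
            findings["spraying"] = True      # few passwords, many accounts
        elif ratio >= STUFF_MIN_PW_RATIO and per_user_max <= STUFF_MAX_PER_USER:
            findings["stuffing"] = True      # one leaked pair per account
        if findings["spraying"] or findings["stuffing"]:
            findings["sources"].update(
                e["src"] for evs in rest.values() for e in evs)
    return findings


def _h(password):
    """Truncated hash used only to build the constructed sample logs."""
    return hashlib.sha256(password.encode()).hexdigest()[:8]


def sample_cracking():
    """Constructed: 25 different guesses at one account from one source."""
    return [f"2019-03-01T10:00:{i:02d}Z src=198.51.100.7 user=alice "
            f"pw={_h('guess' + str(i))} result=FAIL" for i in range(25)]


def sample_spraying():
    """Constructed: two passwords tried once against each of 30 accounts."""
    lines = []
    for i in range(30):
        for pw in ("Spring2019!", "Welcome1"):
            lines.append(f"2019-03-01T11:{i:02d}:00Z src=203.0.113.{i % 3 + 1} "
                         f"user=user{i} pw={_h(pw)} result=FAIL")
    return lines


def sample_stuffing():
    """Constructed: 40 accounts, a different leaked password each, tried
    once, every request arriving from a different proxy address."""
    return [f"2019-03-01T12:00:{i:02d}Z src=192.0.2.{i} user=victim{i} "
            f"pw={_h('leaked' + str(i))} result=FAIL" for i in range(40)]


def sample_benign():
    """Constructed: one user mistyping their own password a few times."""
    return [f"2019-03-01T13:00:{i:02d}Z src=203.0.113.50 user=bob "
            f"pw={_h('typo' + str(i))} result=FAIL" for i in range(3)]


if __name__ == "__main__":
    for name, logs in (("cracking", sample_cracking()), ("spraying", sample_spraying()),
                       ("stuffing", sample_stuffing()), ("benign", sample_benign())):
        print(name, classify(logs))
```

The password-hash ratio is what separates spraying from stuffing; with ordinary logs that carry only username, source and result, the script can still separate a vertical attack from a horizontal one, but the two horizontal patterns look identical.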

So What Can You Do?

A dedicated bot management solution that is tightly integrated into your Web Application Firewall (WAF) is critical. Device fingerprinting, CAPTCHA, IP rate-based detection, in-session detection and termination, and JavaScript challenges are also important.
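As an added example, which is neither the page's nor Radware's code, the gate below shows why the controls above are layered rather than left to a lockout policy alone: a per-account lockout stops credential cracking, but spraying and stuffing never trip it, so the gate also counts distinct accounts failing per source and site-wide, and answers those with a challenge instead of a lock, which is what keeps an attacker from locking real users out. The thresholds, window sizes and the constructed traffic are assumptions; the check runs before the password is verified and on a caller-supplied clock in seconds.

```python
from collections import defaultdict, deque


class LoginGate:
    """Layered pre-authentication checks for a login endpoint.

    check() returns ALLOW (go on to verify the password), CHALLENGE (serve a
    CAPTCHA or JavaScript challenge first) or LOCKED (account temporarily
    locked). Thresholds and windows (seconds on a caller-supplied clock) are
    assumed values for this example.
    """
    ACCOUNT_LOCK_FAILS = 5   # failures per account within ACCOUNT_WINDOW -> LOCKED
    ACCOUNT_WINDOW = 900
    SOURCE_USERS = 5         # distinct failed accounts per source -> CHALLENGE
    SOURCE_WINDOW = 300
    GLOBAL_USERS = 50        # distinct failed accounts site-wide -> CHALLENGE all
    GLOBAL_WINDOW = 60

    def __init__(self):
        self.account_fails = defaultdict(deque)  # user -> [ts, ...]
        self.source_fails = defaultdict(deque)   # src  -> [(ts, user), ...]
        self.global_fails = deque()              # [(ts, user), ...]

    @staticmethod
    def _expire(dq, now, window, ts_of=lambda x: x):
        """Drop entries older than the sliding window."""
        while dq and ts_of(dq[0]) < now - window:
            dq.popleft()

    def check(self, now, src, user):
        """Decide what to do with an attempt before the password is verified."""
        # 1. Per-account lockout: stops credential cracking (vertical).
        acct = self.account_fails[user]
        self._expire(acct, now, self.ACCOUNT_WINDOW)
        if len(acct) >= self.ACCOUNT_LOCK_FAILS:
            return "LOCKED"
        # 2. Per-source breadth: one IP failing against many accounts is
        #    spraying or un-proxied stuffing. Challenge rather than lock, so
        #    the attacker cannot lock real users out (the denial-of-service
        #    side effect of account lockouts).
        srcq = self.source_fails[src]
        self._expire(srcq, now, self.SOURCE_WINDOW, ts_of=lambda x: x[0])
        if len({u for _, u in srcq}) >= self.SOURCE_USERS:
            return "CHALLENGE"
        # 3. Site-wide breadth: proxied stuffing keeps every IP under the
        #    per-source threshold, so count distinct failing accounts globally.
        self._expire(self.global_fails, now, self.GLOBAL_WINDOW,
                     ts_of=lambda x: x[0])
        if len({u for _, u in self.global_fails}) >= self.GLOBAL_USERS:
            return "CHALLENGE"
        return "ALLOW"

    def record_failure(self, now, src, user):
        """Call after a password check has failed."""
        self.account_fails[user].append(now)
        self.source_fails[src].append((now, user))
        self.global_fails.append((now, user))


def simulate(attempts):
    """Run attempts of (now, src, user), all carrying a wrong password,
    through a fresh gate and return the decision for each."""
    gate = LoginGate()
    decisions = []
    for now, src, user in attempts:
        d = gate.check(now, src, user)
        decisions.append(d)
        if d == "ALLOW":   # only a verified-and-failed attempt is recorded
            gate.record_failure(now, src, user)
    return decisions


# Constructed traffic shapes matching the three attacks described earlier.
def scenario_cracking():
    return simulate((i, "198.51.100.7", "alice") for i in range(8))


def scenario_spraying():
    return simulate((i * 10, "203.0.113.9", f"user{i}") for i in range(8))


def scenario_stuffing():
    return simulate((i, f"192.0.2.{i}", f"victim{i}") for i in range(60))


if __name__ == "__main__":
    print("cracking", scenario_cracking())
    print("spraying", scenario_spraying())
    print("stuffing", scenario_stuffing()[45:55])
```

In the spraying scenario every account sees a single failure, so the lockout never fires and only the per-source breadth check reacts; in the proxied stuffing scenario every request comes from a new address, so only the site-wide counter catches it. Either way the response is a challenge, and a genuine user caught in the wave solves it and logs in rather than finding the account locked.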

In addition to these steps, network operators should apply two-factor authentication wherever it is supported, monitor credential dumps for their users' leaked credentials, and check new or reset passwords against known breach lists so that a reused password is rejected before a stuffing campaign can exploit it.

Read “Radware’s 2018 Web Application Security Report” to learn more.


Daniel Smith

Daniel is the Head of Research for Radware’s Threat Intelligence division. He helps produce actionable intelligence to protect against botnet-related threats by working behind the scenes to identify network and application-based vulnerabilities. Daniel brings over ten years of experience to the Radware Threat Intelligence division. Before joining, Daniel was a member of Radware’s Emergency Response Team (ERT-SOC), where he applied his unique expertise and intimate knowledge of threat actors’ tactics, techniques, and procedures to help develop signatures and mitigate attacks proactively for customers.
