Abstract
Over the last few weeks, Radware has been tracking a credential stuffing campaign targeting the financial industry in the United States and Europe. Credential stuffing is an emerging threat in 2018 that has continued to accelerate over the past month as more breaches occur. Today, a breach doesn’t just impact the compromised organization and its users, but it also affects every other website that the users may use.
Additionally, resetting passwords for a compromised application will only solve the problem locally; criminals are still able to leverage those credentials externally against other applications due to poor user credential hygiene.
Credential stuffing is a subset of brute force attacks but is different from credential cracking. These campaigns do not involve brute forcing password combinations; instead, they leverage leaked usernames and passwords in an automated fashion against numerous websites to hijack user accounts that reuse the same credentials.
Criminals collect and data mine leaked databases and breached accounts for several reasons. Typically cybercriminals will keep this information for future targeted attacks, sell it for profit or exploit it in fraudulent ways.
The current campaign Radware is witnessing is motivated by fraud. Criminals are using credentials from prior data breaches to gain access to users’ bank accounts. These attackers have been seen targeting financial organizations in both the United States and Europe. When significant breaches occur, the compromised emails and passwords are quickly leveraged by cybercriminals. Armed with tens of millions of credentials from recently breached websites, attackers will use these credentials, along with scripts and proxies, to distribute their attack against the financial institution in an attempt to take over banking accounts. These login attempts can happen in such volumes that they resemble a distributed denial-of-service (DDoS) attack.
Attack Methods
Credential Stuffing
Credential stuffing is one of the most commonly used attack vectors by cybercriminals today. It's an automated web injection attack where criminals use a list of breached credentials in an attempt to gain access and take over accounts across different platforms due to poor credential hygiene. Attackers route their login requests through proxy servers so that no single source IP address is blacklisted.
Attackers automate the logins of millions of previously discovered credentials with automation tools like cURL and PhantomJS or tools designed specifically for the attack, like Sentry MBA and SNIPR.
This threat is dangerous to both consumers and organizations due to the ripple effect caused by data breaches. When a company is breached, the compromised credentials will either be used by the attacker or sold to other cybercriminals. Once the credentials reach their final destination, a for-profit criminal will use them to take over user accounts on multiple websites such as social media, banking, and marketplaces. In addition to the threat of fraud and identity theft to the consumer, organizations have to mitigate credential stuffing campaigns that generate high volumes of login requests, consuming resources and bandwidth in the process.
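The traffic shape described above (many distinct leaked usernames, each tried once or twice, spread across many proxy IPs so that a per-IP blacklist never fires) is what distinguishes credential stuffing from credential cracking in authentication logs. The following Python is an added example, not code from the Radware alert; it assumes a constructed single-line log format (`LOGIN user=... ip=... result=...`), and the thresholds in `classify` are illustrative assumptions to be tuned against an application's own baseline.

```python
"""Classify a window of login events as credential stuffing, credential
cracking (brute force) or normal traffic.

Added example, not Radware's code. The log format and thresholds below are
assumptions made for this illustration.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed log format for this example (not any real product's format):
#   <ISO timestamp> LOGIN user=<name> ip=<addr> result=<ok|fail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>ok|fail)$"
)


@dataclass
class WindowStats:
    attempts: int
    failures: int
    distinct_users: int
    distinct_ips: int
    max_attempts_per_ip: int
    max_attempts_per_user: int

    @property
    def failure_rate(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse(lines):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize(events) -> WindowStats:
    per_ip = Counter(e["ip"] for e in events)
    per_user = Counter(e["user"] for e in events)
    return WindowStats(
        attempts=len(events),
        failures=sum(1 for e in events if e["result"] == "fail"),
        distinct_users=len(per_user),
        distinct_ips=len(per_ip),
        max_attempts_per_ip=max(per_ip.values(), default=0),
        max_attempts_per_user=max(per_user.values(), default=0),
    )


def ips_over_limit(events, limit: int = 10):
    """What a naive per-IP rate limit would catch. Proxy-distributed stuffing
    keeps every IP under the limit, so this returns nothing for it."""
    per_ip = Counter(e["ip"] for e in events)
    return sorted(ip for ip, n in per_ip.items() if n > limit)


# Threshold values are assumptions for this example.
def classify(stats: WindowStats, min_attempts: int = 20, min_failure_rate: float = 0.8,
             stuffing_user_ratio: float = 0.8, cracking_user_attempts: int = 10) -> str:
    if stats.attempts < min_attempts or stats.failure_rate < min_failure_rate:
        return "normal"
    # Credential cracking: a few accounts hammered with many password guesses each.
    if stats.max_attempts_per_user >= cracking_user_attempts:
        return "credential_cracking"
    # Credential stuffing: almost every attempt is a different account (one leaked
    # password per user), so per-user counters stay low and the signal is the
    # number of distinct users failing in the window.
    if stats.distinct_users >= stuffing_user_ratio * stats.attempts:
        return "credential_stuffing"
    return "suspicious"


def detect(lines) -> str:
    return classify(summarize(parse(lines)))


# --- Constructed sample windows (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges) ---
def stuffing_sample():
    # 40 distinct leaked accounts, each tried once from its own proxy IP; two still work.
    return [
        f"2018-10-01T02:{i:02d}:00Z LOGIN user=victim{i}@example.com "
        f"ip=203.0.113.{i + 1} result={'ok' if i in (7, 23) else 'fail'}"
        for i in range(40)
    ]


def cracking_sample():
    # One account, one IP, thirty consecutive failed guesses.
    return [f"2018-10-01T03:00:{i:02d}Z LOGIN user=admin ip=198.51.100.7 result=fail"
            for i in range(30)]


def normal_sample():
    # Ordinary traffic: mostly successful logins with a few typos.
    return [f"2018-10-01T04:00:{i:02d}Z LOGIN user=staff{i} ip=198.51.100.{i + 20} "
            f"result={'fail' if i % 8 == 0 else 'ok'}" for i in range(25)]


if __name__ == "__main__":
    for name, sample in (("stuffing", stuffing_sample()), ("cracking", cracking_sample()),
                         ("normal", normal_sample())):
        ev = parse(sample)
        print(name, detect(sample), summarize(ev), "per-IP limit catches:", ips_over_limit(ev))
```

The `ips_over_limit` helper makes the alert's point about proxies concrete: the stuffing window trips no per-IP limit at all, while the single-source cracking window does, so detection for stuffing has to key on the count of distinct failing accounts per window rather than on any one address.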