How automated Dark Web marketplaces make credential stuffing attacks more profitable

Validated stolen credentials cost less than a cup of coffee, but economies of scale have made selling user accounts more lucrative than ever, according to Recorded Future.


There is, undoubtedly, a great deal of stuff on the Dark Web. Though marketplaces for buying drugs and weapons hosted on the Dark Web have faced a month of exit scams and shutdowns, countless other marketplaces for selling illicit goods—including website credentials—still exist. Specialized marketplaces for buying and selling user credentials have emerged over the last several years, reducing the amount of manual work needed by cybercriminals to profit: Indexes of searchable, validated accounts can be browsed by potential buyers, with purchases automated by the selling platform.

To replenish these marketplaces, cybercriminals have relied on automated tools for hacking multiple random accounts, according to a report published Thursday by Recorded Future. Though this trend was first observed in late 2014, it continues to grow as platforms for stolen account credentials increase in popularity. Likewise, the maturation of the automated hacking tools, called "checkers," aids the process.


Checker software, according to the report, is typically sold for between $50 and $250, depending on the capability of the tool. This software attempts to log in to a website using credentials obtained from databases that are gathered, often, from the Dark Web. Working credentials would be marked as valid, and checkers with more advanced capabilities could automatically scrape linked bank accounts or payment information, account balances, the address of the account holder, or transaction history.

Because this requires no user input after initial configuration, the "set it and forget it" functionality makes this the cybercrime equivalent of the Ronco Showtime Rotisserie.

More robust tools have subsequently been developed, according to the report, "supporting an unlimited number of custom plugins, also called 'configs,' which essentially offered hackers the capability to target almost any company with an online retail presence. What had initially started as several hundred or several thousand compromised accounts quickly ballooned to hundreds of thousands, or even millions, of accounts."

This glut of compromised accounts has brought the asking price down from $10 to "a mere $1 to $2," though "the overall profitability of credential stuffing attacks increased significantly through sheer volume," the report added. Despite this, the success rate for credential stuffing is between 1 and 3%, though the report adds that "the same database could then be reused over and over again to hack dozens of different websites," as users often recycle username/password pairs across different services, "yielding even higher profits."


By James Sanders

James Sanders is a technology writer for TechRepublic. He covers future technology, including quantum computing, AI, and 5G, as well as cloud, security, open source, mobility, and the impact of globalization on the industry, with a focus on Asia.