How credential stuffing attacks work, and how to prevent them

Credential stuffing attacks pose a significant risk to consumers and businesses. Learn how they work and what you can do about them.


There's no shortage of threats on the internet, which puts end users at risk and keeps cybersecurity and IT professionals busy. Credential stuffing is one such risk, and it can pose a great danger to consumers and business employees alike.


I spoke with Sumit Agarwal, co-founder and COO of Shape Security, a cybersecurity organization, about the concept. Agarwal served as deputy assistant secretary of defense under President Obama.
 
Scott Matteson: You came up with the term "credential stuffing" in 2011 when you were at the Pentagon. What is credential stuffing?

Sumit Agarwal: That's right. While serving as Deputy Assistant Secretary of Defense, I observed very complicated cyberattacks affecting publicly facing military websites. I realized it was only a matter of time before those attacks affected the average person's online accounts. I termed these malicious attacks "credential stuffing." 

Credential stuffing is the weaponization of stolen credentials (usernames and passwords) against websites and mobile applications. Lists of credentials stolen from one website are tested against other websites' login pages to gain unauthorized access to accounts, in order to commit fraud. 

The most remarkable aspect of credential stuffing is that a given business does not have to be breached itself to suffer from credential stuffing. The vulnerability is simply having a login form and having users.

There are more than 15 billion stolen credential pairs in the hands of cybercriminals. Criminals can either steal credentials themselves or, more likely, purchase them on the Dark Web. 

Scott Matteson: How does it work?

Sumit Agarwal: Most consumers reuse usernames and passwords across different web and mobile applications. This is capitalized upon for credential stuffing purposes.
 
First, let's discuss the root cause of the problem: Consumers are drowning in security complexity. After many, many years of advice around password complexity (uppercase, lowercase, numbers, special characters, etc.) consumers have responded by selecting just a few passwords that meet all those complexity requirements, and then re-using those passwords across many websites. 
 
Although this practice is terrible from a security perspective, it's understandable. When large businesses ask too much of consumers, they react by finding ways to simplify their lives. So this is the backdrop for credential stuffing—lots of password complexity, lots of consumers who are surviving by crafting a few conforming passwords and then reusing them across more than 30 accounts on average.

Next, it's important to understand that credential stuffing and other automation attacks against web and mobile applications are an economic pursuit for cybercriminals. They operate like businesses, striving for specific profit margins, and there's an entire underworld industrial complex that has been developed to support their criminal attacks. 

Credential stuffing is a volumetric attack: The attackers know they will enjoy success rates of upwards of 1 in 100 (which may sound low to the average person, but multiplied across 10M attempted credentials it yields 10,000 successful account takeovers, which are easily worth $100 to $1,000 each).

To serve the economic objectives of the criminal attackers, the criminal industrial complex has developed three elements that power their attacks:

  • Inexpensive credentials, typically stolen through large-scale data breaches, and then sold to criminals on the Dark Web. In January 2019, billions of stolen credentials were posted on the Dark Web for free download in a cache called Collections 1 through 5.

  • Purpose-built attacker tools, or repurposed QA tools that automate the process of machine-gunning login credentials at web and mobile applications. Sample credential-stuffing toolkits include Sentry MBA, Wget, cURL, PhantomJS, Selenium and Sikuli. Most attack toolkits are free or very low cost, and also offer pre-built configuration files that tailor attacks for specific popular sites and apps for as little as $50 per site. 

  • Botnets and other simulated network infrastructure, so that attack traffic appears to originate organically from real users across a "normal" geographic area (say, the Western United States), instead of all from one IP address in the Ukraine or the Philippines.

The automation provided by these components is key to the criminal economic model for credential stuffing.

Shape defeats the economics for cybercriminals, making credential stuffing and other automation attacks prohibitively expensive for criminals to sustain on protected websites and mobile applications.

Scott Matteson: What are the goals and motivations behind it?

Sumit Agarwal: Economic gain through theft, fraud, and deception. One study estimates that cybercrime revenues hit $1.5 trillion in 2018. This is an entire shadow economy larger than many legitimate nation-states.

Scott Matteson: Where is this threat most prevalent?

Sumit Agarwal: As an economic endeavor, cybercriminals attack where the money is. The threats are most prevalent in large B2C verticals, including financial services, retail and ecommerce, travel and hospitality, telecommunications, media, government, social media, and entertainment.

Scott Matteson: Who is behind the threat?

Sumit Agarwal: Cybercriminals are behind the threat. Typically these criminals operate outside of the United States, with prevalence in the developing world.

Scott Matteson: How should companies protect themselves from it?

Sumit Agarwal: Here are four things companies can do immediately to protect themselves:

  1. Realize that you likely are at risk—or already under attack—if your web or mobile applications provide an opportunity to buy or exchange anything of value. 

  2. Monitor your business metrics for signs that you may already be experiencing credential stuffing or other automation attacks, including poor or declining login success rates, high password reset rates, or low traffic-to-success conversion rates. 

  3. Analyze the hourly pattern of traffic to your login and other attackable URLs for traffic spikes or volume outside of normal human operating hours for your markets: Real users sleep, automated attacks do not.

  4. Get infosecurity, fraud, and digital teams in a room to discuss the possibility of automation attacks, current fraud trends, and digital metrics. 
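As an added example that is not part of the interview and not Shape Security's code, the following Python script applies points 2 and 3 above to a constructed login log: it aggregates attempts per hour and flags hours that are busy outside assumed human operating hours or where the login success rate collapses. The log format, the business-hours window and the thresholds are assumptions to be tuned against a site's own baseline.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log ("<ISO-8601 UTC timestamp> <user> <OK|FAIL>"), not real
# traffic: five daytime logins, then 200 attempts at 03:00 UTC of which 5 succeed.
SAMPLE_LOG = "\n".join(
    ["2024-03-04T09:12:01Z alice OK", "2024-03-04T09:15:44Z bob OK",
     "2024-03-04T09:40:10Z carol FAIL", "2024-03-04T14:02:33Z dave OK",
     "2024-03-04T14:30:18Z erin OK", "malformed line"]
    + [f"2024-03-04T03:{i % 60:02d}:{(i * 7) % 60:02d}Z user{i} "
       f"{'OK' if i % 40 == 0 else 'FAIL'}" for i in range(200)])

BUSINESS_HOURS = range(7, 23)  # assumed hours (UTC) when real users are awake

def parse_log(text):
    """Yield (hour, succeeded) per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] not in ("OK", "FAIL"):
            continue
        try:
            hour = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").hour
        except ValueError:
            continue
        yield hour, parts[2] == "OK"

def hourly_stats(text):
    """Return {hour: (attempts, successes)} aggregated from the log."""
    stats = defaultdict(lambda: [0, 0])
    for hour, ok in parse_log(text):
        stats[hour][0] += 1
        stats[hour][1] += ok
    return {h: tuple(v) for h, v in stats.items()}

def flag_hours(stats, min_attempts=50, min_success_rate=0.5):
    """Flag busy hours that are off-hours or where most logins fail.
    Thresholds are illustrative; tune them against the site's own baseline."""
    findings = []
    for hour, (attempts, successes) in sorted(stats.items()):
        if attempts < min_attempts:
            continue  # too little traffic to judge
        rate = successes / attempts
        reasons = []
        if hour not in BUSINESS_HOURS:
            reasons.append("volume outside human operating hours")
        if rate < min_success_rate:
            reasons.append(f"login success rate only {rate:.0%}")
        if reasons:
            findings.append((hour, attempts, rate, reasons))
    return findings
```

Running `flag_hours(hourly_stats(SAMPLE_LOG))` flags only the 03:00 hour, on both counts; the daytime hours carry too few attempts to judge.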
