Did you know? This is the most used attack strategy by hackers



When the media talk about cyber attacks, they usually mean the "prominent" attack methods. Blackmailing ransomware, highly professional Advanced Persistent Threats or data espionage through social engineering: the more elaborate the IT security challenge, the greater the media interest. Yet neither ransomware nor APTs are the attack strategies criminals use most often. For the most popular form of attack they exploit a widespread human trait: the power of habit. In this article, learn how each of us contributes to the spread of credential stuffing, why this brute-force technique is so successful in the first place and, of course, how you can best protect yourself against it.

The power of habit as the basis for credential stuffing

Let's be honest: how many different passwords do you use for the various services on the internet? If you belong to the vast majority for whom IT security is at best a distant concern, you have a favourite password and use it for several, or even all, services on the net. Experts have warned against exactly this for years, but people are creatures of habit. In particular, passwords that are genuinely strong are used far too rarely. Why? The answer is simple: strong passwords are hard to remember. And if they are also long and contain special characters, the shopping trip at the "Big A", followed by a look at the balance at the financial service provider and a check of the online mailbox, quickly becomes a tedious, annoying typing session.

What is pure convenience for users is Christmas and a birthday rolled into one for attackers. According to Verizon's Data Breach Investigations Report, roughly 80 % of hacking-related breaches involve stolen or weak credentials. Credential stuffing mercilessly exploits this love of habit.

So what exactly is credential stuffing?

Credential stuffing belongs to the family of brute-force methods, the attacks that rely on volume rather than on elegance or cunning. It uses credentials that have been stolen and have found their way into circulation, either through leaks or through targeted attacks on other services. The attackers assume (unfortunately, rightly) that most users reuse their access data (the eponymous credentials) across several services. Lists containing millions of valid username/password pairs, often called "combo lists", can be bought cheaply or found for free online.

With such a list and a little criminal energy, the attackers turn to botnets or rented proxy networks. These work through the list automatically, trying each username/password pair against the login form of the targeted service. For defenders, these networks are a serious challenge: a mass of login attempts from a single computer would catch the eye of even the sleepiest IT security, but a botnet spreads the attempts across many compromised machines or proxies, each with its own IP address and each staying below the rate at which it would be noticed on its own. That makes the attack hard to spot with simple per-IP rate limiting and much harder for the service provider to block outright.

Every successful login is recorded by the attackers. In just a few hours, millions of combinations can be tested. The "hits", working credentials for active accounts, are either used as a springboard for further attacks such as account takeover and fraud, or simply, conveniently and, above all, profitably sold on the darknet.

Brute force method: yes - brute force attack: no

Credential stuffing counts as a brute-force method, but it is clearly distinct from a "real" brute-force attack. A brute-force attack takes one user name and tries many candidate passwords against it, one after the other, whether generated exhaustively, taken from a dictionary or from a list of common passwords. Credential stuffing, by contrast, relies on combinations of user name and password that are actually valid somewhere, taken from a breach. Brute-force attacks therefore depend on guessing, and are thwarted by strong passwords and by lockout or rate limits on the account. Credential stuffing abuses valid access data, typically with a single attempt per account, to gain access to other services. Strong passwords are no help here, as long as users use the same one for several services at the same time.

Credential stuffing is the misuse of valid credentials to gain access to various services.
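The distinction above shows up directly in a login audit log, which is where a service's own detection has to look for it. The following Python script is an added example, not code from the original article or its author: it slices a constructed login log into ten-minute windows and labels each window as brute force (one account, many guesses from one source), credential stuffing (many accounts, about one guess each, spread over many sources) or normal, and lists the "hits", meaning accounts that logged in successfully from a source that was failing against other accounts at the same time. The log format (ISO timestamp, source IP, username, OK or FAIL), the thresholds and every log line are assumptions made for the example.

```python
"""Spotting credential stuffing in a login audit log, and telling it apart
from a classic brute-force attack.

Added example; this is not code from the original article or its author.
The log format (ISO timestamp, source IP, username, OK or FAIL), the
thresholds and every log line are constructed assumptions for the demo.
"""
from collections import Counter
from datetime import datetime, timedelta

# Thresholds: assumptions for the demo; tune them against your own baseline.
MIN_FAILURES = 20        # fewer failures per window is ordinary noise
BRUTE_TOP_USER = 0.5     # half or more of the failures aimed at one account
STUFF_USER_RATIO = 0.8   # 80%+ of failures each hit a different account
STUFF_MIN_IPS = 10       # and the attempts are spread over many source IPs


def parse(line):
    """'2024-05-01T10:00:00 192.0.2.1 alice FAIL' -> (ts, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def classify(events):
    """Classify one window of parsed events.

    Returns (label, stats, hits). 'hits' are accounts that logged in
    successfully from a source IP that also failed against *other* accounts
    in the same window: exactly the working credentials an attacker keeps.
    """
    fails = [e for e in events if e[3] == "FAIL"]
    stats = {"events": len(events), "failures": len(fails)}
    if len(fails) < MIN_FAILURES:
        return "normal", stats, []
    per_user = Counter(e[2] for e in fails)
    per_ip = Counter(e[1] for e in fails)
    stats.update(
        distinct_users=len(per_user),
        distinct_ips=len(per_ip),
        top_user_share=per_user.most_common(1)[0][1] / len(fails),
        user_ratio=len(per_user) / len(fails),
        failures_per_ip=len(fails) / len(per_ip),
    )
    if stats["top_user_share"] >= BRUTE_TOP_USER:
        label = "brute_force"            # one account, many guesses
    elif (stats["user_ratio"] >= STUFF_USER_RATIO
          and stats["distinct_ips"] >= STUFF_MIN_IPS):
        label = "credential_stuffing"    # many accounts, ~one guess each
    else:
        label = "suspicious"
    failed_users_by_ip = {}
    for _, ip, user, _ in fails:
        failed_users_by_ip.setdefault(ip, set()).add(user)
    hits = sorted({user for _, ip, user, result in events
                   if result == "OK" and failed_users_by_ip.get(ip, set()) - {user}})
    return label, stats, hits


def analyse(lines, window=timedelta(minutes=10)):
    """Split the log into fixed windows; return [(window_start, label, stats, hits)]."""
    events = sorted(parse(line) for line in lines)   # tuples sort by timestamp
    results, bucket = [], []
    if not events:
        return results
    start = events[0][0]
    for event in events:
        while event[0] >= start + window:
            if bucket:
                results.append((start, *classify(bucket)))
            bucket, start = [], start + window
        bucket.append(event)
    results.append((start, *classify(bucket)))
    return results


def build_sample_log():
    """Constructed traffic (documentation IP ranges): ten minutes of normal
    logins, then a brute-force run, then a credential-stuffing run."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(12):                       # 10:00 normal users, one typo
        ts = t0 + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()} 203.0.113.{i % 4 + 1} user{i % 6} "
                     f"{'FAIL' if i == 5 else 'OK'}")
    for i in range(40):                       # 10:10 one IP hammers 'admin'
        ts = t0 + timedelta(minutes=10, seconds=5 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.7 admin FAIL")
    for i in range(60):                       # 10:20 12 bots, 5 leaked pairs each
        ts = t0 + timedelta(minutes=20, seconds=4 * i)
        result = "OK" if i in (17, 42) else "FAIL"   # two reused passwords
        lines.append(f"{ts.isoformat()} 192.0.2.{i % 12 + 1} user{i} {result}")
    return lines


if __name__ == "__main__":
    for start, label, stats, hits in analyse(build_sample_log()):
        print(start.time(), label, stats, "hits:", hits)
```

The per-IP signal is the weakest of the three: against a large residential proxy pool, `failures_per_ip` drops towards one and only the distinct-account ratio and the jump in the overall failure rate remain. In practice, add the share of attempts against user names that do not exist at all (combo lists are full of e-mail addresses that never registered with you) and device or browser fingerprints to the window statistics, and alert on the "hits" list first, because those accounts need a forced password reset before the attacker resells them.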

Credential stuffing: cheap for cybercriminals, sometimes really expensive for victims

Cyber criminals who have set their sights on credential stuffing need neither great IT expertise nor expensive software. The small tools that make the attacks possible are available on the internet for very little money or even free of charge. The one thing they really need is time. Each individual bot is deliberately throttled so that its login attempts stay below the rate at which IT security would notice it; only the sheer number of bots gives the attack its overall throughput.

For the victims, however, a credential stuffing attack can be really expensive. If the attackers gain access to online shops, they can go on a shopping spree at the account holder's expense. Even worse are accounts at service providers that allow money transfers: here it is not just likely but almost certain that the linked account will be emptied in no time, and the money is often impossible to recover.

Companies also suffer from credential stuffing

Not only end users are affected by credential stuffing, but also the companies where those users hold their accounts. Customers who realise that their credentials have been misused naturally (and rightly) demand refunds, which adds up to a considerable economic burden for the companies concerned. Companies where customer data has been tapped also suffer a severe loss of trust; it can take years, and high investment, to rebuild customer relationships once they have been damaged. Nor should the problem of data manipulation be underestimated: depending on their intent, attackers with access to an account can change, exchange and manipulate customer data at will. Is any company safe from these brute-force methods? Unfortunately, no. As soon as a login function exists, and that is the rule rather than the exception for portals, online shops or financial service providers, attackers can and will target the company sooner or later.

The best protection against brute force methods such as credential stuffing is mindfulness!

While companies perceive ransomware attacks as a real threat, credential stuffing is still treated as the "silly little brother" that need not be taken seriously. Yet brute-force methods pose a far greater risk in practice, simply because credential stuffing and the like require little preparation and little expertise. With small measures, both end users and companies can improve their IT security and significantly reduce the risk.

For users, a password manager is recommended. It allows a unique, strong password for every online service without the risk of forgetting any of the access data, and because credential stuffing only works where a password is reused, a unique password per service defeats it outright. Two-factor authentication contains the danger further: in addition to the password, a second factor must be presented, for example a code the user receives on their smartphone or a hardware security key. This may seem annoying, but it deprives attackers of one of their most important footholds, since a stolen password alone is no longer enough to log in. Changing passwords on a fixed schedule, on the other hand, does little against credential stuffing. What matters is changing a password promptly once it has appeared in a breach, which breach-notification services and many password managers can tell you.

For companies, defending against brute-force methods is more complex, because alongside IT security they have to pay attention to a second factor: user-friendliness. What keeps attackers out, namely strict password requirements and technical measures such as the (universally unpopular) captchas, significantly raises the security of the platform. At the same time, the annoyance level rises among users, who may turn to a competitor who (still) does without the extra security. In any case, it is worthwhile for companies to check their users' access data regularly against published breach lists. Specialised services take over this query and report whether credentials have been stolen and already published; the check can be done without handing the password itself to the service. Last but not least, IT security can be upgraded internally. Systems that recognise and block automated login attempts from botnets, using signals such as the number of distinct accounts tried per source, the overall login failure rate and device or browser fingerprints, have long been available. They just need to be integrated and deployed.
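The query of published lists mentioned above can be done without ever sending the password to the outside service. The Python script below is an added example, not the article's or any provider's code: it models the k-anonymity range query used by Have I Been Pwned's Pwned Passwords API (the client sends only the first five hex characters of the password's SHA-1 hash and compares the returned suffixes locally) against a constructed, in-memory breach list so that it runs offline, and wraps the result in a hypothetical policy function for registration and login. The breached passwords, their counts, the `FakeRangeServer` stand-in and the function names are assumptions for illustration.

```python
"""Checking a password against a published breach list without revealing it.

Added example; not the article's or any provider's code. It mirrors the
k-anonymity scheme of Have I Been Pwned's Pwned Passwords service: the
client hashes the password with SHA-1, sends only the first five hex
characters, receives every suffix in that range with its breach count, and
compares locally. The 'server' below is a constructed in-memory dictionary
so the example runs offline; the breached passwords and counts are made up.
A real client would fetch https://api.pwnedpasswords.com/range/<prefix>
over HTTPS and parse the same 'SUFFIX:COUNT' lines.
"""
import hashlib

PREFIX_LEN = 5   # 5 hex chars = one of 2^20 buckets, each holding many hashes


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of the password into (prefix, suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


# Constructed breach corpus (assumption): password -> times seen in leaks.
FAKE_BREACHES = {"password": 1_000_000, "123456": 2_500_000, "Summer2019!": 12}


class FakeRangeServer:
    """Stands in for the remote range API and records what it was asked,
    so the caller can verify that only a 5-character prefix ever left."""

    def __init__(self, corpus):
        self.ranges = {}
        for pw, count in corpus.items():
            prefix, suffix = sha1_prefix_suffix(pw)
            self.ranges.setdefault(prefix, {})[suffix] = count
        self.queries = []

    def __call__(self, prefix):
        self.queries.append(prefix)
        bucket = self.ranges.get(prefix, {})
        return "\n".join(f"{s}:{c}" for s, c in sorted(bucket.items()))


def breach_count(password, fetch_range):
    """How often the password appears in the breach corpus (0 = not found).

    fetch_range(prefix) returns 'SUFFIX:COUNT' lines for that prefix.
    The comparison happens here, on the client; only the prefix is sent.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count)
    return 0


def password_decision(password, fetch_range, at_login=False):
    """Hypothetical policy hook: refuse a breached password at registration;
    at login, the password is still valid, so accept it but force a reset
    and a second factor, which cuts credential stuffing off for that account."""
    count = breach_count(password, fetch_range)
    if count == 0:
        return "accept"
    return "force_reset_and_mfa" if at_login else "reject"


if __name__ == "__main__":
    server = FakeRangeServer(FAKE_BREACHES)
    for pw in ("password", "Summer2019!", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw, server)} times ->",
              password_decision(pw, server))
    print("queries sent to the server:", server.queries)  # five hex chars each
```

Two caveats a practitioner would want. First, SHA-1 is used here only as an index into a public list, because that is what the service keys on; it is not a way to store passwords, which still belong behind a slow, salted hash such as bcrypt or Argon2. Second, the server only ever sees a prefix shared by hundreds of other hashes, so it cannot tell which one was being checked, but the lookup should still go over TLS and, for a service that pads its responses, with padding enabled so that the response size does not narrow the bucket down.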


Passwords are a crux. If they are strong, they are hard to remember and tedious to type. Probably all of us, out of convenience and carelessness, tend to use one supposedly "good" (because easy to remember) password for a wide variety of services. But this convenience, understandable as it is, is an open barn door for cyber criminals of all kinds. With freely or cheaply available tools and lists full of username/password combinations, they run brute-force methods that many companies and their IT security simply do not have on their radar. Credential stuffing is no trivial offence; it can be really expensive, not to mention the damage to the reputation of the companies affected.

But there is good news too: unlike with ransomware or APTs, you do not need highly specialised IT security to put a stop to brute-force attacks. Unique passwords from a password manager, two-factor authentication and a prompt password change whenever a password turns up in a breach still do not make the theft of user data impossible. But these small measures at least make it considerably harder for attackers to turn stolen data into a working login.

Do you have questions about this article or would you like advice on this topic?
Contact our experts!

By clicking on the "Submit" button, you confirm that you have read our privacy policy. You give your consent to the use of your personal data for the purpose of contacting you by Allgeier secion, Zweigniederlassung der Allgeier CyRis GmbH.
