Sidestep Credential Stuffing Through Vigilant Password Protection
Cyberattackers are a resilient bunch. Once organizations improve their cybersecurity to defend one kind of attack, the threat actors come back with a different one.
In yet another reminder of this high-stakes cat-and-mouse game, cybercriminals have decided that brute-force attacks largely don’t work anymore, and they’re now trying their luck with credential stuffing. For years, threat actors succeeded with the crude method of trying a large number of random, eight-word password combinations before finding the correct one to enter into the system they were targeting. Organizations finally thwarted these efforts by blocking multiple attempts into accounts and numerous attempts from the same IP address.
In a display of cyberattackers’ persistence, they went back to the drawing board and are now using a new method to penetrate secure accounts. With credential stuffing, threat actors are still bombarding traditional user ID-password gateways, but instead of trying random combinations, they’re leveraging stolen, legitimate user IDs and passwords.
The cybercriminals are onto something: About 1 to 2 percent of stolen credentials from one site will work on a second site, allowing someone with a list of 1 million pilfered credentials to hijack 10,000 accounts, CSO reports.
Cheap and Easy Credential Stuffing
Security pros stay awake at night knowing cyberattacks aren’t reserved for a select group of criminal masterminds whose wealth allows them to purchase expensive tools. Threats can be carried out by just about anyone with a basic aptitude for technology and an ability to locate cheap or even free tools.
Sentry MBA, a tool to commit credential stuffing, is widely available on the Dark Web and popular with dime-store threat actors because it’s free. Sentry MBA’s graphical user interface also doesn’t require an expansive skill set to carry out a sophisticated attack and allows cybercriminals to use the same stolen credentials on multiple applications.
Sentry MBA can mitigate blacklists, IP rate limits and other traditional online login-form security controls. It can also bypass third-party security measures that a website uses to halt brute-force attacks. If a site has a CAPTCHA mechanism in place, Sentry MBA attempts to bypass it by using Optical Character Recognition software such as Death by Captcha API, so that it can read and solve CAPTCHA challenges.
In late 2015, cyberattackers took Sentry MBA out for a spin by using the tool to make 5 million login attempts on a Fortune 100 business-to-consumer website, according to eWeek. Its use has only increased since then.
Most Organizations Don’t Know They’re Being Stuffed
Just as improved cybersecurity measures slowed the use of brute-force attacks, best practices can also halt credential stuffing. But before anything else can happen, organizations must first see they’re under attack. It’s hard to discern this kind of threat from ordinary login attempts, however, because attackers deploy legitimate user IDs and passwords. Plus, many organizations still don’t even know about the existence of Sentry MBA.
To beat the threat actors at their own game, enterprises must double-down on password protection. With effective training, vigilance and company-wide buy-in, employees can protect their user IDs and passwords by not falling for the phishing scams that place their legitimate credentials in the hands of criminals.
Following best practices for password protection not only lessens the odds of an attack on one account but also reduces the likelihood that other accounts will be targeted. Organizations shouldn’t hand cyberattackers any more ammunition than they can already find on the cheap elsewhere.