Thanks to all the data breaches and security incidents over the last few years, attackers are sitting on a gold mine of valuable credentials information which they can use to launch credential-stuffing attacks against major Web services and other applications.
Researchers from F5 Networks analyzed a large set of spilled credentials that was available for sale on a Dark Web forum in early 2019 and compared the credentials against usernames used in credential-stuffing attacks against four of its Fortune 500 customers—two banks, one retailer, and a food-and-beverage company. The criminals have large numbers of credentials to try in their attacks, and the collection is large enough that criminals can apply machine learning algorithms to figure out which username and password combination would be the most likely to succeed, the researchers wrote in the 2021 Credential Stuffing Report. Cybercriminals are getting better at guessing passwords variants by looking at credentials with common themes.
“Fuzzing” techniques help optimize credential exploit success as they can check variants of a stolen password as well as the original, F5 said.
Credential stuffing attacks involve attackers working through a list of possible username and password combinations against a range of applications and services to see if any of them actually work. For every one million random combinations of emails and passwords, attackers can potentially compromise between 10,000 and 30,000 accounts. As a whole, credential stuffing has a low success rate—estimates range from between one to three percent (Recorded Future) to 0.2 to two percent (Shape Security)—but it remains a popular attack method because it takes so little effort and is very cheap to execute.
Thanks to bots, stuffing tools, and password databases, these attacks require just a couple hundred dollars and some patience.
The Five Stages
During the course of its analysis, F5 researchers discovered that stolen credentials go through five stages of abuse, from the moment when the attackers acquire the stolen credentials all the way to when the credentials are repackaged and resold to other actors. The report defined credential spill as any “cyber-incident in which a combination of username and/or email and password pairs becomes compromised.”
Attackers tend to be quiet during the first stage, when they are using the credentials to try and establish persistence on the target—such as compromising the machine, taking over key accounts, conducting reconnaissance to learn what is on the network, and harvesting information for other purposes. In F5’s analysis, the attackers used the stolen credentials between 15 and 20 times per day, on average, in attacks against the four victim organizations. The second stage involves distributing the stolen credentials with other threat actors and trying to access accounts on other sites.
Criminals are careful to not trigger any alarms or be obvious they are using the leaked credentials, as they use compromised credentials in stealth mode for roughly a month before they share the credentials with others.
The third stage—when attackers use the username and password pairs in credential stuffing attacks against other targets—is the most damaging, as there is a rush to use the solen credentials before users start changing passwords, F5 said. In the analysis, F5 researchers found that credentials were being used up to 130 times a day.
By the fourth phase, the value of the stolen credentials have dropped, and attackers were tapering off their use to about 28 times per day. The fifth stage is when attackers repackage spilled credentials and try to continue to use them.
Protecting Passwords
Poor password protection remains a big problem. Some 13.3 percent of credential compromise incidents and more than 42 percent of exposed credentials between 2018 and 2020 involved organizations storing passwords in plaintext. About 20 percent of the credential compromises involved weak SHA-1 ciphers, and MD5 hashes was still prevalent among organizations, even though both methods are broadly discouraged because they can be easily cracked.
Users can protect themselves by using multi-factor authentication schemes (where offered) and complicated passwords generated by password managers, but the organizations have to step up their password practices to ensure they are protecting them in a way that even stolen, can't be readily abused.
The fact that attackers use the stolen username/password pairs in credential-stuffing attacks against major Web services and applications is well-documented. In a recent joint paper from Google and Stanford University, researchers found that people who had their account credentials exposed in some kind of a breach had a higher risk of being targeted in an attack. A separate report by Akamai found that over 60 percent of the 100 billion credential stuffing attacks detected over the previous two years targeted retail, travel and hospitality businesses—and 90 percent of those attacks targeted retail.
More than 1.5 billion credential stuffing attacks took place during the fourth quarter of 2020, a 90 percent increase from earlier in the year, according to analysis by Arkose Labs. Once the cybercriminal uncovers a valid username-password combination, that set of credentials will be used over and over again against a variety of targets, no matter how old they are.
Earlier this month, streaming music platform Spotify suffered a credential-stuffing attack, the second such incident in the last few months. In this incident, attackers used a malicious Spotify logger database containing more than 100,000 accounts to target Spotify user accounts. In the earlier incident, in November, 300,000 accounts were affected when an Elasticsearch database containing more than 380 million records and login credentials harvested from multiple sources was used to target Spotify accounts.
F5’s study had one piece of good news: while the overall number of credential compromise incidents more than doubled from 2016 to 2020—from 51 incidents in 2016 to 117 incidents in 2020—the average number of records per incident dropped significantly, from over 63.4 million to around 17 million.