Don't Get Cooked by Cybercriminals This Thanksgiving
As the holiday season approaches, the word “stuffing” most likely conjures up images of a Thanksgiving meal with friends and family. In the world of cybersecurity, however, stuffing has a much less idyllic connotation: criminals taking login credentials exposed in past data breaches and replaying them against our other accounts. The best way to avoid falling victim is to understand how the attack works and which steps actually protect you against it.
- What is credential stuffing?
- Credential stuffing begins when a cybercriminal obtains a list of usernames and passwords exposed in an earlier data breach, typically bought or downloaded on the dark web. The stolen pairs are then tried, in bulk, against a multitude of unrelated targets such as banking websites, in the hope that the victims reused the same password there. Every time a new data breach exposes credentials, the stolen login information is quickly disseminated on the dark web, providing fresh ammunition for future credential stuffing attacks.
- How are the stolen credentials entered into the target websites?
- Since manual entry of credentials is a laborious and time-consuming process, attackers use automated tools (high-speed login bots) that can flood a target with thousands of login attempts per second. Unlike a brute-force attack, which tries many passwords against one account, each attempt pairs one stolen username with the one password that leaked alongside it, so the traffic is spread thinly across a very large number of accounts.
- If a target is receiving thousands of login attempts, why doesn’t it simply lock out the affected accounts or block the source, stopping these attacks before they ever achieve their goal?
- Attackers know that credential stuffing traffic must look like ordinary login activity, so they have devised ways to circumvent both lockout and rate-limiting controls. Account lockouts rarely help, because each account is usually tried with only one password; no single account accumulates enough failures to trip the threshold. To avoid millions of login requests abruptly originating from a single IP address over a brief period, attackers route the requests through proxy services that spread them across a multitude of IP addresses, so that any one address shows only a handful of attempts. To most targets, the traffic then raises no red flags, and the attackers can test stolen credentials at scale. Once they gain unauthorized access to an account, they can make unauthorized purchases, drain accounts by transferring funds, or worse.
- Why are credential stuffing attacks so successful?
- The average user has more than 70 accounts for various applications and websites. According to an analysis performed by the security company SpyCloud, the average person’s password reuse rate is almost 60%, meaning that the same set of credentials is used for several different accounts. Because of this propensity to recycle the same credentials, once an attacker acquires a set of stolen credentials, there is a good chance they can gain access to dozens of the victim’s other accounts.
- Are these types of attacks common?
- A large number of well-known companies, including Nintendo, The North Face, Zoom, and Uber, have had customer accounts compromised through credential stuffing attacks. While credential stuffing attacks are prevalent across all industries, the financial sector has been particularly impacted. According to the FBI, credential stuffing attacks accounted for more than 40 percent of security incidents against the financial industry from 2017 through 2019.
- How can you protect yourself from these attacks?
- The closest thing to a silver bullet against credential stuffing attacks is multi-factor authentication. By requiring a second factor (e.g., approving a prompt on your phone) in addition to the password, a stolen set of credentials is no longer enough on its own to log in, which makes a leak far less dangerous. Additional ways to fortify your defenses include using strong passwords that are unique to each account, so that a breach at one site cannot be replayed against another, and changing a password promptly if you learn that the service holding it has been breached. Since managing so many sets of credentials can prove daunting, consider enlisting the aid of a password manager application, which also makes the one-password-per-account rule practical.
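The two questions above about automated login bots and about why lockouts fail can be made concrete with log data. The following is an added example, not code from the original article or from Citrin Cooperman: it runs two heuristics over a constructed authentication log. The log format (`<ISO timestamp> <client IP> <username> <OK|FAIL>`), the one-minute window and the thresholds are assumptions, and the sample lines use RFC 5737 documentation addresses rather than real traffic. The first heuristic catches an unproxied bot by counting distinct accounts failed from one IP; the second catches the proxied variant by looking at the population of failures as a whole, where every attempt comes from a different IP and no account ever reaches a lockout threshold.

```python
"""Two log-based heuristics for credential stuffing traffic.

Added example, not code from the original article. The log format, window
size and thresholds are assumptions; the sample log is constructed and uses
RFC 5737 documentation addresses, not real traffic.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log. 10:00 = one ordinary user mistyping her password,
# plus an unproxied bot spraying stolen pairs from a single IP.
# 10:05 = the same kind of attack routed through proxies, one IP per attempt.
SAMPLE_LOG = """\
2023-11-20T10:00:00 198.51.100.7 carol FAIL
2023-11-20T10:00:04 198.51.100.7 carol FAIL
2023-11-20T10:00:09 198.51.100.7 carol OK
2023-11-20T10:00:10 203.0.113.10 alice FAIL
2023-11-20T10:00:10 203.0.113.10 bob FAIL
2023-11-20T10:00:11 203.0.113.10 dave FAIL
2023-11-20T10:00:11 203.0.113.10 erin FAIL
2023-11-20T10:00:12 203.0.113.10 frank OK
2023-11-20T10:00:12 203.0.113.10 grace FAIL
2023-11-20T10:05:00 192.0.2.1 heidi FAIL
2023-11-20T10:05:00 192.0.2.2 ivan FAIL
2023-11-20T10:05:01 192.0.2.3 judy FAIL
2023-11-20T10:05:01 192.0.2.4 mallory OK
2023-11-20T10:05:02 192.0.2.5 niaj FAIL
2023-11-20T10:05:02 192.0.2.6 olivia FAIL
2023-11-20T10:05:03 192.0.2.7 peggy FAIL
2023-11-20T10:05:03 192.0.2.8 rupert FAIL
"""


def parse_log(text):
    """Return a list of (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def minute(ts):
    """Fixed one-minute bucket used as the detection window (assumption)."""
    return ts.replace(second=0, microsecond=0)


def single_ip_spray(events, min_distinct_users=5):
    """Flag IPs that fail logins against many *different* accounts in one
    minute. A brute-force attacker hammers one account; a stuffing bot
    without proxies touches many accounts, once each, from one address."""
    users_per_ip = defaultdict(set)
    for ts, ip, user, ok in events:
        if not ok:
            users_per_ip[(minute(ts), ip)].add(user)
    return sorted({ip for (_, ip), users in users_per_ip.items()
                   if len(users) >= min_distinct_users})


def distributed_stuffing(events, min_failures=6, min_ip_ratio=0.8,
                         lockout_threshold=5):
    """Population-level signal for the proxied case: within one minute, many
    failures, nearly every one from a distinct IP and a distinct account, and
    no account reaching the lockout threshold. A per-IP rate limit and a
    per-account lockout both see nothing unusual in such a minute."""
    fails_per_minute = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            fails_per_minute[minute(ts)].append((ip, user))
    hits = []
    for m, fails in sorted(fails_per_minute.items()):
        n = len(fails)
        if n < min_failures:
            continue
        distinct_ips = len({ip for ip, _ in fails})
        attempts_per_account = Counter(user for _, user in fails)
        most_tried = max(attempts_per_account.values())
        if distinct_ips / n >= min_ip_ratio and most_tried < lockout_threshold:
            hits.append({
                "minute": m.isoformat(),
                "failures": n,
                "distinct_ips": distinct_ips,
                "distinct_accounts": len(attempts_per_account),
                "max_attempts_per_account": most_tried,
            })
    return hits


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("single-IP spray:", single_ip_spray(evts))       # ['203.0.113.10']
    for hit in distributed_stuffing(evts):                   # the 10:05 minute
        print("distributed stuffing:", hit)
```

On the sample, the 10:00 minute has seven failures but only two source IPs, so it is caught by the single-IP check and correctly ignored by the distributed one; the 10:05 minute has seven failures from seven IPs against seven accounts, each tried exactly once, which is why a lockout threshold of five attempts per account never fires. In production the thresholds should be tuned against a baseline of normal failure rates, and the same signal (a sharp rise in failures spread across many accounts and addresses) is what MFA makes harmless even when it slips past detection.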
Be sure to take the proper precautions to avoid credential stuffing to help make your Thanksgiving a happy (and safe) holiday!
For more information on how to provide cybersecurity awareness training to your team and significantly reduce the chance of your business becoming the next victim of a cybercriminal, contact Kevin Ricci at kricci@citrincooperman.com or Michael Camacho at mcamacho@citrincooperman.com.