Automation has revolutionized cybersecurity. All organizations use automation to perform a slew of repeated and mundane tasks in seconds with utmost efficiency without any manual invention. That includes cybercriminal organizations. Unfortunately for businesses, automation has facilitated the resurgence and upward growth of a devastating classic cyberattack technique that’s been updated for the modern era: credential stuffing.

Compromised credentials fuel attacks:

Businesses and personnel use hundreds of applications and websites for various digital services. Almost all these websites and apps use passwords for user authentication. Users often reuse the same passwords across multiple online services to manage these online accounts. Over 60% of people habitually reuse passwords across multiple sites and applications. While password reuse might be a convenient way for them to juggle through many online accounts, it has made them attractive targets for cybercriminals, who often rightly assume that passwords stolen from one company may provide the keys to a host of other accounts.

Credential stuffing is a cyberattack where threat actors repeatedly attempt to log in to a user’s online accounts using stolen usernames and passwords. Sometimes, those credentials have been stolen in a previous breach. Cybercriminals may purchase credentials files or harvest them from dark web data dumps. However they do it, cybercriminals tap into users’ habit of using the same password for multiple accounts and use it to harm businesses through credential stuffing. Credential stuffing is a hazardous problem for retailers. Attackers used leaked credentials more than 90% of the time in credential stuffing attacks targeting retailers, compared to just under 70% of the time in other industries.

Credential stuffing has leveled up:

There are plenty of password and username pairs for cybercriminals to deluge businesses within the course of a credential-stuffing attack available right now. According to a survey, more than 15 billion stolen credentials are circulating on the dark web, which grows yearly. Automation has made the process of credential stuffing easier than ever for the bad guys. After getting their hands on user credentials, attackers typically leverage software or other automation tools like bots capable of transmitting a sustained barrage of login attempts simultaneously without human intervention. A recent study on retail cybersecurity challenges showed that nearly one-quarter of the traffic on retail websites (23%) was explicitly attributed to malicious bots. Once the bad actors deploy their bots, they have to monitor the operation to see which one unlocks the door and gives them access to a user’s account.

One compromised credential brings serious consequences:

Once cybercriminals can access a user account, they can view the holder’s personal information and leverage it in many damaging ways. Bad actors can use it to launch successful social engineering attacks, sell that information on the dark web, or make fraudulent transactions if they find financial information. Sometimes, they perform account takeovers on the cracked accounts and use them in business email compromise schemes. The technique is the prime culprit in one-quarter of data breaches.

Although most login attempts in a credential stuffing attack fail, a single attack can yield thousands of compromised accounts due to the sheer volume of shots. Automation has enabled bad actors to send more photos than ever at a target over a very short period. With the high likelihood that someone has reused a compromised credential, there’s a high chance that the bad guys will get a hit. The aftermath of a credential stuffing attack can be gauged from the Ponemon Institute’s Cost of Credential Stuffing report, which concluded that businesses lose an average of $6 million per year to credential stuffing in the form of application downtime, lost customers, and increased IT costs.

Three defensive tips to mitigate credential stuffing risk:

Due to the prevalence of credential stuffing attacks, businesses must prepare for an eventuality where such an attack can come knocking down their doors someday. An estimated 81% of data breaches are due to poor password security. Therefore, every company that maintains online customer accounts must take action to ensure that they’re making all the right moves to mount an effective defense against credential-stuffing cyberattacks:

1. One of the most effective safeguards for preventing credential stuffing attacks is multifactor authentication (MFA). It ensures that a user presents two or more credentials when logging in to their account. While most attackers have access to a stolen password, it is improbable that they will have access to other credential types. Microsoft says that 99.9% of cyberattacks can be stopped with multifactor authentication.
2. Regular, comprehensive security awareness training is a stepping-stone for organizations in blocking a credential stuffing attack by cultivating their employees’ security awareness levels. Employees will make better password-related choices and practice better password hygiene if they understand why it matters. Companies can quickly and affordably educate their employees on how malicious actors can leverage password reuse as part of a credential-stuffing campaign. Training also helps them learn the importance of keeping secure, unique passwords for all their online accounts to mitigate the risk of credential stuffing.
3. Compromised credentials are fodder for launching credential-stuffing attacks. Therefore, monitoring the dark web for leaked or stolen information, such as compromised credentials, is essential to reduce the risk of a credential-stuffing attack on a business. Credentials are the top type of information stolen in data breaches worldwide.

Source: ID Agent