Accessing another person’s credentials has always been a major goal of hackers or pirates. Typically, pirates would perform phishing or even spear-phishing attacks on naïve or unsuspecting targeted individuals. In these attacks, the hacker would send a user a link to some embellished website mimicking a known banking, credit card or other financial site, which would request that the unsuspecting user enter their personal credentials. Once the credentials were entered and transferred to the pirate, the pirate could perform bank transfers, embezzle money or even take over the victim’s account. These attacks were very costly to financial institutions and other high-security websites, but they were neither highly effective nor scalable: to succeed, a phishing campaign required considerable reconnaissance to deliver the right link to the appropriate users, and even then most users did not take the bait.
In the last five years, however, a new, more scalable and effective method of accessing another person’s credentials has become increasingly popular. This form of piracy, known as credential stuffing, is based on two historical realities:
Given these two facts, new credential stuffing tools were created that enable a set of bots, working through proxies or VPNs, to discover which breached credentials are still active on a set of popular websites. The diagram below illustrates how credential stuffing attacks are performed.
A pirate purchases millions of username/password combinations (combos) extracted from breached websites, and configures a set of bots, proxies, target websites and scripts describing the login navigation details of each target site. The pirate then feeds all these artifacts into a credential stuffing tool.
The tool then assigns bots to try all of these combos on each of the popular websites, following the navigation instructions in the scripts and connecting to each site through a separate proxy or VPN. To avoid detection, a different IP address is used for each malicious attempt! The tool returns the subset of credentials that are still active on each popular site. This attack is effective because most users tend to reuse the same username/password combination across most of the websites they use.
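The traffic pattern just described (many failed logins spread across many usernames, each from a different proxy IP, with the occasional success marking a still-active combo) is what a site operator can look for in its own login logs. The detector below is an added example, not code from the original article or from any credential stuffing tool; the log line format, the window size and the thresholds are assumptions, and the sample log lines are constructed.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

# Assumed log line format (constructed for this example):
#   "2024-01-01 10:00:05 ip=10.0.1.1 user=alice result=fail"
LINE = re.compile(r"^(\S+ \S+) ip=(\S+) user=(\S+) result=(ok|fail)$")
EPOCH = datetime(1970, 1, 1)  # naive reference point for window bucketing

@dataclass
class Verdict:
    stuffing: bool
    failures: int
    distinct_users: int
    distinct_ips: int
    max_attempts_per_ip: int
    hits: list = field(default_factory=list)  # users who logged in OK during a flagged window

def detect(lines, window=timedelta(minutes=5), min_failures=20,
           min_users=10, max_per_ip=2):
    """Bucket login events into fixed windows and flag the stuffing signature:
    many failures across many usernames AND many source IPs, each IP barely reused.
    A single-IP brute force on one account does not match (it exceeds max_per_ip)."""
    buckets = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore lines that are not login events
        ts, ip, user, result = m.groups()
        key = (datetime.fromisoformat(ts) - EPOCH) // window  # integer window index
        buckets[key].append((ip, user, result))
    verdicts = []
    for key in sorted(buckets):
        events = buckets[key]
        fails = [(ip, user) for ip, user, r in events if r == "fail"]
        per_ip = Counter(ip for ip, _ in fails)
        users = {user for _, user in fails}
        max_per = max(per_ip.values(), default=0)
        flagged = (len(fails) >= min_failures and len(users) >= min_users
                   and len(per_ip) >= min_users and max_per <= max_per_ip)
        hits = [user for ip, user, r in events if r == "ok"] if flagged else []
        verdicts.append(Verdict(flagged, len(fails), len(users), len(per_ip), max_per, hits))
    return verdicts

def sample_log():
    """Constructed sample: window 1 is proxy-rotated stuffing (one IP per attempt,
    one account actually succeeds); window 2 is single-IP brute force on one user."""
    lines = [f"2024-01-01 10:00:{i:02d} ip=10.0.{i}.1 user=user{i} result=fail" for i in range(25)]
    lines.append("2024-01-01 10:01:00 ip=10.0.99.1 user=user99 result=ok")
    lines += [f"2024-01-01 10:10:{i:02d} ip=10.0.0.5 user=admin result=fail" for i in range(25)]
    return lines

if __name__ == "__main__":
    for v in detect(sample_log()):
        print(v)
```

The `hits` list in a flagged window is the operationally useful output: those are the accounts whose reused password just validated and which should be forced through a password reset or step-up authentication.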