Minute Details You Should Have Known Regarding Credential Stuffing
Posted: July 6, 2020
Credential stuffing is one of the most discussed topics among people frequenting dark web sites. As the name suggests, it is a dubious practice and cannot be considered legal. What is it, and does it pose a threat to your credentials? We will find out as we work through the facts in this article.

What is Credential Stuffing?

Credential stuffing is the automated use of collected credentials (login IDs or usernames and passwords) to gain fraudulent access to the accounts they belong to. Over the past couple of years, data breaches have left attackers with a collection of billions of login credentials. These credentials fuel the underground economy: they are used for everything from spamming and phishing to account takeovers. Credential stuffing is one of the most common ways cybercriminals take advantage of stolen usernames and passwords. It can be classed as a brute-force attack technique, with one important difference: instead of guessing passwords from dictionaries of common word combinations, the attacker replays lists of known valid credentials obtained from data breaches.

Why do attackers favour credential stuffing? Because the resulting attacks are much easier to execute and have a higher success rate. The reason is that vast numbers of people reuse their passwords across different websites, so credentials stolen from a low-profile site have a good chance of working on services that hold more sensitive data.

The Enormity of Credential Stuffing

HaveIBeenPwned.com (HIBP), one of several data breach notification services, tracks more than 8.5 billion compromised credentials from over 410 data breaches. The service only includes credentials from data sets that are public or that have been broadly distributed on underground forums.
There are also database dumps that have remained private and are available only to a small group of hackers. Automated credential stuffing attacks are supported by a whole underground economy built on the sale of stolen credentials and of specialised credential stuffing tools. These tools work from so-called "combo lists", which are assembled from various data sets once the hashed passwords found in the leaked databases have been cracked. Launching such an attack therefore requires no extraordinary knowledge or skill; virtually anyone with a few hundred dollars to spend on tools and data can do it.

Detection & Mitigation of Credential Stuffing Attacks

The attacks are launched with botnets and automated tools, bought on underground markets or found on GitHub, that support proxies to distribute the rogue requests across many IP addresses. Attackers also commonly configure their tools to present realistic user agents (the headers that identify the browser and operating system a web request is made from). All of this makes credential stuffing hard to defend against, because defenders struggle to distinguish legitimate from illicit login attempts, especially on high-traffic websites where sudden surges in login requests are routine. That said, a spike in the login failure rate over a short period can be flagged as a credential stuffing attack in progress. Some commercial web application firewalls and services implement more advanced behavioural techniques to detect suspicious login attempts, and website owners can also take preventive measures against such attacks. One of the most effective mitigations is to implement and encourage the use of multi-factor authentication (MFA). Although MFA is not the ultimate answer, it can be considered one of the main preventive measures.
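The failure-rate signal described above can be turned into a simple detector. The following Python is an added example, not code from the original article: it parses constructed authentication log lines (the `ip=... user=... status=...` format and all addresses and names are made up for illustration), buckets them into fixed time windows, and raises an alert when a window shows a high failure ratio spread over many distinct usernames and many distinct source IPs, which is what proxied stuffing traffic looks like next to a single user mistyping a password.

```python
"""Flag credential-stuffing bursts in authentication logs (added example).

Heuristic: within a short window, a high share of failed logins that are
spread across many usernames and many source IPs is characteristic of an
automated, proxied stuffing run rather than of ordinary user error.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (not from any real system). Assumed line format:
# <ISO-8601 UTC timestamp> ip=<addr> user=<name> status=<ok|fail>
SAMPLE_LOG = """\
2020-07-06T10:00:01Z ip=198.51.100.7 user=alice status=ok
2020-07-06T10:00:09Z ip=198.51.100.9 user=bob status=fail
2020-07-06T10:00:40Z ip=198.51.100.9 user=bob status=ok
this line is deliberately malformed and must be skipped
2020-07-06T10:05:00Z ip=203.0.113.10 user=carol status=fail
2020-07-06T10:05:01Z ip=203.0.113.11 user=dave status=fail
2020-07-06T10:05:02Z ip=203.0.113.12 user=erin status=fail
2020-07-06T10:05:03Z ip=203.0.113.13 user=frank status=fail
2020-07-06T10:05:04Z ip=203.0.113.14 user=grace status=fail
2020-07-06T10:05:05Z ip=203.0.113.15 user=heidi status=fail
2020-07-06T10:05:06Z ip=203.0.113.16 user=ivan status=fail
2020-07-06T10:05:07Z ip=203.0.113.17 user=judy status=ok
2020-07-06T10:05:08Z ip=203.0.113.18 user=mallory status=fail
2020-07-06T10:05:09Z ip=203.0.113.19 user=oscar status=fail
2020-07-06T10:20:15Z ip=198.51.100.7 user=alice status=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) status=(?P<status>ok|fail)$"
)


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["status"] == "ok"})
    return events


def bucket_windows(events, window_seconds=60):
    """Group events into fixed windows keyed by the window's start epoch second."""
    windows = defaultdict(list)
    for e in events:
        epoch = int(e["ts"].timestamp())
        windows[epoch - epoch % window_seconds].append(e)
    return windows


def detect_stuffing(events, window_seconds=60, min_attempts=8,
                    fail_ratio_threshold=0.6, min_distinct_users=5, min_distinct_ips=5):
    """Return one alert dict per window that matches the stuffing heuristic.

    Thresholds are illustrative starting points; tune them to the site's
    normal login volume so a busy but healthy window does not trip them.
    """
    alerts = []
    for start, evs in sorted(bucket_windows(events, window_seconds).items()):
        if len(evs) < min_attempts:
            continue  # too little traffic to judge a ratio
        failures = [e for e in evs if not e["ok"]]
        fail_ratio = len(failures) / len(evs)
        users = {e["user"] for e in failures}
        ips = {e["ip"] for e in failures}
        if (fail_ratio >= fail_ratio_threshold
                and len(users) >= min_distinct_users
                and len(ips) >= min_distinct_ips):
            alerts.append({
                "window_start": datetime.fromtimestamp(start, tz=timezone.utc)
                .strftime("%Y-%m-%dT%H:%M:%SZ"),
                "attempts": len(evs),
                "failures": len(failures),
                "fail_ratio": round(fail_ratio, 2),
                "distinct_users": len(users),
                "distinct_ips": len(ips),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_stuffing(parse_log(SAMPLE_LOG)):
        print("possible credential stuffing:", alert)
```

The distinct-IP condition is what separates this from a plain lockout counter: a single user retrying from one address never satisfies it, while a proxied combo-list run does. Per-IP rate limiting alone would miss the same traffic, which is why the window-level view matters.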
Alongside this, many large companies have proactively started monitoring data dumps and checking whether any of the affected email addresses exist in their systems. Finally, avoid reusing a password, even on the same website.
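The breach-corpus check that companies run when they monitor data dumps can also be applied at the moment a user sets a password, which directly blunts password reuse. The Python below is an added example, not code from the original article. It follows the k-anonymity lookup scheme used by HIBP's Pwned Passwords service: the client sends only the first five hex characters of the password's SHA-1 hash and receives every known suffix with its breach count, so the full hash never leaves the client. The network call is replaced here by an offline stand-in over a constructed corpus with made-up counts, so the example runs without connectivity; `simulated_range_lookup`, the corpus and `password_acceptable` are this example's own names.

```python
"""Check a candidate password against a breach corpus via k-anonymity (added example).

Protocol shape: hash -> send 5-char prefix -> receive 'SUFFIX:COUNT' lines ->
match the remaining 35 characters locally. The server learns only the prefix.
"""
import hashlib

# Constructed corpus standing in for the remote data set; counts are invented.
CONSTRUCTED_BREACHED_PASSWORDS = {
    "password": 3730471,
    "letmein": 200000,
    "qwerty123": 3000,
}


def sha1_upper(password):
    """Uppercase hex SHA-1, the digest form the range lookup works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """Return (prefix, suffix): only the 5-char prefix is ever transmitted."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def simulated_range_lookup(prefix5):
    """Offline stand-in for the range query.

    Returns newline-separated 'SUFFIX:COUNT' lines for every corpus hash that
    shares the prefix, mirroring the response format of the real service.
    """
    lines = []
    for pw, count in CONSTRUCTED_BREACHED_PASSWORDS.items():
        digest = sha1_upper(pw)
        if digest[:5] == prefix5:
            lines.append(f"{digest[5:]}:{count}")
    return "\n".join(lines)


def breach_count(password, range_lookup=simulated_range_lookup):
    """Number of times the password appears in the corpus (0 if unseen).

    `range_lookup` is injectable so a real HTTPS client can be swapped in.
    """
    prefix, suffix = split_hash(password)
    for line in range_lookup(prefix).splitlines():
        sfx, _, count = line.strip().partition(":")
        if sfx == suffix:
            return int(count)
    return 0


def password_acceptable(password, min_length=12, range_lookup=simulated_range_lookup):
    """Registration-time policy: reject short or previously breached passwords."""
    if len(password) < min_length:
        return False
    return breach_count(password, range_lookup) == 0


if __name__ == "__main__":
    for candidate in ("password", "a-long-unique-passphrase-2020"):
        print(candidate, "->", "breached" if breach_count(candidate) else "not in corpus",
              "| acceptable:", password_acceptable(candidate))
```

Rejecting passwords that already appear in breach corpora is exactly the control that stops a combo list from working against your service even when a user has reused the credential elsewhere; it complements MFA rather than replacing it.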