An inside look at how credential stuffing operations work

Data breaches, custom software, proxies, IoT botnets, and hacking forums -- all play a role.
Written by Catalin Cimpanu, Contributor

Credential stuffing attacks are one of today's most prevalent threats to online businesses everywhere.

But despite this threat rising on everyone's radar in the infosec community, very little is known about how criminal groups are performing these attacks.

What is credential stuffing

Credential stuffing is a term used by the cybersecurity industry to describe a particular type of automated attack against a website or application's login system.

It relies on a hacker taking username-password combos that have been leaked via data breaches at other companies, and attempting to use these leaked credentials in the hope of gaining access to accounts on other sites -- exploiting users' habit of reusing usernames and passwords across multiple online services.


Credential stuffing is a relatively new attack vector and has been fueled by the huge leaks of user credentials that have taken place since 2016, after hacks at LinkedIn, VK.com, Tumblr, Twitter, and many other major platforms.

Hundreds of millions of username and password credentials were dumped online in 2016, and other leaks have continued to pop up regularly since then, supplying fresh cannon fodder for criminal gangs to use for their attacks.

The hackers and the tools

To carry out a credential stuffing attack, hacker groups only need three things: leaked credentials, a software app, and proxies.

Leaked credentials are not a problem. Most of this data is either already available in the public domain, or available for sale on hacking forums and dark web marketplaces.

A software app that parses lists of old credentials and automates login operations on remote websites is also not a problem. In fact, there are at least six such tools that hacker groups can buy online, according to a Recorded Future report, which include the likes of STORM, Black Bullet, Private Keeper, SNIPR, Sentry MBA, and WOXY.

[Screenshots of the STORM, Black Bullet, Private Keeper, and Sentry MBA tools. Images: Recorded Future]

These tools are all dirt cheap, and they're rarely sold for anything more than $50. Some were designed for checking one account at a time (but have been modified for mass credential checks), while others have been built or rebuilt from the ground up with credential stuffing in mind -- such as SNIPR and Sentry MBA.

The proxy botnets

But these tools would be useless if used without a veil of proxies that can take the avalanche of login requests and spread it across hundreds of thousands of IP addresses.

If a hacker used any of these tools from a single IP address, online providers (or web firewall products) would blacklist that IP after a few failed tries. Because of this, using a proxy with any of these tools is obligatory.
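The mechanics described above (one attempt per leaked username, spread across a proxy pool so that no single IP accumulates failures) mean a per-IP counter never trips; what remains visible are window-wide signals. As an added illustration, not code from the article or from any vendor named in it, the following Python computes both views over a constructed login log; the log format and the thresholds are assumptions.

```python
from collections import defaultdict
# Constructed sample logs (not from the article); fields: time src_ip username result.
# Stuffing window: many usernames, each tried once from a different proxy IP.
STUFFING_LOG = """\
10:00:01 203.0.113.5 alice FAIL
10:00:02 198.51.100.7 bob FAIL
10:00:02 192.0.2.9 carol FAIL
10:00:03 203.0.113.77 dave FAIL
10:00:03 198.51.100.130 erin FAIL
10:00:04 192.0.2.200 frank FAIL
10:00:04 203.0.113.8 grace OK
10:00:05 198.51.100.9 heidi FAIL
10:00:05 192.0.2.45 ivan FAIL
10:00:06 203.0.113.61 judy FAIL
10:00:07 198.51.100.21 alice OK
"""
# Normal window: one user mistypes once, then succeeds from the same address.
NORMAL_LOG = """\
10:00:01 203.0.113.5 alice FAIL
10:00:09 203.0.113.5 alice OK
10:00:15 198.51.100.7 bob OK
10:00:20 192.0.2.9 carol OK
"""
def parse(log):
    """Split each log line into a (time, ip, user, result) tuple."""
    return [tuple(line.split()) for line in log.splitlines() if line.strip()]

def per_ip_failures(events):
    """The counter a classic per-IP blacklist keys on."""
    counts = defaultdict(int)
    for _, ip, _, result in events:
        if result == "FAIL":
            counts[ip] += 1
    return dict(counts)

def stuffing_indicators(events, per_ip_threshold=5):
    """Window-wide signals that survive spreading attempts over proxies (thresholds assumed)."""
    fails = [e for e in events if e[3] == "FAIL"]
    failure_rate = len(fails) / len(events) if events else 0.0
    distinct_users = len({e[2] for e in fails})
    max_per_ip = max(per_ip_failures(events).values(), default=0)
    return {
        "failure_rate": round(failure_rate, 2),
        "distinct_failing_ips": len({e[1] for e in fails}),
        "distinct_failing_users": distinct_users,
        "max_failures_per_ip": max_per_ip,
        "per_ip_blacklist_fires": max_per_ip >= per_ip_threshold,
        # high failure rate spread across many accounts, yet no single IP stands out
        "stuffing_suspected": failure_rate > 0.5 and distinct_users >= 5 and max_per_ip < per_ip_threshold,
    }
```

On the stuffing window every proxy IP fails exactly once, so the per-IP blacklist stays silent while the failure rate and the count of distinct failing accounts both stand out; the normal window trips neither.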

Getting hold of a batch of proxies isn't very difficult. In fact, it's probably the easiest of the three primary tools that a hacker can get. They're incessantly advertised on hacking forums, via XMPP spam, on the dark web, or on closed cybercrime forums, and have been for years.

They're also extremely cheap, and available in multiple configurations and options. Some of these are hacked servers, some are mobile and desktop devices infected with malware, and some are home routers and IoT devices.


Hackers will use what they can get, when it comes to proxies, but the vast majority of credential stuffing attacks are currently being carried out via IoT botnets, ZDNet has learned.

TheMoon and Linux.ProxyM are the names of two botnets that have been blamed for relaying credential stuffing attacks through the IoT devices and routers they infected.

Two US internet service providers have told ZDNet that they've seen their own customer premises equipment (CPE) routers participate in credential stuffing attacks.

CenturyLink, a third ISP, confirmed to ZDNet in a previous interview in January that TheMoon had been carrying out credential stuffing attacks since the start of 2018.

"We witnessed multiple credential stuffing victims over the next couple of months," Mike Benjamin, head of Black Lotus Labs, the threat research and operations division of CenturyLink, told us. "While we would like to avoid naming victims, describing a few of them may be helpful to understand the nature of these attacks: a bank, an online retailer, a restaurant chain, a video streaming service."

The credential stuffing "economy"

The reason why hacker groups are carrying out such attacks is because they can make money by hijacking real users' accounts, which they later put up for sale on hacking forums or online shops dedicated to selling hacked data.

Image: Recorded Future

Other criminal groups buy these accounts and reuse them for various purposes. For example, "cracked" Netflix accounts are re-sold as part of Netflix pirating services; "cracked" PayPal profiles are sold to money mules who empty accounts of all funds; while "cracked" Amazon accounts are used to place fraudulent orders using payment card details already attached to the user's profile.

If there's any way a hacker or a fraudster could abuse a user's account, then that company will likely face a credential stuffing attack at one point or another.

And hacker groups have been launching credential stuffing attacks against all sorts of accounts, regardless of whether they belong to a small mom-and-pop shop or an Alexa Top 100 web portal.

Companies like ad blocker AdGuard, banking giant HSBC, social media site Reddit, video sharing portal DailyMotion, delivery service Deliveroo, enterprise tool Basecamp, restaurant chain Dunkin' Donuts, and tax filing service TurboTax have all publicly acknowledged being on the receiving end of credential stuffing attacks, where hackers had gained access to some accounts.

Targeting more than just public websites

Furthermore, hacker groups are also using these attacks to gain access to private websites that don't even have large user bases. For example, credential stuffing attacks have also been aimed at WordPress sites, some of which don't even allow user registration. Nonetheless, hackers are using credential stuffing in attempts to guess the admin account's password, so they can take over the site and use it in other malware distribution campaigns.

Similarly, credential stuffing attacks have been seen aimed at RDP, Telnet, and SSH endpoints, showing that servers and normal workstations can be targeted just as well as websites.

Although no company has ever admitted to getting hacked this way, corporate intranets and any other enterprise apps with a login form are also vulnerable to these types of attacks.

Protecting login forms

With credential stuffing operations believed to be generating tens of billions of login attempts every year, this is a threat that companies should not be ignoring, especially those active in the financial, retail, and multimedia sectors, which, according to Akamai, have been targeted more than other verticals.

The way companies can thwart credential stuffing attacks is quite simple and involves deploying two-factor authentication to add an extra layer of security to user accounts.

