Credential stuffing attacks cause heartache for the financial sector

Over 30 billion login attempts using this attack technique have been recorded in less than a year.
Written by Charlie Osborne, Contributing Writer

The financial industry has always been a target for cyberattackers. Credit card data, customer information, and the wealth of corporate data available for the taking has ensured that cybercriminals will try, again and again, to compromise companies in the sector.

In August, cyberattackers made off with $13.5 million in a bank heist by compromising India's Cosmos financial systems.

The MoneyTaker hacking group is suspected of stealing millions from banks in the UK, US, and Russia, while IBM is receiving more requests than ever to improve the security of ATMs following a swathe of ATM jackpotting campaigns.

According to cybersecurity firm Akamai's 2018 State of the Internet report, organizations in the financial sector must also be wary of a new trend -- the increasing popularity of credential stuffing attacks.

Often carried out by botnets, credential stuffing describes the use of stolen or leaked credentials in automated injection attacks. Automated scripts hammer online services with credentials in the hope that a username or email address and password pair is accepted as legitimate -- which, in turn, permits account hijacking and takeovers.

One of the core problems in today's consumer and employee security practices is the reuse of the same email and password combination across multiple online services. When a data breach occurs, such as the LinkedIn 2012 security incident in which 112 million credentials were exposed, the story doesn't end there.

These credentials may end up online and public or for sale on the Dark Web. Massive data dumps full of stolen credentials can be found in the Web's underbelly, all of which can be fed to batch scripts that automatically attempt to log in to services.

If victims are not aware their information has been leaked in such a way and have not changed their credentials for every service which uses the same combination, this can result in successful credential stuffing attacks.
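A defender-side counterpart to the reuse problem described above is to screen passwords against a breach corpus at registration or reset time, so that a combination already circulating in a dump is never accepted. The following is an added example, not code from the article or from any vendor: the breach corpus (SAMPLE_LEAKED), the five-character prefix index and the `query_range` stand-in are all constructed here so it runs offline; the prefix-range shape mirrors the k-anonymity lookup used by services such as Pwned Passwords, where only the first five hex characters of the SHA-1 digest ever leave the client.

```python
"""Screening a password against a breach corpus by hash-prefix range lookup.

Added example. SAMPLE_LEAKED is a constructed stand-in for a breach dump, and the
range index is built locally so the example runs without any network access.
"""
import hashlib
from collections import Counter, defaultdict

# Constructed corpus of "leaked" passwords; repetition models prevalence in a dump.
SAMPLE_LEAKED = ["password", "password", "123456", "qwerty", "letmein", "welcome1"]


def sha1_hex(password):
    """Upper-case hex SHA-1, the digest form breach-corpus range lists use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked):
    """Index hash suffixes by their 5-hex-char prefix, keeping occurrence counts."""
    index = defaultdict(dict)
    for pw, n in Counter(leaked).items():
        digest = sha1_hex(pw)
        index[digest[:5]][digest[5:]] = n
    return index


def query_range(index, prefix):
    """Stand-in for a remote range endpoint: only the 5-char prefix is sent, and
    every suffix under that prefix comes back, so the server never learns which
    password was checked."""
    if len(prefix) != 5:
        raise ValueError("prefix must be 5 hex characters")
    return dict(index.get(prefix.upper(), {}))


def breach_count(password, index):
    """Return how often the password appears in the corpus (0 if unseen)."""
    digest = sha1_hex(password)
    return query_range(index, digest[:5]).get(digest[5:], 0)


def password_acceptable(password, index, min_length=12):
    """Policy check a registration or reset flow could apply: reject anything
    present in the corpus first, then apply a length floor."""
    if breach_count(password, index) > 0:
        return False, "appears in breach corpus"
    if len(password) < min_length:
        return False, "too short"
    return True, "ok"


if __name__ == "__main__":
    idx = build_range_index(SAMPLE_LEAKED)
    for candidate in ["password", "welcome1", "correct horse battery staple"]:
        print(candidate, breach_count(candidate, idx), password_acceptable(candidate, idx))
```

Checking the breach corpus before the length rule matters: a leaked password that happens to be long is still a credential-stuffing liability, whereas a long unseen passphrase is not.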

In July, the leak of thousands of account credentials belonging to file storage service Mega was believed to be due to credential stuffing, rather than a compromise of Mega's systems.

If a financial account is compromised in such a way, this may lead to the theft of funds or stock portfolio tampering. If the account belongs to an employee of the organization, the damage could be deeper, with the compromise of internal banking systems.

Akamai has witnessed a surge in credential stuffing attacks of late. Between November 2017 and June 2018, over 30 billion malicious login attempts were recorded.

While the success rate for such attacks is relatively low, the ease with which they can be performed keeps them popular.

In two particular cases recorded by Akamai, the botnets behind credential stuffing campaigns gave themselves away through heavy-handed operation and massive surges in traffic.

The first scenario involved an unnamed Fortune 500 company. Login attempts jumped from an average of 50,000 an hour to over 350,000 in a single afternoon. Examination of the spike in traffic revealed a botnet which had been ordered to send hundreds of malicious login requests per minute.

Over the course of six days, the firm recorded roughly seven million legitimate login attempts -- as well as over 8.5 million malicious attempts generated by the botnet. In total, the botnet comprised over 20,000 endpoints on 4,923 different ASNs.

The second case related to a US credit union which became the target of automated credential stuffing. The union would often record a spike in traffic around lunchtime which could sometimes reach 45,000 login attempts every 60 minutes.

However, a rather noisy botnet launched a brute-force attack which ramped up this rate to 4.2 million attempts over the course of seven days.

The sheer force of the attack alerted the union to the suspicious activity, leading to the discovery of another two botnets which were also operating against the organization.
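Both cases above were caught the same way: the hourly login rate leapt far above its normal level, and a closer look at the spike showed traffic spread across thousands of endpoints and ASNs. The detector below is an added example, not Akamai's code or anything from the report. The log format, field names (including a per-line `asn=` field that a real pipeline would have to enrich from the source address) and all sample data are constructed; the sample scales the 50,000-to-350,000-per-hour jump down to 5 and 35 so it can be read at a glance. Beyond the rate check, it reports the distribution signals a responder would want next: how many distinct sources and ASNs were involved, how many distinct usernames were tried, and the failure ratio.

```python
"""Login-traffic spike triage for credential-stuffing detection.

Added example, not code from Akamai or the report. Log format, field names and
all sample data are constructed for illustration.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: one line per login attempt, ISO timestamp first.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>\S+) asn=(?P<asn>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def build_sample_log():
    """Construct a synthetic log: six quiet hours of five attempts each from a
    handful of repeat users, then one hour with 35 attempts, each from a
    different source and ASN, each trying a different username, mostly failing.
    None of this is real traffic."""
    lines = []
    start = datetime(2018, 6, 1, 8, 0, 0)
    for hour in range(6):
        for i in range(5):
            ts = start + timedelta(hours=hour, minutes=10 * i)
            lines.append(
                f"{ts.isoformat()} src=10.0.0.{i + 1} asn=AS64500 "
                f"user=employee{i} result={'fail' if i == 0 else 'ok'}"
            )
    spike = start + timedelta(hours=6)
    for i in range(35):
        ts = spike + timedelta(seconds=100 * i)
        lines.append(
            f"{ts.isoformat()} src=192.0.2.{i + 1} asn=AS{65000 + i} "
            f"user=victim{i} result={'ok' if i % 7 == 0 else 'fail'}"
        )
    return lines


def hourly_stats(lines):
    """Bucket parsed attempts by hour; unparseable lines are counted and skipped."""
    buckets = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                   "sources": set(), "asns": set(), "users": set()})
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        hour = datetime.fromisoformat(m["ts"]).replace(minute=0, second=0, microsecond=0)
        b = buckets[hour.isoformat()]
        b["attempts"] += 1
        if m["result"] == "fail":
            b["failures"] += 1
        b["sources"].add(m["ip"])
        b["asns"].add(m["asn"])
        b["users"].add(m["user"])
    return buckets, skipped


def detect_spikes(lines, factor=3.0):
    """Flag hours whose attempt count exceeds `factor` times the median hourly
    rate. The median is used rather than the mean so that the spike itself does
    not inflate the baseline it is compared against. Each finding carries the
    distribution signals that separate a distributed credential-stuffing run
    (many sources, many ASNs, one username per source, high failure ratio) from
    a single misbehaving client."""
    buckets, _ = hourly_stats(lines)
    if not buckets:
        return []
    baseline = statistics.median(b["attempts"] for b in buckets.values())
    findings = []
    for hour, b in sorted(buckets.items()):
        if b["attempts"] > factor * baseline:
            findings.append({
                "hour": hour,
                "attempts": b["attempts"],
                "baseline": baseline,
                "distinct_sources": len(b["sources"]),
                "distinct_asns": len(b["asns"]),
                "distinct_users": len(b["users"]),
                "failure_ratio": round(b["failures"] / b["attempts"], 3),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_spikes(build_sample_log()):
        print(finding)
```

A fixed multiplier over a median baseline is deliberately crude; the credit union case shows why the baseline must be taken per time-of-day (its lunchtime peak was normal), so a production version would keep one median per hour-of-day rather than one for the whole window.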

According to the report, the US, Russia, and Vietnam are the primary sources for credential stuffing attacks.

Research conducted by the Ponemon Institute suggests that up to 70 percent of individuals within organizations believe the tools needed to defend against these attacks diminish the web experience of legitimate users. While the attack costs businesses up to $6 million per year, only 30 percent of companies have introduced tools and solutions to mitigate the threat of compromise.

"Every business is impacted by credential stuffing botnets," Akamai says. "Many businesses just see the traffic because of scatter shot scans, but financial services and retail sites are prime targets. Account takeover is profitable for attackers, guaranteeing that it will be a threat for the foreseeable future."
