Credential stuffing
What is credential stuffing?
Credential stuffing is a cyberattack in which attackers use illicitly acquired login credentials, usernames together with their passwords, to gain unauthorized access to accounts or systems. These credentials are typically the product of previous data breaches or are sourced from the dark web. Attackers then replay the stolen credentials against many other systems and accounts, relying on the fact that many individuals reuse the same password or login credentials across multiple accounts, online services, and platforms. This practice is known as credential overlap.
About the attack
Historical context
Credential stuffing attacks gained prominence in the early 2010s as cybercriminals recognized the value of stolen login credentials. Several high-profile data breaches, such as the LinkedIn breach in 2012 and the Yahoo breach in 2013, exposed vast databases of user credentials. As attackers honed their techniques, they developed sophisticated automated tools and scripts to streamline the process of testing stolen credentials on various online platforms. These tools enabled attackers to conduct large-scale attacks with minimal effort.
Attack flow
Credential stuffing attacks usually follow a distinct attack flow:
1. Acquiring stolen credentials: Attackers either purchase or obtain lists of usernames and passwords from illegal sources on the dark web. These datasets are often the result of data breaches.
2. Automated login attempts: Attackers deploy automated bots or scripts designed to attempt logins across many user accounts systematically. These bots are programmed to mimic legitimate login attempts while concealing the attackers' true IP addresses, making the activity harder to detect.
3. Account access: Attackers gain unauthorized access when a bot successfully matches a stolen credential pair with an account. Once inside, they can potentially access sensitive information.
4. Continuous monitoring: Attackers closely monitor the bots as they continue to test the same username and password combinations against other accounts. Once they gain access to an account, they decide what information to extract and how to proceed.
Credential stuffing vs. brute-force attack
Method
- Credential stuffing: Attackers use previously stolen username and password combinations to gain access to user accounts on multiple online services.
- Brute-force attack: Attackers systematically guess all possible combinations of usernames and passwords until the correct one is found.
Attack strategy
- Credential stuffing: Attackers rely on the fact that many individuals reuse the same login credentials across multiple online accounts, and systematically test the stolen credentials on various platforms.
- Brute-force attack: Brute-force attacks do not rely on stolen credentials. Instead, they start with the simplest or most common passwords and systematically iterate through all possible combinations.
Attack characteristics
- Credential stuffing: Attackers often use automated tools and bots to speed up the process of testing stolen credentials on multiple platforms.
- Brute-force attack: Systematically guessing password combinations can be time-consuming, especially against strong passwords.
Detection mechanism
Detecting credential stuffing attacks requires a combination of technological solutions, monitoring, and user education.
- Use anomaly detection algorithms to identify unusual login patterns, such as multiple failed login attempts from different geographic locations in a short period. Anomalies can trigger alerts for further investigation.
- Monitor the geographic locations of login attempts. If login attempts occur from widely separated locations within a short time, this may indicate an attack. Geolocation data can be derived from the source IP addresses.
- Implement behavioural analysis systems that examine user behaviour during logins. These systems can detect unusual patterns, such as login attempts during non-standard hours or from unfamiliar devices.
- Subscribe to threat intelligence feeds that provide information on known malicious IP addresses or patterns associated with credential stuffing attacks. Block or monitor traffic from these sources.
- Employ security information and event management (SIEM) systems to aggregate and analyse log data from various sources. A SIEM can help identify the patterns and anomalies that indicate credential stuffing attempts.
ManageEngine Log360 is a unified SIEM solution with integrated DLP and CASB capabilities that uses a combination of predefined and custom correlation rules, real-time alerting, and automated workflows to detect and mitigate credential stuffing attacks.
Detect and mitigate credential stuffing attacks with Log360
1. Correlation rules
Correlation rules are predefined or custom-configured rules that trigger alerts or actions when specific patterns or events occur in the log and event data. Log360 offers a correlation rule for brute-force attacks that can be modified to also detect credential stuffing attacks. The rule takes a threshold for the maximum number of failed logons (Windows event ID 4625) from one account.
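The following is an added illustration, not Log360's rule engine, of the two correlation rules discussed on this page: the per-account failed-logon threshold (event ID 4625) used for brute force, and the adaptation that catches credential stuffing, where one source touches many different accounts with only one or two attempts each (the fan-out pattern the detection mechanism section describes). The event records, the five-minute window and the thresholds of 5 are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in the shape of Windows Security log events:
# (timestamp, event ID, target account, source IP); 4625 = failed logon, 4624 = success.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", 4625, "alice", "203.0.113.10"),
    ("2024-05-01T09:00:01", 4625, "bob", "203.0.113.10"),
    ("2024-05-01T09:00:02", 4625, "carol", "203.0.113.10"),
    ("2024-05-01T09:00:03", 4625, "dave", "203.0.113.10"),
    ("2024-05-01T09:00:04", 4624, "erin", "203.0.113.10"),  # a reused password succeeded
    ("2024-05-01T09:10:00", 4625, "admin", "198.51.100.7"),
    ("2024-05-01T09:10:05", 4625, "admin", "198.51.100.7"),
    ("2024-05-01T09:10:10", 4625, "admin", "198.51.100.7"),
    ("2024-05-01T09:10:15", 4625, "admin", "198.51.100.7"),
    ("2024-05-01T09:10:20", 4625, "admin", "198.51.100.7"),
    ("2024-05-01T09:30:00", 4625, "alice", "192.0.2.44"),   # one mistyped password: no alert
]

def correlate(events, window=timedelta(minutes=5), max_failed=5, max_accounts=5):
    """Return (rule, key, count) alerts; each rule fires once per key.
    brute_force: at least max_failed 4625 events for one account within the window.
    credential_stuffing: one source IP touching at least max_accounts distinct
    accounts within the window (successes count too: a stuffing run looks like
    one attempt per account rather than many attempts on one account)."""
    failures = defaultdict(deque)   # account -> timestamps of its 4625 events
    touched = defaultdict(deque)    # source IP -> (timestamp, account) pairs
    alerts, fired = [], set()
    def expire(q, now, stamp):      # drop entries older than the sliding window
        while q and now - stamp(q[0]) > window:
            q.popleft()
    for ts, event_id, account, src in sorted(events):
        now = datetime.fromisoformat(ts)
        if event_id == 4625:                      # the page's brute-force rule
            q = failures[account]
            q.append(now)
            expire(q, now, lambda t: t)
            if len(q) >= max_failed and ("brute_force", account) not in fired:
                fired.add(("brute_force", account))
                alerts.append(("brute_force", account, len(q)))
        if event_id in (4624, 4625):              # the credential-stuffing adaptation
            q = touched[src]
            q.append((now, account))
            expire(q, now, lambda pair: pair[0])
            distinct = {a for _, a in q}
            if len(distinct) >= max_accounts and ("credential_stuffing", src) not in fired:
                fired.add(("credential_stuffing", src))
                alerts.append(("credential_stuffing", src, len(distinct)))
    return alerts
```

Note that the lone failure for alice at 09:30 raises nothing under either rule, while the 203.0.113.10 run is caught even though no single account saw more than one attempt.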


2. Real-time alerting
Once the maximum number of login attempts has been reached, the solution will trigger a real-time alert. This alert serves as an immediate notification to the SOC team, indicating that a security event has occurred that aligns with the predefined rule for detecting excessive login attempts.
3. Automated workflows
A security incident can easily be managed by setting up incident workflows. These workflows execute automatically and can be configured to disable compromised user accounts and terminate processes. Workflows can be associated and integrated with alert profiles so that they execute as soon as an alert is raised, helping reduce alert fatigue and ensuring an immediate response.
