Online retailers, banks, hotels, and airlines have been struggling with a tidal wave of credential stuffing; by one estimate this form of attack accounts for over 90% of login traffic at ecommerce sites. Credential stuffing is fast becoming a significant problem for the gaming industry as well. A recent report by Akamai Technologies found that gaming sites were the target of 12 billion of the 55 billion credential stuffing attempts Akamai recorded over a 17-month period.
Attackers favor credential abuse, Akamai notes in the report, because it is a low-risk venture with high profit potential. Months or even years may pass between the theft of a set of credentials and the moment the victim learns they have been used in a breach. Thirty-two percent of organizations admit to lacking visibility into credential stuffing, and a further 30% say they are unable to detect or mitigate it.
What is credential stuffing?
Credential stuffing is sometimes confused with password spraying. Both attacks abuse credentials, but they play out quite differently.
In a password spraying attack, the attacker compiles a list of user names for the target system, then tries each of them against a separate, short list of common passwords such as "qwerty" and "trustno1." The odds are good that at least one user has chosen one of those passwords. It is a slow process, but because no single account sees more than a handful of failed attempts, it stays under per-account lockout thresholds, which makes password spraying hard to detect.
In contrast to password spraying's slow, low-volume approach, credential stuffing is automated and high-volume. Attackers combine login automation with proxies, often IoT botnets, to bombard target systems with username/password pairs harvested from the many large data breaches of recent years. The attack relies on the fact that, despite repeated warnings, many people still reuse the same login credentials on multiple sites, including mixing home and work logins. To get around safeguards that block large numbers of login attempts from a single IP address, the tooling rotates through proxy IPs and spoofs browser identifiers such as the user agent string, so that each attempt appears to come from a different client.
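The two patterns described above leave different fingerprints in a login log, and the difference is what a detection rule keys on. The following is an added example, not code from the article or from Akamai: it classifies one window of login events as password spraying (few source IPs, many accounts, at most a couple of failures per account), credential stuffing (the same low per-account count but failures arriving from many IPs and many browser identities) or normal traffic. The log format, field names and thresholds are assumptions, and the three sample logs are constructed, not captured traffic.

```python
"""
Added example (not code from the original article): telling password
spraying apart from credential stuffing in a web login log.

Assumed log format (an assumption, not something the article specifies):
  <ISO-8601 timestamp> ip=<addr> user=<name> result=<ok|fail> ua="<user agent>"
Thresholds are illustrative and would be tuned per site.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) '
    r'result=(?P<result>ok|fail) ua="(?P<ua>[^"]*)"$'
)


def parse_log(lines):
    """Parse lines in the assumed format; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def summarize(events):
    """Aggregate the signals the classifier looks at, over the failed logins."""
    fails = [e for e in events if e["result"] == "fail"]
    per_user = Counter(e["user"] for e in fails)
    return {
        "attempts": len(events),
        "failures": len(fails),
        "fail_ratio": len(fails) / len(events) if events else 0.0,
        "distinct_users": len(per_user),
        "distinct_ips": len({e["ip"] for e in fails}),
        "distinct_uas": len({e["ua"] for e in fails}),
        "max_fails_per_user": max(per_user.values(), default=0),
    }


def classify(events, min_failures=20, high_fail_ratio=0.8):
    """Label one time window of login events."""
    s = summarize(events)
    if s["failures"] < min_failures or s["fail_ratio"] < high_fail_ratio:
        return "normal"
    # Spraying: one or a few sources walk a password across many accounts,
    # never hitting any single account often enough to trip lockout.
    if s["distinct_ips"] <= 3 and s["max_fails_per_user"] <= 2:
        return "password_spraying"
    # Stuffing: the same low per-account count, but the failures arrive
    # from many IPs and many browser identities (proxy and UA rotation).
    if s["distinct_ips"] >= min_failures // 2 and s["distinct_uas"] >= 5:
        return "credential_stuffing"
    return "suspicious"


# --- constructed sample logs (synthetic, not captured traffic) --------------
T0 = datetime(2019, 6, 1, 3, 0, 0)
UAS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14)",
    "Mozilla/5.0 (X11; Linux x86_64)",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0)",
    "Mozilla/5.0 (Linux; Android 9)",
    "python-requests/2.21.0",
]


def _render(records):
    """Turn (offset_seconds, ip, user, result, ua) tuples into log lines."""
    return [
        f'{(T0 + timedelta(seconds=off)).isoformat()} ip={ip} user={user} '
        f'result={res} ua="{ua}"'
        for off, ip, user, res, ua in records
    ]


# One IP, one password tried against 30 accounts, 20 s apart.
SPRAY_LOG = _render(
    (i * 20, "203.0.113.7", f"user{i:02d}", "fail", UAS[2]) for i in range(30)
)
# 40 accounts hit from 40 IPs with rotating user agents; one pair works.
STUFFING_LOG = _render(
    (i * 3, f"198.51.100.{i}", f"cust{i:03d}", "ok" if i == 17 else "fail", UAS[i % 6])
    for i in range(40)
)
# Ordinary morning traffic: 25 users, two typed their password wrong.
NORMAL_LOG = _render(
    (i * 45, f"192.0.2.{i}", f"staff{i:02d}", "fail" if i in (4, 11) else "ok", UAS[i % 5])
    for i in range(25)
)

if __name__ == "__main__":
    for name, log in [("spray", SPRAY_LOG), ("stuffing", STUFFING_LOG), ("normal", NORMAL_LOG)]:
        print(name, classify(parse_log(log)))
```

The point of the two branches in `classify` is that per-account failure counts, the signal most lockout policies watch, look the same in both attacks; what separates them is source diversity, which is why a stuffing defense has to aggregate across IPs and user agents rather than per account.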
Once the attackers find a login that works, what happens next depends on the type of account they have taken over. If it is an ecommerce site, they may steal discount codes, rewards points, or other promotions saved to the account, or make purchases with a saved payment method and have the goods shipped to an address they control for resale. Loyalty rewards points are highly prized because they can be converted into cash, airline miles, or merchandise; Dunkin' Donuts was hit by two such attacks on its DD Perks program in less than three months.
In the gaming industry, attackers go after accounts holding virtual merchandise, such as additional weapons, skins, or character upgrades that must be purchased or earned through play. The account can be sold as-is on dark web markets or, if it is linked to a saved payment method, the attacker may first buy additional upgrades to make it more valuable before selling it.
What can be done to prevent credential stuffing?
The best defense for individuals is to never reuse a password: one unique password per site means a breach at one service cannot be replayed against another. Remembering all of those passwords is impossible without an eidetic memory, but a password manager such as LastPass or Dashlane can keep track of them. These tools also generate strong random passwords and warn you when you are reusing a password across sites.
Prevention for enterprises is trickier. A company can generate strong passwords for its employees, but it cannot stop them from using the same password on personal accounts, and it has almost no control over what its customers do. Multi-factor authentication is a strong safeguard, since a stolen password alone is no longer enough to log in. Even requiring users to solve CAPTCHAs can throw a wrench into credential stuffing attacks, as Basecamp discovered.
Other measures include subscribing to a breach-notification service and forcing a password reset for any user whose credentials turn up in a published breach, screening new passwords against a corpus of known-breached passwords at registration and reset time, and consulting a cybersecurity firm about technical controls such as client-side bot detection (JavaScript challenges that headless login scripts fail to execute). One caveat on the traditional advice to force password changes at regular intervals: NIST SP 800-63B now recommends against arbitrary periodic resets, which tend to push users toward predictable variations, and instead recommends the breach-corpus screening described above.
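Screening a password against a breach corpus is the defense most directly aimed at credential stuffing, and it has to be done without sending the user's password anywhere. The following added example (not the article's code, nor any vendor's) implements the k-anonymity range-query pattern used by Have I Been Pwned's Pwned Passwords API (GET https://api.pwnedpasswords.com/range/<first 5 hex chars of the SHA-1>, which returns "SUFFIX:COUNT" lines): only a 5-character hash prefix leaves the client, and the match is made locally on the returned suffixes. To run offline it serves the range query from a small constructed corpus with made-up counts; the function names and the `range_lookup` hook are assumptions of this example.

```python
"""
Added example (not from the article or any vendor's code): screening a
candidate password against a breach corpus without revealing the password,
using the k-anonymity range-query pattern of the Pwned Passwords API
(https://api.pwnedpasswords.com/range/<5-hex-prefix>).

To stay offline this example answers the range query from a small
constructed corpus; its contents and counts are made up for illustration.
"""
import hashlib


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, the form the API indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_prefix(digest: str):
    """5-char prefix that is sent to the server, 35-char suffix kept locally."""
    return digest[:5], digest[5:]


# Constructed stand-in for breach data (illustrative counts, not real).
_CONSTRUCTED_CORPUS = {
    "password": 3861493,
    "qwerty": 3912816,
    "trustno1": 200000,
    "Summer2019!": 57,
}


def _build_range_index():
    """Index the constructed corpus by 5-char SHA-1 prefix, as the API does."""
    index = {}
    for pw, count in _CONSTRUCTED_CORPUS.items():
        prefix, suffix = split_prefix(sha1_hex(pw))
        index.setdefault(prefix, []).append(f"{suffix}:{count}")
    return index


_RANGE_INDEX = _build_range_index()


def local_range_lookup(prefix: str) -> str:
    """Stand-in for GET /range/<prefix>: 'SUFFIX:COUNT' lines for every corpus
    hash sharing that prefix (possibly none). CRLF-separated like the real API."""
    return "\r\n".join(_RANGE_INDEX.get(prefix, []))


def breach_count(password: str, range_lookup=local_range_lookup) -> int:
    """How many times the password appears in the corpus. Only the 5-char
    prefix reaches the lookup; matching happens on the returned suffix list."""
    prefix, suffix = split_prefix(sha1_hex(password))
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def acceptable_password(password: str, range_lookup=local_range_lookup,
                        min_length: int = 8) -> bool:
    """Registration/reset check in the spirit of NIST SP 800-63B: enforce a
    length floor and reject anything that appears in a breach corpus."""
    return len(password) >= min_length and breach_count(password, range_lookup) == 0


if __name__ == "__main__":
    for pw in ("trustno1", "Summer2019!", "correct horse battery staple"):
        print(pw, breach_count(pw), acceptable_password(pw))
```

In production, `range_lookup` would be replaced by a function that performs the HTTPS GET and returns the response body; the parsing in `breach_count` is unchanged because the real response has the same "SUFFIX:COUNT" line format. A rejected password should be refused with a message that it has appeared in a data breach, and the same check can be run in bulk against password hashes at login time to force resets for accounts that would otherwise be easy stuffing targets.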