Credential stuffing attacks are some of the most common bot-based threats facing applications today. Virtually any site or application with a login page is a potential target for credential stuffing. In this blog, we take a look at what credential stuffing is, how it can impact your apps and users, and how you can use the ThreatX WAAP++ to keep yourself protected.
Credential Stuffing Background
Credential stuffing is a technique used by attackers to break into user accounts on a site or application by reusing credentials that have been compromised in previous breaches. The attacker is relying on the fact that end users often (and inadvisably) use the same username and password on multiple sites. So, if a user’s credentials are compromised in a breach at ACME.com, the attacker can use those same credentials to break into an account on YourCo.com.
Like many attacks against login pages, credential stuffing requires the attacker to test a large number of credentials, so it almost always relies on bots. Bots do more than automate the testing: a distributed botnet spreads the attempts over a large number of IP addresses, making attacking nodes hard to distinguish from legitimate users. And unlike a brute force attack, which throws many passwords at a single account, a credential stuffing attack typically tries only one or two passwords per account, so no single account accumulates enough failures to trigger threshold-based alerts or lockouts. Attackers also probe the WAF to learn how many failed attempts trigger a block, then stay under that number and return repeatedly to resume the attack.
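To make that evasion concrete, the following is an added example (not ThreatX's code, nor anything from the original post) that runs three detectors over a constructed authentication log: a per-account lockout, a per-IP failure threshold, and a campaign-level check that looks at how failures are distributed across accounts within a time window. The log format, the thresholds and the traffic itself are all constructed assumptions.

```python
"""Why per-account lockouts miss credential stuffing, and a signal that does not.

Added example, not ThreatX or original-post code. Log format, thresholds and
traffic are constructed assumptions.
"""
from collections import Counter, defaultdict

# Constructed auth log: "<epoch> <src_ip> <username> <result>", one login attempt per line.
# First 10 lines: a stuffing run, 5 bot IPs x 2 attempts, one password tried per account.
# Next 10 lines: ordinary traffic, including one user who mistypes a password three times.
SAMPLE_LOG = """\
1700000000 203.0.113.10 alice FAIL
1700000001 203.0.113.10 bob FAIL
1700000002 203.0.113.11 carol OK
1700000003 203.0.113.11 dave FAIL
1700000004 203.0.113.12 erin FAIL
1700000005 203.0.113.12 frank FAIL
1700000006 203.0.113.13 grace FAIL
1700000007 203.0.113.13 heidi OK
1700000008 203.0.113.14 ivan FAIL
1700000009 203.0.113.14 judy FAIL
1700000100 198.51.100.7 alice OK
1700000101 198.51.100.8 judy FAIL
1700000102 198.51.100.8 judy FAIL
1700000103 198.51.100.8 judy FAIL
1700000104 198.51.100.8 judy OK
1700000105 198.51.100.9 mallory OK
1700000106 198.51.100.20 bob OK
1700000107 198.51.100.21 carol OK
1700000108 198.51.100.22 dave OK
1700000109 198.51.100.23 erin OK
"""
# A classic brute force for contrast: 10 guesses at one account from one IP.
SAMPLE_LOG += "".join(f"{1700000200 + i} 192.0.2.50 victim FAIL\n" for i in range(10))

LOCKOUT_FAILS = 5      # per-account lockout threshold (assumed)
PER_IP_FAILS = 10      # per-source block threshold (assumed)
WINDOW_SECONDS = 60
MIN_ATTEMPTS = 10      # too few attempts to judge a window
MAX_FAIL_RATIO = 0.5   # assumed: ordinary traffic fails far less often than this
MIN_SPREAD = 0.8       # failures spread over distinct accounts, i.e. about one try each


def parse_log(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append({"ts": int(ts), "ip": ip, "user": user, "ok": result == "OK"})
    return events


def per_account_lockouts(events, limit=LOCKOUT_FAILS):
    """Accounts a classic lockout policy would lock."""
    fails = Counter(e["user"] for e in events if not e["ok"])
    return sorted(u for u, n in fails.items() if n >= limit)


def per_ip_blocks(events, limit=PER_IP_FAILS):
    """Source IPs a classic per-IP failure threshold would block."""
    fails = Counter(e["ip"] for e in events if not e["ok"])
    return sorted(ip for ip, n in fails.items() if n >= limit)


def stuffing_windows(events, window=WINDOW_SECONDS):
    """Campaign-level signal: windows where failures are unusually common AND
    spread thinly over many distinct accounts (about one try per account)."""
    buckets = defaultdict(list)
    for e in events:
        buckets[e["ts"] // window].append(e)
    flagged = []
    for b in sorted(buckets):
        evs = buckets[b]
        fails = [e for e in evs if not e["ok"]]
        if len(evs) < MIN_ATTEMPTS or not fails:
            continue
        fail_ratio = len(fails) / len(evs)
        accounts = {e["user"] for e in fails}
        spread = len(accounts) / len(fails)  # 1.0 means every failure hit a different account
        if fail_ratio >= MAX_FAIL_RATIO and spread >= MIN_SPREAD:
            flagged.append({
                "start": b * window,
                "attempts": len(evs),
                "failures": len(fails),
                "fail_ratio": round(fail_ratio, 2),
                "distinct_failing_accounts": len(accounts),
                "source_ips": len({e["ip"] for e in fails}),
            })
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-account lockouts:", per_account_lockouts(evs))  # only the brute-forced account
    print("per-IP blocks:", per_ip_blocks(evs))                 # only the brute-forcing IP
    print("stuffing windows:", stuffing_windows(evs))          # only the distributed run
```

Run as-is: the lockout and per-IP thresholds catch only the single-account brute force, because no stuffed account and no bot IP ever exceeds two failures. The window check flags the stuffing run instead, on two properties the text describes: an abnormal failure share and almost no repeat attempts per account. The two successful logins inside that window are the takeovers a practitioner would then want to force back through re-authentication. Note that the window check is deliberately blind to the brute force (all failures land on one account), so the two kinds of detector complement rather than replace each other.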
The Impact of Credential Stuffing
For security teams, credential stuffing can be particularly frustrating because the root cause lies in a breach at another site. It is a clear example of how the impact of one breach spreads across the Internet, with serious consequences for completely unrelated sites and applications. Given widespread credential reuse and the steady pace of breaches, attackers have an ever-growing supply of credentials to use in credential stuffing attacks.
Naturally, credential stuffing can be used to compromise a valid end user’s account. In some cases the attacker uses this access directly to commit fraud, for example by making illegitimate purchases from the account. Alternatively, the attacker may resell the compromised account on the black market, or use it to spread malware or disinformation or to post fake reviews or comments. This can lead to financial damages as well as damage to brand reputation.
Credential stuffing can also harm applications in less obvious ways. Because bots do the testing, attackers are free to test in very large volumes, and it is not uncommon for automated visitors to account for the vast majority of login attempts on popular or high-value applications. That means most of a site’s login capacity may be spent serving bot traffic, with very real consequences for the availability and responsiveness of the site for actual end users. Controlling the bots at the heart of these attacks is therefore imperative both for end user account security and for the operational performance of the application.
Stopping Credential Stuffing Attacks With the ThreatX WAAP++
In order to consistently stop credential stuffing attacks, security teams need to be armed with the right tools. Traditional WAF-style signatures are unlikely to be of much help since the attack doesn’t rely on an exploit, but rather abuses the valid, exposed functionality of the application itself. Additionally, attackers are always evolving and employ a variety of techniques to evade detection.
To combat this, ThreatX uses an ensemble approach to detect and control credential stuffing attacks. It brings together multiple complementary techniques so that these bot-based threats are reliably detected and corroborated from multiple perspectives. These include, but are not limited to:
- Application Behavioral Analysis - ThreatX learns the normal behaviors and responses of your applications and recognizes changes that are associated with bots—such as visitors responding with non-human speed.
- Attacker Profiling - ThreatX continuously analyzes and learns the unique traits and indicators of automated attack platforms that distinguish them from valid visitors. This can include information such as the entity’s user agent, as well as a wide variety of other more obscure attributes.
- Entity Interrogation - ThreatX also actively challenges suspicious visitors to proactively distinguish bots from humans. These interrogations are transparent to valid users, but can deterministically reveal the presence of a bot. Blocking nodes based on the results of interrogation can help exhaust the attacker’s IP address arsenal, ultimately making the attack too costly and forcing the attacker to move on to a new, less formidable site.
- 90 Day Tracking – ThreatX tracks suspicious IPs for at least 90 days. Even if an attacker discovers the number of failed login attempts that triggers a block and stays under it, ThreatX recognizes suspicious entities when they return to resume the attack and blocks based on their overall risk.
- Global Threat Intelligence - ThreatX uses threat intelligence both from industry sources as well as findings gleaned from the Global ThreatX SOC. This can include the ability to identify hosts associated with botnets as well as Tor exit nodes and other proxies used for evasion.
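The 90-day tracking point is the one that most directly defeats the "stay under the threshold and come back" tactic, and it is easy to show in code. The following is an added example, not ThreatX's implementation: a naive failure counter that forgets everything outside a rolling window is compared with a per-entity risk ledger that keeps history for 90 days and accumulates weighted signals. The retention period, the signal weights, the block threshold and the attacker's visit pattern are all constructed assumptions.

```python
"""A resetting failure counter versus a risk ledger that remembers for 90 days.

Added example, not ThreatX code. The 90-day retention, signal weights, block
threshold and the attacker's visits are constructed assumptions.
"""
from datetime import datetime, timedelta

DAY = timedelta(days=1)
RETENTION = 90 * DAY              # how long an entity's history is kept (assumed)
WINDOW = timedelta(minutes=10)    # rolling window of the naive counter (assumed)
BLOCK_FAILS_PER_WINDOW = 5        # the threshold the attacker probes for (assumed)
RISK_BLOCK = 100                  # cumulative risk that triggers a block (assumed)
WEIGHTS = {"login_fail": 10, "challenge_fail": 40}  # assumed weights per signal

ATTACKER = "203.0.113.10"
T0 = datetime(2024, 1, 1)
# Constructed visits: the attacker returns daily for four days, each time stopping
# at 4 failures, one short of the naive threshold. Tuples are (entity, time, signal).
VISITS = [(ATTACKER, T0 + d * DAY + timedelta(seconds=k), "login_fail")
          for d in range(4) for k in range(4)]


class WindowedCounter:
    """Blocks on N failures inside a rolling window and forgets anything older."""
    def __init__(self):
        self.fails = {}

    def observe(self, entity, ts, signal):
        if signal != "login_fail":
            return False
        recent = [t for t in self.fails.get(entity, []) if ts - t < WINDOW]
        recent.append(ts)
        self.fails[entity] = recent
        return len(recent) >= BLOCK_FAILS_PER_WINDOW


class RiskLedger:
    """Accumulates weighted signals per entity and prunes them only after RETENTION,
    so returning below the per-visit threshold still drives the score upward."""
    def __init__(self):
        self.events = {}

    def observe(self, entity, ts, signal):
        kept = [(t, s) for t, s in self.events.get(entity, []) if ts - t < RETENTION]
        kept.append((ts, signal))
        self.events[entity] = kept
        return self.score(entity) >= RISK_BLOCK

    def score(self, entity):
        return sum(WEIGHTS[s] for _, s in self.events.get(entity, []))


def first_block(visits, detector):
    """Index of the visit at which the detector first blocks, or None if it never does."""
    for i, (entity, ts, signal) in enumerate(visits):
        if detector.observe(entity, ts, signal):
            return i
    return None


def score_after_gap(days):
    """Ledger score when the attacker fails once more `days` after the whole campaign;
    shows the retention pruning at the 90-day boundary."""
    ledger = RiskLedger()
    for entity, ts, signal in VISITS:
        ledger.observe(entity, ts, signal)
    ledger.observe(ATTACKER, VISITS[-1][1] + days * DAY, "login_fail")
    return ledger.score(ATTACKER)


if __name__ == "__main__":
    print("windowed counter blocks at visit:", first_block(VISITS, WindowedCounter()))  # None
    print("risk ledger blocks at visit:", first_block(VISITS, RiskLedger()))            # 9
    print("score one day after the campaign:", score_after_gap(1))                      # 170
    print("score 91 days after the campaign:", score_after_gap(91))                     # 10
```

The windowed counter never blocks: each day's four failures are forgotten before the next day's visit. The ledger blocks on the third day's second attempt, once ten failures have accumulated across visits, and a failure 91 days after the campaign finds the old history pruned. The same `observe` path is where other signals would land (a failed interrogation, for instance, carries the heavier `challenge_fail` weight here), which is what lets separate detection techniques corroborate one another on a single entity.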
These are just some of the ways that ThreatX addresses credential stuffing. It is also important to note that this is just one of the ways that attackers use bots to take advantage of modern applications. If you would like to learn more about how ThreatX protects applications from bots, exploits, DDoS, and API attacks, let's schedule a demo so you can see for yourself.