What is Credential Stuffing?
In recent years there has been a noticeable spike in the number of breaches and stolen user credential. Incidents have resulted from nation state operations and the U.S. Office of Personnel & Management compromise to data dumps of usernames/passwords by script kiddies. Nonetheless, the impact on the safety of user data and corporate resources has been dramatic. Hackers are consumers of previous data breaches, as they serve as treasure troves for threat actors to use and improve their operations.
Business Email Compromise Attacks are on the Rise
With this spike in credential compromises, the growth of new methods of attacks have risen. The number of business email compromises (BEC) attacks have increased and new attack techniques such as credential stuffing have been developed. Sophisticated BEC attacks have helped fill the pockets of attackers more easily than other attacks due to their highly targeted personal nature. Impersonating the CEO or CFO of a company and directing the Executive Assistant to transfer $150,000 to a given bank account has never been easier.
Credential Stuffing – Using Acquired Login Information
As with any attack, before the operation can be executed, the attacker must gain access. This has led to a need to develop new capabilities – enter credential stuffing.
Much like brute force attacks credential stuffing is the automated web injection of acquired usernames/passwords in order to fraudulently gain access to user accounts. Credential stuffing is a looming threat not only due to the massive volume of data dumps available across the dark web, but also because users oftentimes use the same username/password for personal accounts as they do with business accounts.
In this type of attack, the adversary doesn’t even need to craft an email impersonating the CFO asking to get funds transferred; the attacker simply uses credential stuffing to pivot to the financial system, HR system, etc. and authorizes the transactions themselves.
Credential Stuffing Breaches Impact Large Organization
Examples of credential stuffing are the breaches of Sony in 2011 which lead to the breach of Yahoo! (2012) And eventually Dropbox in 2012. Users across these three different corporations used the same passwords for their accounts. Hackers simply leverage credential stuffing to find what other corporations they can gain access to with the same user credentials.
Separate from the above, yet still using credential stuffing, was the compromise of JP Morgan Chase in 2014. During a forensics investigation of this hack, it was discovered that the previously breached Corporate Challenge website which JPMC sponsors used the same passwords across JPMC accounts providing greater access for attackers.