An inside look at how credential stuffing operations work

Image: Credential Stuffing

Credential stuffing attacks are one of today’s most prevalent threats to online businesses everywhere.

But despite this threat rising on everyone’s radar in the infosec community, very little is known about how criminal groups are performing these attacks.

What is credential stuffing

Credential stuffing is a term used by the cybersecurity industry to describe a particular type of automated attack against a website or application’s login system.

It relies on a hacker taking username-password combos that have been leaked via data breaches at other companies, and attempting to use these leaked credentials in the hope of gaining access to accounts on other sites — exploiting users’ habit of reusing usernames and passwords across multiple online services.

Credential stuffing is a relatively new attack vector and has been fueled by the huge leaks of user credentials that have taken place since 2016, after hacks at LinkedIn, VK.com, Tumblr, Twitter, and many other major platforms.

Hundreds of millions of username and password credentials were dumped online in 2016, and other leaks have continued to pop up regularly since then, supplying fresh cannon fodder for criminal gangs to use for their attacks.

The hackers and the tools

To carry out a credential stuffing attack, hacker groups only need three things: leaked credentials, a software app, and proxies.

Leaked credentials are not a problem. Most of this data is either already available in the public domain, or available for sale on hacking forums and dark web marketplaces.

A software app that parses lists of old credentials and automates login operations on remote websites is also not a problem. In fact, there are at least six such tools that hacker groups can buy online, according to a Recorded Future report, which include the likes of STORM, Black Bullet, Private Keeper, SNIPR, Sentry MBA, and WOXY.

STORM tool (Image: Recorded Future)

Black Bullet (Image: Recorded Future)

Private Keeper (Image: Recorded Future)

SNIPR (Image: Recorded Future)

Sentry MBA (Image: Recorded Future)

WOXY (Image: Recorded Future)

These tools are all dirt cheap, and they’re rarely sold for anything more than $50. Some were originally designed for checking one account at a time (but have since been modified for mass credential checks), while others, such as SNIPR and Sentry MBA, have been built or rebuilt from the ground up with credential stuffing in mind.
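The three ingredients described above (leaked credential lists, an automated login tool, and proxies) leave two distinct fingerprints in a site's login logs: a single source trying many different usernames with a poor success rate, and, once proxies spread the attempts across many addresses, a site-wide spike in failed logins against usernames that each appear only once. The following detector, an added example written for this article and not code from any of the tools or reports it mentions, runs both checks over a constructed sample log. The log format, thresholds, and IP addresses are assumptions chosen for illustration.

```python
"""Two-level credential stuffing detector over login logs (added example).

Level 1: per-source sliding window (catches a single-IP checker tool).
Level 2: site-wide ratio of distinct usernames to attempts and failure rate
         (catches proxy-distributed runs that stay under per-IP limits).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real traffic. Columns: timestamp, source IP, username, outcome.
# 198.51.100.x are ordinary users, 203.0.113.7 is a single-IP checker,
# 192.0.2.2x is the same list being pushed through six proxies.
SAMPLE_LOG = """\
2019-01-10T12:00:00Z 198.51.100.10 alice@example.com OK
2019-01-10T12:00:05Z 198.51.100.11 bob@example.com FAIL
2019-01-10T12:00:20Z 198.51.100.11 bob@example.com OK
2019-01-10T12:01:00Z 203.0.113.7 user01@example.com FAIL
2019-01-10T12:01:01Z 203.0.113.7 user02@example.com FAIL
2019-01-10T12:01:02Z 203.0.113.7 user03@example.com FAIL
2019-01-10T12:01:03Z 203.0.113.7 user04@example.com FAIL
2019-01-10T12:01:04Z 203.0.113.7 user05@example.com OK
2019-01-10T12:01:05Z 203.0.113.7 user06@example.com FAIL
2019-01-10T12:01:06Z 203.0.113.7 user07@example.com FAIL
2019-01-10T12:01:07Z 203.0.113.7 user08@example.com FAIL
2019-01-10T12:01:08Z 203.0.113.7 user09@example.com FAIL
2019-01-10T12:02:00Z 192.0.2.21 user10@example.com FAIL
2019-01-10T12:02:01Z 192.0.2.22 user11@example.com FAIL
2019-01-10T12:02:02Z 192.0.2.23 user12@example.com FAIL
2019-01-10T12:02:03Z 192.0.2.24 user13@example.com FAIL
2019-01-10T12:02:04Z 192.0.2.25 user14@example.com FAIL
2019-01-10T12:02:05Z 192.0.2.26 user15@example.com FAIL
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, username, success) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK"))
    return sorted(events)


def flag_sources(events, window=timedelta(minutes=5), min_attempts=8,
                 min_users=5, max_success=0.3):
    """Flag source IPs that, within one window, try many distinct usernames and mostly fail.

    A real user retrying a mistyped password hits one username; a checker tool
    walks a list, so the distinct-username count is the discriminating signal.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            successes = sum(1 for e in win if e[3])
            rate = successes / len(win)
            if len(win) >= min_attempts and len(users) >= min_users and rate <= max_success:
                # Keep the fullest matching window; "hits" are the accounts that
                # actually opened and should be force-reset and notified.
                flagged[ip] = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "success_rate": round(rate, 3),
                    "hits": sorted(e[2] for e in win if e[3]),
                }
    return flagged


def site_wide_signal(events, min_attempts=10, min_user_ratio=0.8, min_fail_rate=0.7):
    """Aggregate view over all events handed in (treat them as one time bucket).

    Proxy-distributed stuffing gives each IP only a handful of attempts, so the
    per-IP check stays quiet; the global shape (nearly every attempt is a
    different username, and nearly all of them fail) still stands out.
    """
    attempts = len(events)
    if attempts < min_attempts:
        return None
    users = {e[2] for e in events}
    failures = sum(1 for e in events if not e[3])
    summary = {
        "attempts": attempts,
        "distinct_users": len(users),
        "distinct_ips": len({e[1] for e in events}),
        "fail_rate": round(failures / attempts, 3),
    }
    summary["suspicious"] = (len(users) / attempts >= min_user_ratio
                             and failures / attempts >= min_fail_rate)
    return summary


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, info in flag_sources(evs).items():
        print(f"source {ip}: {info}")
    print("site-wide:", site_wide_signal(evs))
```

On the sample data the per-source check flags only 203.0.113.7 (nine usernames, one success), while the six proxied attempts from 192.0.2.2x never trip it; the site-wide check catches that second wave because 17 of 18 attempts hit a different username and 83% of them failed. In production both thresholds need tuning against the site's own baseline, and the "hits" list is the input to the response step (password reset and user notification), not just an alert.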

The proxy botnets
