Intuit recently notified users of its TurboTax software that their accounts might have been compromised using username/password combinations obtained from another source — what’s known as a credential-stuffing attack. The company said the hackers might have obtained the names, Social Security numbers, dates of birth, driver’s license numbers, and financial information of those affected.
In credential stuffing, hackers use botnets to systematically attempt to break into targets using login information that has been stolen from across the web. The attackers operate on the premise that many people use the same credentials for multiple services and accounts.
Credential stuffing costs organizations millions to tens of millions of dollars in fraud losses annually, according to the Ponemon Institute. Financial institutions and retailers are favorite targets for this technique. In fact, Shape Security has estimated that 232 million credential stuffing attacks are launched against financial institutions each day. Only about .05 percent are successful, but that still means thousands of organizations suffer breaches.
According to the Akamai 2018 State of the Internet/Security Credential Stuffing Attacks report, malicious login attempts are on the rise worldwide. Akamai detected approximately 3.2 billion malicious logins per month from January through April 2018, and over 8.3 billion malicious login attempts from bots in May and June 2018 – a monthly average increase of 30 percent. From the beginning of November 2017 through the end of June 2018, Akamai researcher analysis shows a total of more than 30 billion malicious login attempts.
In some instances, credential stuffing can mimic a distributed denial of service (DDoS) attack. The Akamai report recounts the case of a Fortune 500 financial services institution that was assaulted with 8.5 million malicious login attempts within 48 hours. Typically, the company’s website only sees 7 million login attempts in a week. The attack was carried out using a botnet comprising more than 20,000 devices and was capable of sending hundreds of requests a minute.
Another real-world example from the Akamai report illustrates a “low and slow” type of attack identified at a credit union in 2018. This financial institution saw a spike in malicious login attempts, which ultimately revealed a trio of botnets targeting its site. While a particularly noisy botnet caught their attention, the discovery of another botnet that had been very slowly and methodically trying to break in created a much greater concern.
While these cases involved attacks on consumer financial accounts, hackers also target privileged account credentials. Hackers who successfully crack a corporate user’s account are able to use credential escalation to move through the IT environment in search of higher-value credentials.
That’s why it’s critically important to establish privileged account management policies and best practices. Default passwords on systems should be changed, and unique credentials assigned to each administrator if possible. Administrators should be required to use a different strong password for each privileged account. Ideally, privileged credentials should be stored in a secure vault, rotated regularly, and “checked out” when needed.
Credential stuffing attacks have reached epidemic proportions, and users are partly to blame. Hackers recognize that many people reuse their credentials, and they’re harnessing botnets to launch these low-cost, low-risk attacks. Contact Clango to discuss the tools and processes you can implement to prevent your organization from becoming a victim.
For more information about credential stuffing, please send us an email at (firstname.lastname@example.org).