
It’s All About the Credentials

Credential stuffing continues to be a serious problem for online businesses and consumers, and as long as individuals keep reusing the same password across their online accounts, it will only grow. To protect themselves and their customers, online businesses must prioritize two complementary credential stuffing mitigations: detecting and blocking the automation that drives these attacks, and proactively identifying legitimate users whose credentials have already been exposed in a breach and forcing them to change their password. The second measure removes the attacker's payoff and breaks the attack lifecycle.
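The second mitigation above, checking a user's credential against known breach data and forcing a reset on a hit, is straightforward to implement. The following is an added example written for this page, not PerimeterX code. It assumes a hypothetical breach corpus held locally (a handful of well-known leaked passwords, constructed here for illustration) and models the k-anonymity "range query" pattern used by services such as Pwned Passwords: the client hashes the password, sends only the first five hex characters of the SHA-1 digest, and matches the returned suffixes locally, so the lookup service never sees the full hash. The check runs only after the password has been verified, so it cannot be abused as an oracle for guessing.

```python
import hashlib
from typing import List

# Constructed stand-in for a breach corpus: SHA-1 digests of a handful of
# passwords that appear in essentially every public credential dump. A real
# deployment would hold the full corpus or query a range API; this data is
# illustrative only.
_LEAKED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "iloveyou"]
_BREACH_CORPUS = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                  for p in _LEAKED_PASSWORDS}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the key breach corpora are indexed by.
    SHA-1 is acceptable here because it is a lookup key, not password storage."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix: str) -> List[str]:
    """Server side of a k-anonymity range query: given the first five hex
    characters of a hash, return the remaining 35 characters of every corpus
    entry sharing that prefix. The caller never reveals the full hash."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    prefix = prefix.upper()
    return sorted(h[5:] for h in _BREACH_CORPUS if h.startswith(prefix))


def is_compromised(password: str) -> bool:
    """Client side: hash locally, query by prefix, match the suffix locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


def login_decision(password_matches: bool, password: str) -> str:
    """Post-authentication policy (hypothetical outcomes for illustration).
    Only a correct password is checked against the corpus, so a wrong guess
    learns nothing, and a legitimate user whose credential has leaked is
    forced to rotate it instead of being silently allowed in."""
    if not password_matches:
        return "deny"
    if is_compromised(password):
        return "force_password_reset"
    return "allow"


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 9!Qz"):
        print(pw, "->", login_decision(True, pw))
```

In production the corpus lookup would be the network call to the range API or a query against a locally mirrored copy, and the reset should also invalidate existing sessions and refresh tokens for that account, since the attacker may already be logged in.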

Credential stuffing attacks, such as those reported against the wedding planning startup Zola and more established companies like General Motors, continue to fuel the web attack lifecycle: credentials stolen in one breach are replayed against other sites. Because most users reuse their credentials across the web, attackers can be expected to use them to take over accounts on other sites and applications, widening the circle of breach.

The most recent Verizon Data Breach Investigations Report (DBIR) identified ransomware as the top threat to organizations, along with phishing, web application attacks and attacks on the supply chain. The one common thread tying these attacks together? Stolen credentials. In fact, 42% of all investigated breaches involved the use of stolen credentials.

The DBIR team analyzed 23,896 security incidents, of which 5,212 were confirmed data breaches, concluding that “There are four key paths leading to your estate: Credentials, Phishing, Exploiting vulnerabilities and Botnets. These four pervade all areas of the DBIR, and no organization is safe without a plan to handle them all.”

What the Verizon DBIR calls a “circle of breach” follows the same logic as what we at PerimeterX have identified as the web attack lifecycle. According to the report, “Traditionally, defenders are largely focused on the events that occur within their boundaries, which makes sense since those are the things they control. However, an attacker ecosystem exists both before and after the breach, and it plays into and feeds off of the incident.”

The Verizon report found that 63% of the compromised data were credentials. Answering the single question, “Are you who you say you are?” is a critical approach to protecting online services from the consequences of these attacks, allowing online brands to protect their customers, reputation and finances. Taking this approach covers the post-login “wasteland” (the part of the session most defenses never examine) and helps brands establish continuous attribution and verification of identity and legitimacy across all user behaviors.

In Social Engineering attacks, “The human element continues to be a key driver of 82% of breaches,” and “malware and stolen credentials provide a great second step after a social attack gets the actor in the door.”

In Web Application Attacks, the Verizon report notes that the “pattern continues to largely be dominated by the use of stolen credentials to access an organization’s internet-facing infrastructure and over 80% of the breaches in this pattern can be attributed to stolen credentials. There’s been an almost 30% increase in stolen credentials since 2017, cementing it as one of the most tried-and-true methods to gain access to an organization for the past four years.”

In the Financial and Insurance vertical, attacks on web applications have increased from 12% in 2016 to 51%. According to the Verizon report, “A key component of these attacks is that they usually involve the use of stolen credentials, which is the number one action variety in this vertical.”

A similar trend is reported in the Retail vertical. The report notes “as one might expect, credentials are the top data type compromised in this vertical,” accounting for 45% of the compromised data in attacks.

These two data points are clear examples of the circle of breach and of the central role credentials play in the attack lifecycle of account takeover and other account breaches.

The takeaway

The responsibility lies with app providers and website owners to make it difficult and expensive for cybercriminals to use stolen information, and so to disrupt the cycle of attacks. This means stopping the theft, validation and fraudulent use of account and identity information at every point along a consumer’s digital journey.

Once cybercriminals have access to accounts, they can commit fraud, perform financial transactions, purchase goods, cash in loyalty points, sell the credentials on the dark web, or even take out lines of credit. Our own Automated Fraud Benchmark Report showed that the share of malicious login attempts among total logins trended upwards during 2021, reaching a staggering 93.8% of all login attempts in August, an 8% increase on the 2020 peak.
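The malicious-login share above is a product of telling automated stuffing traffic apart from real users at the login endpoint, the first mitigation named at the top of this post. As an added example (not PerimeterX's detection logic, and not code from the page), the following script runs a simple detector over a constructed set of login log lines in a hypothetical format: a source that tries many distinct usernames in a short window with a high failure rate is flagged as a stuffing source, the share of attempts it accounts for is reported, and any account it logged into successfully is listed for a forced password reset. The thresholds and the log format are assumptions for illustration; the IP addresses are documentation ranges.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sample of login events in a hypothetical format:
# "<ISO timestamp> <source IP> <username> <OK|FAIL>". Not real traffic.
# 203.0.113.7 behaves like a stuffing bot (one attempt per account, fast,
# mostly failing); the other two sources look like people.
SAMPLE_LOG = """\
2021-08-03T10:00:00Z 203.0.113.7 alice FAIL
2021-08-03T10:00:01Z 203.0.113.7 bob FAIL
2021-08-03T10:00:01Z 203.0.113.7 carol FAIL
2021-08-03T10:00:02Z 203.0.113.7 dave OK
2021-08-03T10:00:02Z 203.0.113.7 erin FAIL
2021-08-03T10:00:03Z 203.0.113.7 frank FAIL
2021-08-03T10:00:03Z 203.0.113.7 grace FAIL
2021-08-03T10:00:04Z 203.0.113.7 heidi FAIL
2021-08-03T10:00:30Z 198.51.100.20 alice FAIL
2021-08-03T10:00:45Z 198.51.100.20 alice OK
2021-08-03T10:05:00Z 192.0.2.33 bob OK
"""


@dataclass
class LoginEvent:
    ts: datetime
    src_ip: str
    username: str
    success: bool


def parse_log(text: str) -> List[LoginEvent]:
    """Parse the hypothetical four-field log format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(LoginEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                 ip, user, result == "OK"))
    return events


def flag_stuffing_sources(events: List[LoginEvent], window=timedelta(minutes=1),
                          min_attempts=5, min_distinct_users=5,
                          min_fail_ratio=0.6) -> Dict[str, dict]:
    """Flag source IPs that, within any sliding window, try many distinct
    usernames with a high failure rate. That combination is the signature of a
    stuffing run (each stolen pair tried once, against a different account),
    whereas a user mistyping a password hits one account repeatedly. The
    thresholds are illustrative and should be tuned against real traffic."""
    by_ip: Dict[str, List[LoginEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_ip[ev.src_ip].append(ev)

    flagged: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # advance the left edge until the window is no wider than `window`
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            attempts = len(win)
            if attempts < min_attempts:
                continue
            distinct = len({e.username for e in win})
            fail_ratio = sum(not e.success for e in win) / attempts
            if distinct >= min_distinct_users and fail_ratio >= min_fail_ratio:
                if best is None or attempts > best["attempts"]:
                    best = {"attempts": attempts, "distinct_users": distinct,
                            "fail_ratio": fail_ratio}
        if best is not None:
            flagged[ip] = best
    return flagged


def malicious_login_ratio(events: List[LoginEvent], flagged: Dict[str, dict]) -> float:
    """Share of all login attempts that came from flagged sources, the same
    kind of metric as the malicious-login percentage quoted above."""
    if not events:
        return 0.0
    return sum(e.src_ip in flagged for e in events) / len(events)


def accounts_to_reset(events: List[LoginEvent], flagged: Dict[str, dict]) -> Set[str]:
    """Accounts a flagged source logged into successfully: the stolen pair
    worked, so the account is taken over and its password must be reset."""
    return {e.username for e in events if e.src_ip in flagged and e.success}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    bad = flag_stuffing_sources(evs)
    print("flagged sources:", bad)
    print("malicious login ratio: %.1f%%" % (100 * malicious_login_ratio(evs, bad)))
    print("force reset:", sorted(accounts_to_reset(evs, bad)))
```

Per-IP counting is the simplest version of this detector and is easy for attackers to evade with large proxy pools, which is why production systems add device and browser fingerprinting and behavioral signals to the same windowed logic; the structure (group by a source identity, measure distinct targets and failure rate over a window, then act on successes from flagged sources) stays the same.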

The human element is the new frontier of information security: in these cases attackers gained access to users’ accounts not through any failure on the part of the website owner, but through the natural human tendency to reuse the same username and password across multiple sites.

Organizations have a legal and ethical obligation to safeguard the personal and financial information of their users, not just to protect their sites from standard cyberattacks, but to also safeguard the information they hold on behalf of users. Analyzing user sessions and behaviors and building more accurate profiles of whether users are who they say they are – both before and after login – enables a strong defense to better detect and prevent fraud throughout the user account lifecycle.