FedInsights by F5 Networks

Be aware: Your online services may be suffering from credential stuffing attacks

There is a new cyber attack term for many agencies: Credential stuffing.

By some estimates there were more than 75 billion of these attacks over the last two years alone. And during the last year, some estimate that U.S. firms lost $5 billion because of these attacks.

Simply put, credential stuffing is a kind of brute-force attack where attackers take stolen log-ins and, through automated tools, try to force their way into networks. The basic premise behind this attack, according to experts, is that employees or customers reuse the same username and password on many sites because they have too many of them to manage.

From a federal perspective, credential stuffing has not yet shown up on the radar of agency Federal Information Security Management Act (FISMA) reports.

Email or phishing remain the biggest threat vectors for agencies, according to the 2018 FISMA report to Congress.

But this doesn’t mean credential stuffing and similar disruptive attacks aren’t here today and increasing in severity.

Additionally, as more and more agency services move toward an online-only environment, federal CIOs and chief information security officers have to consider how to protect citizens and other customers who may use similar passwords for multiple sites.

Dan Woods, the vice president of the Shape Intelligence Center with Shape Security, which is now part of F5 Networks, said a credential stuffing attack isn’t about breaking into someone’s account, but rather verifying the credential itself.

“You can do everything perfectly, but still be targeted with a credential stuffing attack. It leverages what we call inherent vulnerabilities. Inadvertent vulnerabilities is something that can be patched like SQL injection or some misconfigured application,” Woods said on the Innovation in Government show. “You are susceptible to credential stuffing attacks because you have a log-in form that is public facing.”

With nearly every agency and private sector organization putting more services online, the threat of credential stuffing is only expected to increase.

Woods said bad actors are trying to break into other accounts, even if there is nothing of value like money or personally identifiable information. Woods said when hackers do find PII, the information can be used for more directed attacks.

“One case that I worked, an organization used PII just to gain credibility during a phone call,” he said. “They build a whole story around that PII and it facilitates social engineering.”

Woods said too often agencies do not realize the value of their information and the size and scope of the problem.

“These attacks are now coming from millions of IP addresses. Security operations centers across the globe have become quite comfortable identifying attack traffic based on volume of transactions from IPs. They can typically identify the top 20 or 30 or even top 100 noisiest IPs. But they miss the long tail of millions of IPs that may have 10 or 20 transactions each because they don’t reach the volume to trigger any thresholds,” he said.

In one case, Shape Security found 99.9% of all traffic was automated attacks on their log-in application.
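The detection gap Woods describes can be reproduced on a small constructed login log. This is an added example, not code from the article, F5 or Shape Security; the IPs, usernames, thresholds and function names are all assumptions. It compares a per-IP volume rule with a rule keyed on how many distinct accounts an IP tries and how often it fails.

```python
from collections import defaultdict

def build_sample_events():
    """Constructed login log of (ip, username, success) tuples. Not real data."""
    events = []
    for i in range(3):            # 3 noisy attack IPs, 500 attempts each
        events += [(f"198.51.100.{i}", f"noisy{i}_{n}", False) for n in range(500)]
    for i in range(2000):         # long tail: 2000 attack IPs, 12 attempts each
        ip = f"10.{i // 250}.{i % 250}.7"
        # one reused password works on every 100th IP (about 0.1% of attempts)
        events += [(ip, f"tail{i}_{n}", n == 0 and i % 100 == 0) for n in range(12)]
    for i in range(300):          # legitimate users: one typo, then success
        ip = f"172.16.{i // 250}.{i % 250}"
        events += [(ip, f"user{i}", False), (ip, f"user{i}", True)]
    return events

def per_ip_stats(events):
    stats = defaultdict(lambda: {"attempts": 0, "ok": 0, "users": set()})
    for ip, user, ok in events:
        s = stats[ip]
        s["attempts"] += 1
        s["ok"] += int(ok)
        s["users"].add(user)
    return stats

def volume_alerts(stats, threshold=100):
    """Per-IP volume rule: flag only IPs with many transactions."""
    return {ip for ip, s in stats.items() if s["attempts"] >= threshold}

def spray_alerts(stats, min_users=5, max_success=0.2):
    """Flag IPs trying many distinct accounts with mostly failures, at any volume."""
    return {ip for ip, s in stats.items()
            if len(s["users"]) >= min_users and s["ok"] / s["attempts"] <= max_success}

def attack_coverage(stats, flagged):
    """Share of attack attempts (non-172.16 sources in this sample) that were flagged."""
    attack = {ip: s["attempts"] for ip, s in stats.items() if not ip.startswith("172.16.")}
    return sum(n for ip, n in attack.items() if ip in flagged) / sum(attack.values())

if __name__ == "__main__":
    stats = per_ip_stats(build_sample_events())
    for name, rule in (("volume", volume_alerts), ("spray", spray_alerts)):
        flagged = rule(stats)
        print(f"{name}: {len(flagged)} IPs, {attack_coverage(stats, flagged):.1%} of attack attempts")
```

On this sample the volume rule sees only the three noisy sources, while the distinct-account rule also picks up the 12-attempt long tail without flagging any legitimate user.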

What makes this type of attack even more dangerous is that the organizations behind them are often nation states.

Woods said while criminal organizations are largely focused on money, nation states are breaking into banking or financial accounts and not taking anything.

“When I was at the FBI, if I had access to bank accounts, it told me a lot about an individual. I knew where they shopped, I knew where they traveled so a lot of this is intelligence gathering,” he said. “We can always tell them because they are highly sophisticated, don’t appear to be motivated by money but instead about gathering of intelligence.”

Most recently, Woods said the bad actors are getting better at their craft. He said they are looking for ways to raise their typical success rate of 0.1% to 3%.

“They are looking for ways to raise their log-in attack success rate. One way they do that is by launching an attack against a different application first, like forgot password,” he said. “If I take all the user names I have and use automation against the forgot-password workflow, if it tells you whether or not the account exists, then you can identify which of the millions of credentials you should even try. We see the same thing with the create account application. And then you launch an attack against the log-in application and you will see a higher success rate.”
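The forgot-password and create-account behaviour Woods describes comes down to whether the response differs for existing and non-existing accounts. The sketch below is an added example, not code from the article or from F5; the handler names, messages, account store and mail queue are assumptions. It puts a response that reveals account existence beside one that does not, with a regression check a team can run against its own handlers.

```python
import secrets

ACCOUNTS = {"alice@example.gov"}   # constructed account store
OUTBOX = []                        # stands in for an asynchronous mail queue

def forgot_leaky(email):
    """'Before': status and body reveal whether the account exists."""
    if email not in ACCOUNTS:
        return 404, "No account found for that address."
    OUTBOX.append((email, "reset", secrets.token_urlsafe(32)))
    return 200, "Reset link sent."

def signup_leaky(email):
    """'Before': create-account reveals the same fact."""
    if email in ACCOUNTS:
        return 409, "That address is already registered."
    OUTBOX.append((email, "verify", secrets.token_urlsafe(32)))
    return 200, "Check your email to finish signing up."

def forgot_uniform(email):
    """'After': identical response; mail is sent only if the account exists."""
    if email in ACCOUNTS:
        OUTBOX.append((email, "reset", secrets.token_urlsafe(32)))
    return 200, "If that address has an account, a reset link is on its way."

def signup_uniform(email):
    """'After': existing users are told by email, not in the HTTP response."""
    kind = "already_registered" if email in ACCOUNTS else "verify"
    OUTBOX.append((email, kind, secrets.token_urlsafe(32)))
    return 200, "Check your email to finish signing up."

def reveals_existence(handler, known="alice@example.gov", unknown="nobody@example.gov"):
    """Regression check: True if the response differs for a real and a fake account."""
    return handler(known) != handler(unknown)

if __name__ == "__main__":
    for h in (forgot_leaky, signup_leaky, forgot_uniform, signup_uniform):
        print(h.__name__, "reveals account existence:", reveals_existence(h))
```

Response time is a second channel for the same signal, so the mail send should stay off the request path so that both branches take the same time.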

Woods said there are steps agencies can take to deal with credential stuffing attacks.

He said one step is the use of conditional two-factor authentication for unusual or atypical transactions. But generally speaking, besides taking down an agency’s log-in application, using advanced analytics on your network traffic is one way to limit these attacks.

 

About F5

F5 (NASDAQ: FFIV) powers applications from development through their entire lifecycle, across any multi-cloud environment, so our government customers can deliver differentiated, high-performing, and secure digital experiences. For more information, go to f5.com/federal. You can also follow @f5networks on Twitter or visit us on LinkedIn and Facebook for more information about F5, its partners, and technologies.

Featured speakers

  • Dan Woods

    Vice President, Shape Intelligence Center, Shape Security, Part of F5 Networks

  • Jason Miller

    Executive Editor, Federal News Network
