How does credential stuffing enable account takeover attacks?
Credential stuffing activity is outpacing the growth of other cyberattacks and enabling account takeover attacks. Akamai Technologies' Patrick Sullivan explains the threat.
While cybersecurity vendors continue to see increased growth in all types of cyberattacks, one type stands out: account takeover attacks, which are increasingly being made possible by attackers who have automated the testing of user credentials against account login systems.
Distributed denial-of-service and web application attacks are still on the rise, according to Patrick Sullivan, director of security technology and strategy at Akamai Technologies Inc., but account takeover attacks, and the credential stuffing activity that goes with them, are growing much faster.
Account takeover attacks can target any website that uses a login to guard valuable information, and Sullivan said that the growth in these attacks has been fueled by the growing ranks of companies whose breached websites have already yielded access to user credentials. The attacks can succeed because many users reuse their credentials -- user ID and password pairs -- across multiple websites.
SearchSecurity asked Sullivan about the threat of credential stuffing, why it's on the rise, and what it means for enterprises and users.
Sullivan: The types of attacks that Akamai observes targeting top websites [distributed denial-of-service (DDoS) attacks, web application attacks, bot scraping of websites and attacks on domain name systems] are all climbing in frequency.
In a relative sense, we see the increase in credential stuffing activity growing much faster than the others. We assume that attackers currently find it more lucrative to run ATO [account takeover] attacks. The scale of these credential stuffing attacks is incredible. Akamai has observed that 66% of all login attempts seen by our customers are bots launching credential stuffing attacks.
Credential stuffing is the mass-scale automated testing of username/password combinations across multiple websites. When successful matches are discovered, attackers use these logins to take over the account for fraud or resell the confirmed credentials to others in the criminal ecosystem to commit fraud. Credential stuffing attacks are the first step in account takeover fraud. Once attackers have confirmed that credentials are valid on a given site, they use that information for fraud.
ATO attacks monetize valuable resources for an individual's account at a commerce site, steal rewards points from travel/electronics loyalty programs, commit fraud on a banking site, steal [personally identifiable information] from healthcare sites and other activities. The same apparatus that conducts ATO attacks can be used to defraud online gift card activations by brute force attacks. The common element is that automation is required by the attacker to achieve what appears to be a significant return on their investment of focusing on these types of attacks.
Detections for other forms of automated attacks, like credential stuffing or price aggregation bots, tend to only be in place at the top finance and commerce organizations. I've seen organizations asking for help for what they believe to be a DDoS attack, but when you dissect the attack, it turns out to be a highly aggressive credential stuffing attack.
The profit motive behind ATO attacks must be quite high because the attackers are very evasive. They deploy AI to bypass CAPTCHA. They evade web application firewall controls by routing their requests through massive proxy networks that allow them to keep their request rates below that of typical human users.
The proxy networks also allow the attackers to choose source geographies for requests that are on a white list. The proxy networks are made up of [internet of things] devices in residential networks, and are more than an order of magnitude larger than the largest DDoS botnets, like Mirai. The size of the networks allows attackers to continually change the IP addresses they use.
Bot management and anti-automation is a space. Technology vendors are able to detect if a request is being made by a human on a browser or a bot performing credential stuffing or price aggregation. The techniques being used include biometrics -- an analysis of the interactions with keyboard, mouse movements, mobile device gyroscope and accelerometer to determine if a human is driving the session or if it is a bot. Many people still think of CAPTCHA as a defense for bots, but with advances in AI, bots are now more effective in solving CAPTCHA than humans.
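A defender-side illustration of two points Sullivan makes: a campaign that looks like DDoS but is credential stuffing, and attackers spreading requests over a large proxy network so that each IP stays under typical per-IP rate limits. This is an added example for this page, not Akamai's or Sullivan's code; the log format, the constructed log lines, the field names and the thresholds are all assumptions. It aggregates across all sources rather than counting per IP, looking at the failure ratio on the login endpoint and at how often an attempt is a never-before-seen credential pair from its source.

```python
from collections import defaultdict
# Constructed sample, one request per line: "seconds ip path status username".
# Many proxy IPs each send one attempt with a different username and mostly
# fail: a leaked credential list being replayed through a proxy network.
STUFFING_LOG = """\
0 198.51.100.11 /login 401 alice
1 198.51.100.12 /login 401 bob
1 203.0.113.21 /login 401 carol
2 203.0.113.22 /login 200 dave
2 198.51.100.13 /login 401 erin
3 203.0.113.23 /login 401 frank
4 203.0.113.24 /login 401 heidi
4 192.0.2.50 /login 401 ivan
5 192.0.2.50 /login 200 ivan
7 203.0.113.25 /search 200 -
"""
# Constructed benign traffic: users retry their own account and mostly succeed.
BENIGN_LOG = """\
0 192.0.2.10 /login 200 alice
1 192.0.2.11 /login 401 bob
2 192.0.2.11 /login 200 bob
3 192.0.2.12 /login 200 carol
"""

def parse_login_attempts(text):
    """Return (ip, status, username) for every request to the login endpoint."""
    events = []
    for line in text.splitlines():
        _ts, ip, path, status, user = line.split()
        if path == "/login":
            events.append((ip, int(status), user))
    return events
def stuffing_indicators(events):
    """Aggregate across all sources instead of rate-limiting each IP on its own."""
    by_ip = defaultdict(list)
    for ip, _status, user in events:
        by_ip[ip].append(user)
    attempts = len(events)
    failures = sum(1 for _ip, status, _user in events if status != 200)
    # Attempts that do not repeat a username from the same IP: a list being
    # walked pair by pair, whereas a human retries the account they own.
    fresh = sum(len(set(users)) for users in by_ip.values())
    return {"attempts": attempts, "distinct_ips": len(by_ip),
            "max_per_ip": max(len(users) for users in by_ip.values()),
            "failure_ratio": failures / attempts,
            "fresh_username_ratio": fresh / attempts}
def looks_like_stuffing(ind, min_attempts=8):
    """Flag when failures dominate and nearly every attempt is a new credential pair."""
    return (ind["attempts"] >= min_attempts and ind["failure_ratio"] >= 0.7
            and ind["fresh_username_ratio"] >= 0.8)
```

In the constructed campaign no source IP makes more than two requests, so a per-IP rate limit would never fire, while the aggregate failure and fresh-credential ratios expose it.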