Unauthorized logins are a constant, significant threat. It is easy to see why.
A majority (51.8%) of breaches in 2019 were caused by access control attacks according to F5 Labs’ 2019 Application Protection. The breaches resulted from stolen login credentials obtained by phishing and brute force. Stolen credentials, obtained from other sources, were also prominently used as part of credential stuffing attacks. Today, the problem is accentuated by a massive proliferation of unwanted bots. Here’s what you need to know and do.
The Preliminary Credential Stuffing Attack: Attackers often employ automation, using bots to launch and orchestrate credential stuffing campaigns.
Tapping the Vast Caches of Stolen Credentials: To perform a credential stuffing attack, the attack tool needs a stolen credential list to run against the targeted web login. These credential lists are simply files of username and password pairs obtained through phishing or bought on the dark web.
Credential Stuffing Causes Outages: Many sites have only a basic web application firewall (WAF), or nothing at all. In general, WAFs are designed to block application attacks and web exploits, not high volumes of otherwise well-formed login requests. The login pages become overwhelmed with failed logins, and either the site crashes or customers can’t get in, which is why credential stuffing is often mistaken for a denial-of-service attack.
Preliminary Credential Stuffing Mitigation Attempts: Once an attack is identified, it is time to stem the tide. Some basic defensive measures include inspecting and blocking the web session, which some WAFs can do.
Attackers Always Retool
The cybercrime community already knows how to work around these simple defenses. Most of the time, the real work for attackers is configuring and adapting their readily available tools for the specific victim’s website and modifying the scripts.
Attacker Evasion
Bots often run on consumer Internet connections, which use dynamic IP addressing, so a blocked source address is soon replaced by a fresh one. Blocking based on geographic origin is equally ineffective, as attackers use bots from around the world.
Impersonating a Human
Naturally, attackers have worked out ways around CAPTCHAs. Many attack tools have optional plugins to match and supply answers for thousands of known CAPTCHA puzzles. Some bot detection tools look for scripted mouse movements or keystrokes; these too can be spoofed with a wide variety of tools.
Look for Smarter Antibot Tools
Ultimately, the best defenses against credential stuffing bot attacks need to be sophisticated. It begins with gathering a combination of factors on the web user. These factors are then scored and weighted using machine learning to weed out bots.
Intelligent antibot systems can also spot the predictability of pseudorandom mouse and keyboard actions. In addition, they can interrogate the user’s browser during the web session to look for the characteristics of a real browser on an actual computer.
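To make the factor-scoring idea concrete, and to show how the failed-login flood described above can be told apart from ordinary user mistakes, here is an added example that is not from the article or any product it mentions. It scores each login source on three weighted factors (failure ratio, username diversity and request rate); the log lines, field layout, weights and threshold are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login events (not real data): timestamp, source IP, username, outcome.
# 203.0.113.5 tries eight different accounts in four seconds; 198.51.100.7 is one
# user who mistypes a password once.
SAMPLE_LOG = """\
2019-05-01T10:00:00 203.0.113.5 alice FAIL
2019-05-01T10:00:01 203.0.113.5 bob FAIL
2019-05-01T10:00:01 203.0.113.5 carol FAIL
2019-05-01T10:00:02 203.0.113.5 dave FAIL
2019-05-01T10:00:02 203.0.113.5 erin OK
2019-05-01T10:00:03 203.0.113.5 frank FAIL
2019-05-01T10:00:03 203.0.113.5 grace FAIL
2019-05-01T10:00:04 203.0.113.5 heidi FAIL
2019-05-01T10:00:00 198.51.100.7 alice OK
2019-05-01T10:05:00 198.51.100.7 alice FAIL
2019-05-01T10:06:00 198.51.100.7 alice OK
"""

def parse_log(text):
    """Group (timestamp, username, succeeded) tuples by source IP."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events[ip].append((datetime.fromisoformat(ts), user, outcome == "OK"))
    return events

def score_source(attempts):
    """Weighted score in [0, 1]; the weights are illustrative assumptions, not a standard."""
    n = len(attempts)
    failure_ratio = sum(1 for _, _, ok in attempts if not ok) / n
    user_diversity = len({u for _, u, _ in attempts}) / n   # 1.0 = every attempt a new account
    span = (max(t for t, _, _ in attempts) - min(t for t, _, _ in attempts)).total_seconds()
    rate_factor = min(n / max(span, 1.0), 1.0)              # saturates at one attempt per second
    return 0.4 * failure_ratio + 0.4 * user_diversity + 0.2 * rate_factor

def classify(text, threshold=0.7):
    """Return per-source score and whether it crosses the flagging threshold."""
    result = {}
    for ip, attempts in parse_log(text).items():
        score = round(score_source(attempts), 2)
        result[ip] = {"score": score, "flagged": score >= threshold, "attempts": len(attempts)}
    return result

if __name__ == "__main__":
    for ip, verdict in classify(SAMPLE_LOG).items():
        print(ip, verdict)   # 203.0.113.5 scores 0.95 and is flagged; 198.51.100.7 scores 0.27
```

Keying on the source IP alone is weakened by the dynamic addressing noted above, which is why real antibot systems fold in browser and behavioural signals rather than relying on any single factor.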
Bot-driven credential stuffing attacks – especially against weak defenses – can be relentless, and cybercriminals adapt fast. The key is to make it difficult for them, raising the cost and complexity of an onslaught to make attacks as undesirable as possible.