Credential Compromise: What You Need to Know About Theft, Stuffing and Spilling and What You Can Do About it

As new technologies emerge, ever-vigilant fraudsters remain hard at work searching for and exploiting system weaknesses before they can be patched.

• By Michael Lynch
• Sep 29, 2017

As new technologies emerge, ever-vigilant fraudsters remain hard at work searching for and exploiting system weaknesses before they can be patched.

One such form of cybercrime involves credential compromise. Credential compromise encompassing the theft, spilling and stuffing of user account information is not new. The cycle of infiltrating a company’s systems, stealing credentials like email addresses, user IDs and passwords, and then either using them directly for theft or selling them on the dark web to other criminal actors has been around for years. Its longevity can be attributed to ongoing success enabled by a number of systematic failures, including end-users’ propensity to recycle passwords from site to site, companies’ failure to identify and report compromises in a timely manner and weak systems security measures, as well as a hefty return on investment for fraudsters.

For example, according to Shape Security’s 2017 Credential Spill Report (January 2017), the return for cybercriminals on credential stuffing can be as high as 2 percent. So, for every 1 million stolen credentials, criminals could gain access to as many as 10,000 accounts.

Such activity plagues both businesses and end-users who transact across digital channels in increasing numbers and with increasing frequency. Aside from the hard-dollar costs involved in detecting and preventing credential compromise (or to clean up the aftermath of a breach), there are other, less obvious, but equally costly, ramifications.

Fortunately, the risk of credential compromise can be mitigated if you know what to look for and appropriate technology measures are deployed to combat it before it happens.

The Basics of Credential Compromise

Here is some of the latest terminology defining credential compromise:

• Credential theft: Attackers hack into a system and steal end-users’ account login credentials (user IDs or email addresses and passwords).
• Credential stuffing: The use of automated means (bots) to test a large set of stolen passwords against websites.
• Password recycling: The tendency for users to use the same password across multiple online accounts.
• Credential spilling: The release of mass amounts of user credentials onto the dark web.

The End-to-End Journey of Compromised Credentials

Step 1: Gain access to credentials

Criminal organizations and single actors use various methods to breach typical enterprise security protocols, including, Phishing/Smishing, Malware, Man-in-the-Middle attack, Mass compromise via network breach, and Insider theft.

Step 2: Validate the credentials

After a database has been breached by cybercriminals and access to mass amounts of user credentials has been gained, criminals who wish to either use the credentials themselves to gain access to other accounts to commit theft, or to sell the data to the highest bidder on the dark web, must first test the validity of the data. This is where credential stuffing comes into the mix.

Bots and Credential Stuffing

In order to gain that much-sought-after validation, credential stuffing is employed. As mentioned previously, credential stuffing involves mass testing of stolen login IDs and passwords using bots to automate the process. Bots in this context refer to malware infecting one or more computers or mobile devices that allows a criminal actor to takeover, control and use the infected machines to perform automated tasks, such as attempting account logins over numerous sites using stolen credentials. Bots are essentially the tool cybercriminals use to weaponize stolen credentials.

How to Detect Bots

Fortunately, using a combination of low and high-tech approaches to detection, enterprises can reduce the likelihood and damage inflicted by a bot attack.

• Monitor for spikes in site traffic
• Detect velocity of devices attempting multiple login attempts on multiple accounts over a short period of time
• Leverage next generation of bot-prevention tools such as device intelligence, device fingerprinting, malware detection, machine learning and behavioral analysis.
• Deploy security solutions that employ multi-factor authentication (MFA)
• Risk score devices based on malware, location anomalies, operating system configuration anomalies, and fraud tool detection

Using a variety of techniques like these to identify and screen-out bots is a crucial factor in slowing and stopping bots before they inflict costly damage both in terms of expense and reputation.

In additional to implementing technology solutions to combat bots directly on your systems, an enterprise may also choose to work with firms that specialize in investigating and exposing cybercrime. Such cybersecurity firms are able to obtain information from the underground criminal forum where the customer information is released and many times will conclude that the breach is greater in scale than originally assumed. Often they can obtain a sample of the data breach and recommend procedures against further exposure. 

Step 3: Use the Validated Credentials

Once cybercriminals have validated the stolen credentials, they are ready to be released on the dark web or sold to the highest bidder. Essentially, stolen and validated credentials are used for the purposes of account takeover – either as means of gaining access to additional valuable information, or to directly commit transaction fraud.

Once a winning combination of credit card details, IDs and passwords has been stitched together, fraudsters can begin with monetization. Bots may either start with a single high-value CNP transaction or attempt to deploy many small transactions that fly under the radar.

Impact to Businesses

While hard-dollar fraud losses resulting from compromised credentials is an overwhelming concern for businesses and consumers, the theft, stuffing and spilling of credentials has far broader implications to reputation and consumer satisfaction.

Financial

Regarding the financial impact of credential compromise, Shape Security has already identified $1 billion in attempted fraud from credential stuffing attacks in 2016 alone. Aside from the money that disappears from accounts and must be reimbursed to consumers, businesses must also face the added expense of extra man-hours and implementing technology solutions to detect, prevent and manage such attacks. The simple impact of the increased site volume generating by credential stuffing has an overwhelming effect on an enterprise’s servers, resulting in outages and slow response times, as well as necessitating ramped up support center staffing to handle queries from concerned or irate customers.

Confident Decisioning

Additionally, credential stuffing has a profound effect on an organization’s ability to accurately track and leverage valuable insights regarding site traffic through reporting. Valuable metrics like site visits, click-through rates and conversions are used by e-commerce sites and others to analyze performance and make strategic decisions. According to the Shape Security report, “90 percent of login requests on many of the world’s largest web and mobile applications is attributable to traffic from credential stuffing attacks.” Such skewed information can have a profound effect on an organization’s ability to confidently use site analytics to make strategic decisions.

Reputation and Consumer Satisfaction

Massive numbers of password lockouts and reset attempts not only generate a high level of frustration among end-users, but also creates staffing challenges, encourages password recycling among users and inflicts damage to your business’s reputation.

An unexpected influx of authentication calls into a large organization’s call center can cost several dollars per call; however, customer frustration and lack of trust in an organization’s ability to protect sensitive account and personal information can be far costlier.

Stay Ahead of Cybercriminals

Credential compromise isn’t going away any time soon. Nor are bot attacks that enable cybercriminals to validate sensitive information that provides a hefty ROI for them and facilitates financial theft with increasing sophistication.

It’s essential that security professionals employ every weapon in their arsenal – from monitoring, to bot detection, device authentication, identity verification and malware prevention solutions.

The stakes of a credential breach are high, presenting an alarming risk your organization’s bottom line, reputation and customer trust and loyalty. No matter the type of information your business collects in its systems, it should be protected as if it were virtual gold, because to cybercriminals, it might just be.