Credential Compromise: What You Need to Know About Theft, Stuffing and Spilling and What You Can Do About it

As new technologies emerge, ever-vigilant fraudsters remain hard at work searching for and exploiting system weaknesses before they can be patched.

One such form of cybercrime is credential compromise. Credential compromise, which encompasses the theft, spilling and stuffing of user account information, is not new. The cycle of infiltrating a company’s systems, stealing credentials such as email addresses, user IDs and passwords, and then either using them directly for theft or selling them on the dark web to other criminal actors has been around for years. Its longevity comes from ongoing success enabled by a number of systemic failures: end-users’ propensity to recycle passwords from site to site, companies’ failure to identify and report compromises in a timely manner, and weak systems security, combined with a hefty return on investment for fraudsters.

For example, according to Shape Security’s 2017 Credential Spill Report (January 2017), the success rate of credential stuffing can be as high as 2 percent. At that rate, for every 1 million stolen credentials, criminals could gain access to as many as 20,000 accounts.

Such activity plagues both businesses and end-users who transact across digital channels in increasing numbers and with increasing frequency. Aside from the hard-dollar costs involved in detecting and preventing credential compromise (or to clean up the aftermath of a breach), there are other, less obvious, but equally costly, ramifications.

Fortunately, the risk of credential compromise can be mitigated if you know what to look for and appropriate technology measures are deployed to combat it before it happens.

The Basics of Credential Compromise

Here is some of the latest terminology defining credential compromise:

  • Credential theft: Attackers break into a system and steal end-users’ account login credentials (user IDs or email addresses together with their passwords).
  • Credential stuffing: The use of automated means (bots) to test a large set of stolen user ID/password pairs against the login pages of websites and mobile applications, looking for accounts where the same password was reused.
  • Password recycling: The tendency of users to reuse the same password across multiple online accounts, which is what makes stuffing pay off.
  • Credential spilling: The release of a mass of stolen user credentials onto the dark web or underground forums, where other criminals obtain them.

The End-to-End Journey of Compromised Credentials

Step 1: Gain access to credentials

Criminal organizations and single actors use various methods to breach typical enterprise security controls, including phishing and smishing (SMS phishing), malware, man-in-the-middle attacks, mass compromise via a network breach, and insider theft.

Step 2: Validate the credentials

After a database has been breached and a mass of user credentials has been obtained, the criminals must first test the validity of the data, whether they intend to use the credentials themselves to gain access to other accounts and commit theft, or to sell the data to the highest bidder on the dark web. Stale or already-reset credentials are worth little; validated ones command a premium. This is where credential stuffing comes into the mix.

Bots and Credential Stuffing

To obtain that much-sought-after validation, credential stuffing is employed. As mentioned previously, credential stuffing involves mass testing of stolen login IDs and passwords, using bots to automate the process. Bots in this context are automated login scripts or tools, frequently run through a botnet of malware-infected computers and mobile devices or through proxy networks, so that the attempts arrive from many different machines and addresses rather than one. Bots are essentially the tool cybercriminals use to weaponize stolen credentials.

How to Detect Bots

Fortunately, using a combination of low- and high-tech approaches to detection, enterprises can reduce both the likelihood of a bot attack and the damage it inflicts.

  • Monitor for spikes in site traffic, particularly on login endpoints, relative to a normal baseline
  • Detect velocity: a single device or source address attempting logins against many different accounts in a short period of time, typically with a very high failure rate
  • Leverage next-generation bot-prevention tools such as device intelligence, device fingerprinting, malware detection, machine learning and behavioral analysis
  • Require multi-factor authentication (MFA), so that a validated password alone does not yield access to the account
  • Risk-score devices based on malware, location anomalies, operating system configuration anomalies and the presence of known fraud tools


Using a variety of techniques like these to identify and screen out bots is crucial to slowing and stopping them before they inflict costly damage, both in expense and in reputation.
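The two low-tech checks from the list above, traffic spikes and per-source velocity, as an added example that is not part of the original article. The log format, the field names, the thresholds and the sample log itself are all assumptions made for the example: the log is constructed in code, with ten minutes of ordinary logins and one stuffing burst from a single IP that cycles through 30 accounts in a minute and lands one recycled password. Adapt LOG_RE to whatever your identity provider, WAF or reverse proxy actually emits.

```python
"""Credential-stuffing detection over authentication logs (added example).

Two of the checks listed above, run over a constructed log:
  * velocity: one source IP trying many distinct accounts in a short window,
    with almost every attempt failing (the signature of stuffing a spilled list);
  * traffic spike: per-minute login volume far above the site's baseline.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Hypothetical log format (an assumption; adapt to your IdP, WAF or proxy log):
#   2024-06-01T12:00:10 ip=198.51.100.1 user=user00 result=success
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)


def build_sample_log():
    """Constructed sample data, not a real capture: ten minutes of normal
    traffic (three users per minute, each from its own IP, an occasional
    typo) plus a stuffing burst at 12:05 from one IP that cycles through
    30 distinct accounts in 60 seconds and lands one recycled password."""
    base = datetime(2024, 6, 1, 12, 0, 0)
    lines = []
    for minute in range(10):
        for k in range(3):
            n = minute * 3 + k
            ts = base + timedelta(minutes=minute, seconds=10 + 15 * k)
            result = "failure" if n % 7 == 0 else "success"
            lines.append(f"{ts.isoformat()} ip=198.51.100.{n + 1} user=user{n:02d} result={result}")
    burst = base + timedelta(minutes=5)
    for i in range(30):
        ts = burst + timedelta(seconds=2 * i)
        result = "success" if i == 17 else "failure"
        lines.append(f"{ts.isoformat()} ip=203.0.113.7 user=victim{i:02d} result={result}")
    return lines


def parse_line(line):
    """Return an event dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
            "user": m["user"], "result": m["result"]}


def parse_log(lines):
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def velocity_offenders(events, window=timedelta(minutes=5),
                       min_accounts=10, max_success_ratio=0.2):
    """Sliding window per source IP. A legitimate user touches one or two
    accounts; a stuffing bot touches dozens, and because most spilled
    passwords are stale its success ratio stays low. Returns the widest
    qualifying window seen for each flagged IP."""
    by_ip = defaultdict(list)
    for e in events:  # events are time-ordered, so each per-IP list is too
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end, cur in enumerate(evs):
            while cur["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            ratio = sum(e["result"] == "success" for e in win) / len(win)
            if len(users) >= min_accounts and ratio <= max_success_ratio:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users), "attempts": len(win),
                                   "success_ratio": round(ratio, 3),
                                   "first_seen": win[0]["ts"].isoformat()}
    return flagged


def traffic_spikes(events, bucket=timedelta(minutes=1), factor=4.0):
    """Count attempts per bucket and flag buckets above factor x the median
    bucket; the median is a baseline a single burst cannot drag up much."""
    if not events:
        return {}
    t0 = events[0]["ts"].replace(second=0, microsecond=0)
    counts = defaultdict(int)
    for e in events:
        counts[t0 + ((e["ts"] - t0) // bucket) * bucket] += 1
    baseline = median(counts.values())
    return {slot.isoformat(): n for slot, n in sorted(counts.items())
            if n > factor * baseline}


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("velocity offenders:", velocity_offenders(evs))
    print("traffic spikes:", traffic_spikes(evs))
```

On the constructed log the stuffing source is the only IP flagged (30 distinct accounts, 30 attempts, a success ratio of about 3 percent) and 12:05 is the only minute flagged as a spike. In production the per-IP key is weak on its own, since bots spread attempts across proxies; key the same window on a device fingerprint or on the account side as well (many failed passwords against one account is a different attack, but the window logic is the same), and treat the thresholds as starting points to tune against your own baseline.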

In addition to implementing technology solutions to combat bots directly on your systems, an enterprise may also choose to work with firms that specialize in investigating and exposing cybercrime. Such firms are able to obtain information from the underground criminal forums where customer information is released, and they frequently conclude that a breach is greater in scale than originally assumed. Often they can obtain a sample of the breached data, which lets you confirm which of your accounts are affected and force resets on them, and recommend procedures against further exposure.

Step 3: Use the Validated Credentials

Once cybercriminals have validated the stolen credentials, they are ready to be released on the dark web or sold to the highest bidder. Stolen and validated credentials are used for account takeover, either as a means of gaining access to additional valuable information, such as stored payment cards and personal data, or to directly commit transaction fraud.

Once a winning combination of credit card details, IDs and passwords has been stitched together, fraudsters can begin monetization. They may start with a single high-value card-not-present (CNP) transaction or attempt many small transactions that fly under the radar.

Impact to Businesses

While hard-dollar fraud losses resulting from compromised credentials are the most immediate concern for businesses and consumers, the theft, stuffing and spilling of credentials has far broader implications for reputation and consumer satisfaction.

Financial

Regarding the financial impact of credential compromise, Shape Security identified $1 billion in attempted fraud from credential stuffing attacks in 2016 alone. Aside from the money that disappears from accounts and must be reimbursed to consumers, businesses face the added expense of extra staff hours and of implementing technology solutions to detect, prevent and manage such attacks. The sheer site volume generated by credential stuffing also burdens an enterprise’s servers, causing outages and slow response times, and requires ramped-up support center staffing to handle queries from concerned or irate customers.

Confident Decisioning

Credential stuffing also distorts an organization’s ability to accurately track and leverage insights about site traffic through reporting. Metrics like site visits, click-through rates and conversions are used by e-commerce sites and others to analyze performance and make strategic decisions. According to the Shape Security report, “90 percent of login requests on many of the world’s largest web and mobile applications is attributable to traffic from credential stuffing attacks.” Analytics skewed to that degree cannot be used with confidence for strategic decisions.

Reputation and Consumer Satisfaction

Massive numbers of password lockouts and reset attempts not only generate a high level of frustration among end-users, but also create staffing challenges, encourage further password recycling among users and damage your business’s reputation.

An unexpected influx of authentication calls into a large organization’s call center can cost several dollars per call; however, customer frustration and lack of trust in an organization’s ability to protect sensitive account and personal information can be far costlier.

Stay Ahead of Cybercriminals

Credential compromise isn’t going away any time soon. Nor are the bot attacks that let cybercriminals validate stolen credentials, which provide a hefty ROI for them and facilitate financial theft of increasing sophistication.

It’s essential that security professionals employ every weapon in their arsenal – from monitoring, to bot detection, device authentication, identity verification and malware prevention solutions.

The stakes of a credential breach are high, presenting an alarming risk to your organization’s bottom line, reputation and customer trust and loyalty. No matter the type of information your business collects in its systems, it should be protected as if it were virtual gold, because to cybercriminals, it might just be.
