Credential Compromise: What You Need to Know About Theft, Stuffing and Spilling and What You Can Do About it

Credential Compromise: What You Need to Know About Theft, Stuffing and Spilling and What You Can Do About it

As new technologies emerge, ever-vigilant fraudsters remain hard at work searching for and exploiting system weaknesses before they can be patched.

  • By Michael Lynch
  • Sep 29, 2017

As new technologies emerge, ever-vigilant fraudsters remain hard at work searching for and exploiting system weaknesses before they can be patched.

One such form of cybercrime involves credential compromise. Credential compromise encompassing the theft, spilling and stuffing of user account information is not new. The cycle of infiltrating a company’s systems, stealing credentials like email addresses, user IDs and passwords, and then either using them directly for theft or selling them on the dark web to other criminal actors has been around for years. Its longevity can be attributed to ongoing success enabled by a number of systematic failures, including end-users’ propensity to recycle passwords from site to site, companies’ failure to identify and report compromises in a timely manner and weak systems security measures, as well as a hefty return on investment for fraudsters.

For example, according to Shape Security’s 2017 Credential Spill Report (January 2017), the return for cybercriminals on credential stuffing can be as high as 2 percent. So, for every 1 million stolen credentials, criminals could gain access to as many as 10,000 accounts.

Such activity plagues both businesses and end-users who transact across digital channels in increasing numbers and with increasing frequency. Aside from the hard-dollar costs involved in detecting and preventing credential compromise (or to clean up the aftermath of a breach), there are other, less obvious, but equally costly, ramifications.

Fortunately, the risk of credential compromise can be mitigated if you know what to look for and appropriate technology measures are deployed to combat it before it happens.

The Basics of Credential Compromise

Here is some of the latest terminology defining credential compromise:

  • Credential theft: Attackers hack into a system and steal end-users’ account login credentials (user IDs or email addresses and passwords).
  • Credential stuffing: The use of automated means (bots) to test a large set of stolen passwords against websites.
  • Password recycling: The tendency for users to use the same password across multiple online accounts.
  • Credential spilling: The release of mass amounts of user credentials onto the dark web.

The End-to-End Journey of Compromised Credentials

Step 1: Gain access to credentials

Criminal organizations and single actors use various methods to breach typical enterprise security protocols, including, Phishing/Smishing, Malware, Man-in-the-Middle attack, Mass compromise via network breach, and Insider theft.

Step 2: Validate the credentials

After a database has been breached by cybercriminals and access to mass amounts of user credentials has been gained, criminals who wish to either use the credentials themselves to gain access to other accounts to commit theft, or to sell the data to the highest bidder on the dark web, must first test the validity of the data. This is where credential stuffing comes into the mix.

Bots and Credential Stuffing

In order to gain that much-sought-after validation, credential stuffing is employed. As mentioned previously, credential stuffing involves mass testing of stolen login IDs and passwords using bots to automate the process. Bots in this context refer to malware infecting one or more computers or mobile devices that allows a criminal actor to takeover, control and use the infected machines to perform automated tasks, such as attempting account logins over numerous sites using stolen credentials. Bots are essentially the tool cybercriminals use to weaponize stolen credentials.

How to Detect Bots

Fortunately, using a combination of low and high-tech approaches to detection, enterprises can reduce the likelihood and damage inflicted by a bot attack.

  • Monitor for spikes in site traffic
  • Detect velocity of devices attempting multiple login attempts on multiple accounts over a short period of time
  • Leverage next generation of bot-prevention tools such as device intelligence, device fingerprinting, malware detection, machine learning and behavioral analysis.
  • Deploy security solutions that employ multi-factor authentication (MFA)
  • Risk score devices based on malware, location anomalies, operating system configuration anomalies, and fraud tool detection

 

Using a variety of techniques like these to identify and screen-out bots is a crucial factor in slowing and stopping bots before they inflict costly damage both in terms of expense and reputation.

In additional to implementing technology solutions to combat bots directly on your systems, an enterprise may also choose to work with firms that specialize in investigating and exposing cybercrime. Such cybersecurity firms are able to obtain information from the underground criminal forum where the customer information is released and many times will conclude that the breach is greater in scale than originally assumed. Often they can obtain a sample of the data breach and recommend procedures against further exposure. 

Step 3: Use the Validated Credentials

Once cybercriminals have validated the stolen credentials, they are ready to be released on the dark web or sold to the highest bidder. Essentially, stolen and validated credentials are used for the purposes of account takeover – either as means of gaining access to additional valuable information, or to directly commit transaction fraud.

Once a winning combination of credit card details, IDs and passwords has been stitched together, fraudsters can begin with monetization. Bots may either start with a single high-value CNP transaction or attempt to deploy many small transactions that fly under the radar.

Impact to Businesses

While hard-dollar fraud losses resulting from compromised credentials is an overwhelming concern for businesses and consumers, the theft, stuffing and spilling of credentials has far broader implications to reputation and consumer satisfaction.

Financial

Regarding the financial impact of credential compromise, Shape Security has already identified $1 billion in attempted fraud from credential stuffing attacks in 2016 alone. Aside from the money that disappears from accounts and must be reimbursed to consumers, businesses must also face the added expense of extra man-hours and implementing technology solutions to detect, prevent and manage such attacks. The simple impact of the increased site volume generating by credential stuffing has an overwhelming effect on an enterprise’s servers, resulting in outages and slow response times, as well as necessitating ramped up support center staffing to handle queries from concerned or irate customers.

Confident Decisioning

Additionally, credential stuffing has a profound effect on an organization’s ability to accurately track and leverage valuable insights regarding site traffic through reporting. Valuable metrics like site visits, click-through rates and conversions are used by e-commerce sites and others to analyze performance and make strategic decisions. According to the Shape Security report, “90 percent of login requests on many of the world’s largest web and mobile applications is attributable to traffic from credential stuffing attacks.” Such skewed information can have a profound effect on an organization’s ability to confidently use site analytics to make strategic decisions.

Reputation and Consumer Satisfaction

Massive numbers of password lockouts and reset attempts not only generate a high level of frustration among end-users, but also creates staffing challenges, encourages password recycling among users and inflicts damage to your business’s reputation.

An unexpected influx of authentication calls into a large organization’s call center can cost several dollars per call; however, customer frustration and lack of trust in an organization’s ability to protect sensitive account and personal information can be far costlier.

Stay Ahead of Cybercriminals

Credential compromise isn’t going away any time soon. Nor are bot attacks that enable cybercriminals to validate sensitive information that provides a hefty ROI for them and facilitates financial theft with increasing sophistication.

It’s essential that security professionals employ every weapon in their arsenal – from monitoring, to bot detection, device authentication, identity verification and malware prevention solutions.

The stakes of a credential breach are high, presenting an alarming risk your organization’s bottom line, reputation and customer trust and loyalty. No matter the type of information your business collects in its systems, it should be protected as if it were virtual gold, because to cybercriminals, it might just be.

Featured

  • Maximizing Your Security Budget This Year

    Perimeter Security Standards for Multi-Site Businesses

    When you run or own a business that has multiple locations, it is important to set clear perimeter security standards. By doing this, it allows you to assess and mitigate any potential threats or risks at each site or location efficiently and effectively. Read Now

  • New Research Shows a Continuing Increase in Ransomware Victims

    GuidePoint Security recently announced the release of GuidePoint Research and Intelligence Team’s (GRIT) Q1 2024 Ransomware Report. In addition to revealing a nearly 20% year-over-year increase in the number of ransomware victims, the GRIT Q1 2024 Ransomware Report observes major shifts in the behavioral patterns of ransomware groups following law enforcement activity – including the continued targeting of previously “off-limits” organizations and industries, such as emergency hospitals. Read Now

  • OpenAI's GPT-4 Is Capable of Autonomously Exploiting Zero-Day Vulnerabilities

    According to a new study from four computer scientists at the University of Illinois Urbana-Champaign, OpenAI’s paid chatbot, GPT-4, is capable of autonomously exploiting zero-day vulnerabilities without any human assistance. Read Now

  • Getting in Someone’s Face

    There was a time, not so long ago, when the tradeshow industry must have thought COVID-19 might wipe out face-to-face meetings. It sure seemed that way about three years ago. Read Now

    • Industry Events
    • ISC West
Most   Popular

Featured Cybersecurity

Webinars

New Products

  • ComNet CNGE6FX2TX4PoE

    The ComNet cost-efficient CNGE6FX2TX4PoE is a six-port switch that offers four Gbps TX ports that support the IEEE802.3at standard and provide up to 30 watts of PoE to PDs. It also has a dedicated FX/TX combination port as well as a single FX SFP to act as an additional port or an uplink port, giving the user additional options in managing network traffic. The CNGE6FX2TX4PoE is designed for use in unconditioned environments and typically used in perimeter surveillance. 3

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis. 3