International. According to F5 Labs' Credential Stuffing Report 2021, credential spill incidents double as the sophistication of cybercriminals increases. Credential stuffing, which involves the exploitation of large volumes of compromised usernames and/or email and password, is a growing global problem that has doubled in the 2016-2020 period, according to the latest edition of the report. In 2020, 2 million records were affected, which is 234% more than in 2019.
A recently released FBI report warns that credential stuffing has been the top security threat to the financial sector during the 2017-2020 period, accounting for 41% of total incidents.
"Cybercriminals have been collecting billions of credentials for years. Credential spills are like an oil spill, once they occur, they are very difficult to clean, because users do not change their data and passwords and companies have not yet massively adopted solutions that prevent credential stuffing. This type of attack has a long-term impact on application security," said Sara Boddy, Senior Director of F5 Labs. "If it's being hacked right now, it's most likely due to a credential stuffing attack."
Sander Vinberg, Threat Research Evangelist at F5 Labs and co-author of the report, calls on organizations not to let their guard down. "Access attacks, which include credential stuffing and phishing practices, are already the main cause of breaches. It is highly unlikely that the security teams of organizations are winning the war against data exfiltration and fraud, what we are seeing is a stabilization of an increasingly mature market."
Poor password storage
According to the F5 report, poor password storage remains one of the most recurring problems. Although most organizations do not disclose their password algorithms, F5 has had the opportunity to study 90 specific incidents that give insight into the most likely causes of credential spillage.
Thus, in 42.6% of credential spills in the last three years, it has been found that there was a lack of protection for passwords stored in plain text.
Another observation of this report is the increase detected in fuzzing techniques with the aim of improving the success rate when it comes to exploiting stolen credentials. Fuzzing is a process that seeks to find vulnerabilities by analyzing input codes, repeatedly testing with modified inputs. F5 has proven that it is a very common practice among the most advanced attackers.
In the 2018 edition of the Credential Stuffing Report, F5 noted that a credential spill took an average of 15 months to become public. At the moment, that period has dropped to 11 months. For its part, the average time to detect an incident of this type is 120 days.
Five phases of credential abuse
The announcement of a spill usually matches the credentials that appear on the Dark Web forums. For the 2020 Credential Fill report, F5 specifically looked at the crucial period between credential theft and their publication on the Dark Web.
Four Fortune 500 customers were studied: two banks, a retailer, and a food and beverage company, accounting for 72 billion login transactions over 21 months. With Shape Security technology, researchers were able to "track" stolen credentials through their theft, sale, and use.
According to the study of the four organizations, F5 identifies five phases of credential abuse:
• Stealthy: Compromised credentials were used stealthily up to a month before a public announcement. On average, each credential was used 15 to 20 times a day in attacks across all four websites.
• The increase: In the 30 days before the public announcement, F5 saw the credentials circulating on the Dark Web. More attackers gained access to the credentials, which is why the number of attacks per day is constantly increasing.
• The bombing: As the credentials became public, fans began to use them on major web properties. The first week was particularly active, and each account was attacked on average more than 130 times a day.
• The drop/new equilibrium: After the first month, F5 identified a new balance of approximately 28 attacks per username per day. This is due to a subset of novice attackers still targeting high-value companies with "outdated" credentials.
• Reincarnation: After conducting credential stuffing attacks on a variety of websites, a subset of criminals set out to repackage valid credentials to extend their lifespan and continue to exploit them.
"Credential stuffing will remain a threat as long as users continue to be required to log in to their online accounts. Attackers will continue to adapt their attacks to new fraud protection techniques. It is impossible to instantly detect 100% of attacks, but it is possible to make attacks more expensive to try to make fraudsters give up," concludes Boddy.
Complete study at F5 Labs.
Leave your comment