Free Guide
16 Questions You MUST Ask Before Hiring Any IT Company
Automation has revolutionized cybersecurity. All organizations use automation to perform a slew of repeated and mundane tasks in seconds with utmost efficiency without any manual invention. That includes cybercriminal organizations. Unfortunately for businesses, automation has facilitated the resurgence and upward growth of a devastating classic cyberattack technique that’s been updated for the modern era: credential stuffing.
Compromised credentials fuel attacks:
Businesses and personnel use hundreds of applications and websites for various digital services. Almost all these websites and apps use passwords for user authentication. Users often reuse the same passwords across multiple online services to manage these online accounts. Over 60% of people habitually reuse passwords across multiple sites and applications. While password reuse might be a convenient way for them to juggle through many online accounts, it has made them attractive targets for cybercriminals, who often rightly assume that passwords stolen from one company may provide the keys to a host of other accounts.
Credential stuffing is a cyberattack where threat actors repeatedly attempt to log in to a user’s online accounts using stolen usernames and passwords. Sometimes, those credentials have been stolen in a previous breach. Cybercriminals may purchase credentials files or harvest them from dark web data dumps. However they do it, cybercriminals tap into users’ habit of using the same password for multiple accounts and use it to harm businesses through credential stuffing. Credential stuffing is a hazardous problem for retailers. Attackers used leaked credentials more than 90% of the time in credential stuffing attacks targeting retailers, compared to just under 70% of the time in other industries.
Credential stuffing has leveled up:
There are plenty of password and username pairs for cybercriminals to deluge businesses within the course of a credential-stuffing attack available right now. According to a survey, more than 15 billion stolen credentials are circulating on the dark web, which grows yearly. Automation has made the process of credential stuffing easier than ever for the bad guys. After getting their hands on user credentials, attackers typically leverage software or other automation tools like bots capable of transmitting a sustained barrage of login attempts simultaneously without human intervention. A recent study on retail cybersecurity challenges showed that nearly one-quarter of the traffic on retail websites (23%) was explicitly attributed to malicious bots. Once the bad actors deploy their bots, they have to monitor the operation to see which one unlocks the door and gives them access to a user’s account.
One compromised credential brings serious consequences:
Once cybercriminals can access a user account, they can view the holder’s personal information and leverage it in many damaging ways. Bad actors can use it to launch successful social engineering attacks, sell that information on the dark web, or make fraudulent transactions if they find financial information. Sometimes, they perform account takeovers on the cracked accounts and use them in business email compromise schemes. The technique is the prime culprit in one-quarter of data breaches.
Although most login attempts in a credential stuffing attack fail, a single attack can yield thousands of compromised accounts due to the sheer volume of shots. Automation has enabled bad actors to send more photos than ever at a target over a very short period. With the high likelihood that someone has reused a compromised credential, there’s a high chance that the bad guys will get a hit. The aftermath of a credential stuffing attack can be gauged from the Ponemon Institute’s Cost of Credential Stuffing report, which concluded that businesses lose an average of $6 million per year to credential stuffing in the form of application downtime, lost customers, and increased IT costs.
Three defensive tips to mitigate credential stuffing risk:
Due to the prevalence of credential stuffing attacks, businesses must prepare for an eventuality where such an attack can come knocking down their doors someday. An estimated 81% of data breaches are due to poor password security. Therefore, every company that maintains online customer accounts must take action to ensure that they’re making all the right moves to mount an effective defense against credential-stuffing cyberattacks:
Source: ID Agent