
Explanation
A Credential Stuffing attack is the automated injection of username and password combinations collected from breaches of other sites, used to gain unauthorized access to user accounts for the purpose of fraud.
To execute this attack, the attacker automatically submits a large number of credentials to the targeted website until one or more of them match existing user accounts. The attacker then steals stored information, credit card numbers, and other identifying details of the account owner, and may also use this information for other malicious purposes, such as sending spam or phishing.
Credential Stuffing is an authentication-related attack and a relatively new form of attack aimed at taking control and ownership of a user account. It is an emerging threat that poses risks not only to users and customers but also to large organizations and even small businesses.

Credential Stuffing is one of the most common methods cybercriminals use to exploit stolen usernames and passwords. It is a subset of brute force attacks, but instead of using dictionaries of common words, it relies on credentials obtained from past security breaches and attacks on other websites.
While a brute force attack is an offline attack that uses dictionaries of passwords, Credential Stuffing is an online attack that leverages these stolen credentials. This makes the attack easier to execute and more successful, primarily because users often reuse the same password across different websites. Moreover, the availability of automated tools for executing this attack means that it requires little specialist knowledge to carry out.

The above image symbolically illustrates the difference between a brute force attack and a credential stuffing attack.
Solution and prevention
- Use multi-factor authentication.
- Choose and enforce password policies, for example rules on password complexity and on not reusing old passwords.
- Educate employees and users about selected policies and existing threats.
- Use CAPTCHA.
- Block traffic that originates directly from cloud service providers such as AWS.
- Inspect request headers and, where they carry traces of attack tools, limit or block those requests.
- Collect unique fingerprint data from each user through JavaScript, such as the combination of installed fonts, browser plugins and hardware in use, and block requests to protected URLs that arrive without this information.
- Block requests sent by automated and headless browsers such as PhantomJS and headless Chrome, and force execution of JavaScript code contained in the server response (for example, code that creates a valid token which must be included in subsequent requests), so that the attacker is forced to use a real browser.
- Make sure enough logging information is retained to investigate in case of an incident.
- Block requests originating from private, non-routable IP addresses in any IP range, as well as malicious IP addresses published by sources such as www.abuseipdb.com.
- Use multi-step login processes on the website.
- Limit the number of authentication attempts on the website within a given period of time.
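The last two measures and the header check above only work if the defender can tell a credential stuffing source apart from ordinary brute force in the login logs. The following added example (not code from the original page) does that over a constructed sample log: a source that tries many distinct usernames once each, mostly failing, is labelled credential stuffing, while a source hammering one username is labelled brute force; the User-Agent marker list is an illustrative assumption.

```python
import re
from collections import defaultdict

# Constructed login-log sample (not from the page): source IP, result, username, User-Agent.
SAMPLE_LOG = """\
203.0.113.7 FAIL alice python-requests/2.31
203.0.113.7 FAIL bob python-requests/2.31
203.0.113.7 FAIL carol python-requests/2.31
203.0.113.7 OK dave python-requests/2.31
203.0.113.7 FAIL erin python-requests/2.31
198.51.100.2 FAIL alice Mozilla/5.0
198.51.100.2 FAIL alice Mozilla/5.0
198.51.100.2 FAIL alice Mozilla/5.0
198.51.100.2 FAIL alice Mozilla/5.0
198.51.100.2 FAIL alice Mozilla/5.0
192.0.2.9 OK alice Mozilla/5.0
"""
LINE_RE = re.compile(r"^(\S+) (OK|FAIL) (\S+) (.+)$")
# User-Agent fragments of scripted or headless clients (illustrative list, an assumption).
TOOL_UA_MARKERS = ("python-requests", "curl", "headlesschrome", "phantomjs")

def parse_log(text):
    """Parse lines into (ip, success, user, user_agent); malformed lines are skipped."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), m.group(2) == "OK", m.group(3), m.group(4)) for m in matches if m]

def tool_user_agents(records):
    """Source IPs whose User-Agent carries a trace of an automation tool."""
    return {ip for ip, _, _, ua in records if any(mk in ua.lower() for mk in TOOL_UA_MARKERS)}

def classify_sources(records, min_attempts=5, spread_threshold=0.8):
    """Label each source IP by how its login attempts are distributed over usernames."""
    per_ip = defaultdict(list)
    for ip, ok, user, _ in records:
        per_ip[ip].append((ok, user))
    labels = {}
    for ip, attempts in per_ip.items():
        n = len(attempts)
        distinct = len({user for _, user in attempts})
        failures = sum(1 for ok, _ in attempts if not ok)
        if n < min_attempts:
            labels[ip] = "normal"          # too few attempts to judge
        elif distinct / n >= spread_threshold and failures >= n // 2:
            labels[ip] = "credential_stuffing"  # one try per username, mostly failing
        elif distinct <= max(1, n // 5):
            labels[ip] = "brute_force"     # many tries against one or few usernames
        else:
            labels[ip] = "normal"
    return labels
```

Feeding `parse_log(SAMPLE_LOG)` into `classify_sources` flags 203.0.113.7 as credential stuffing and 198.51.100.2 as brute force; `tool_user_agents` additionally singles out the source whose User-Agent betrays a scripted client.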