Thanks to the effectiveness of credential stuffing attacks, professional hacking groups have now adopted this method to attack financial institutions. Credential stuffing has become more attractive to these groups because massive data breaches provide large lists of credentials for them to exploit. The FBI has warned the financial sector about this growth in credential stuffing attacks.
What is Credential Stuffing and How Does it Work?
Credential stuffing is a relatively new type of attack. It involves using stolen credentials to gain unauthorized access to user accounts via large-scale automated login attempts. It relies on the fact that users often reuse the same password for multiple accounts and web applications.
Credential stuffing uses the following process:
- Harvest credentials – Collect leaked credentials associated with the target organization’s personnel using corporate websites, phishing emails, social media, breached records, hacker forums or the dark web.
- Access accounts – Test harvested credentials against the target organization’s applications, databases and websites using automated login attempts.
- Exfiltrate data – If a login attempt is successful, collect valuable personally identifiable information (PII) for use in future credential stuffing attacks, or for other malicious actions such as ransomware attacks and stealing financial assets from online banking services and cryptocurrency exchanges.
- Expand stuffing list – Add the new credentials and PII found during Step 3 to the original list of harvested credentials. The expanded list can then be used in future credential stuffing attacks.
Why Has Credential Stuffing Become So Popular?
Originally credential stuffing was mainly used by cybercriminals to target online services such as online gaming, video streaming and food delivery businesses. However, thanks to the effectiveness of this type of attack, professional hacking groups are now using it to target financial institutions.
Credential stuffing has become more attractive to these groups thanks to the numerous data breaches that have occurred in the last five years. Large data breaches, such as the one in November last year, have exposed billions of records, which were then sold or given away for free on the dark web and on hacker forums.
Hacking groups began collecting this massive amount of data, which included leaked PII and credentials, to conduct credential stuffing attacks. Thanks to the volume of information available, hacking groups were able to successfully target online banking services and cryptocurrency wallets, with the aim of stealing financial assets.
Last week the FBI issued a security advisory about the increased use of credential stuffing attacks against US financial institutions. The advisory stated that between 2017 and 2020, credential stuffing and DDoS attacks accounted for most security attacks against the financial sector. It also explains that these two attack types are difficult to tell apart, as they both slow and/or crash networks. “While a DDoS attack is intended to take a system offline by flooding it with more traffic than it is designed to process, a credential stuffing attack is intended to gain system access using a high volume of login attempts to ultimately monetize access,” clarified FBI officials.
The FBI noted that many of the reports it had received regarding credential stuffing attacks involved Application Programming Interfaces (APIs). These attacks targeted APIs used by financial systems because they are less likely to require two-factor authentication. APIs are also less closely monitored than user-facing login systems. Furthermore, credential stuffing attacks did not just target customer accounts, the FBI said. They also targeted employee accounts, with hacker groups aiming to gain access to highly privileged accounts. Some attacks were so massive that they brought down financial institutions’ systems and led to multi-million-dollar losses.
The FBI advisory warns US financial institutions to take immediate, proactive measures to protect their organizations from credential stuffing attacks. The advisory also includes basic credential stuffing detection strategies and recommended mitigation measures. These mitigations are useful not only to organizations in the finance sector but to organizations in all sectors.
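The advisory's own detection strategies are not reproduced in this article. As an added example (not from the FBI advisory or this article), the Python below applies one widely used heuristic to a constructed authentication log: within a short time window, a single source trying many different usernames with a high failure rate looks like credential stuffing, while many failures against one username looks like classic brute force. The log format, thresholds and addresses are assumptions; the same logic applies to API authentication logs, which the advisory singles out as less monitored.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format): "timestamp src_ip username result".
SAMPLE_LOG = """\
2020-09-10T12:00:01 198.51.100.7 alice FAIL
2020-09-10T12:00:02 198.51.100.7 bob FAIL
2020-09-10T12:00:02 198.51.100.7 carol FAIL
2020-09-10T12:00:03 198.51.100.7 dave SUCCESS
2020-09-10T12:00:03 198.51.100.7 erin FAIL
2020-09-10T12:00:04 198.51.100.7 frank FAIL
2020-09-10T12:00:05 203.0.113.9 alice FAIL
2020-09-10T12:00:09 203.0.113.9 alice FAIL
2020-09-10T12:00:15 203.0.113.9 alice FAIL
2020-09-10T12:00:21 203.0.113.9 alice FAIL
2020-09-10T12:00:30 203.0.113.9 alice FAIL
2020-09-10T12:00:40 203.0.113.9 alice FAIL
2020-09-10T12:05:00 192.0.2.44 grace SUCCESS
"""

def parse(log_text):
    """Yield (timestamp, src_ip, username, result) from the constructed format."""
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result

def classify_sources(log_text, window=timedelta(minutes=1), min_attempts=5):
    """Bucket login attempts per source IP and fixed time window, then label each
    busy bucket. Stuffing: attempts spread over mostly distinct usernames (one leaked
    password per account). Brute force: attempts concentrated on few usernames.
    A SUCCESS inside a stuffing burst is a likely account takeover, so it is listed."""
    buckets = defaultdict(list)
    for ts, ip, user, result in parse(log_text):
        bucket = int(ts.timestamp() // window.total_seconds())
        buckets[(ip, bucket)].append((user, result))
    findings = []
    for (ip, _), attempts in buckets.items():
        total = len(attempts)
        fails = sum(1 for _, r in attempts if r == "FAIL")
        if total < min_attempts or fails / total < 0.5:
            continue  # quiet or mostly-successful sources are not flagged
        users = {u for u, _ in attempts}
        label = "credential_stuffing" if len(users) / total >= 0.8 else "brute_force"
        hits = [u for u, r in attempts if r == "SUCCESS"] if label == "credential_stuffing" else []
        findings.append({"src_ip": ip, "label": label, "attempts": total,
                         "distinct_users": len(users), "compromised": sorted(hits)})
    return findings
```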