Credential Stuffing: Fight Back Against Bot Attacks

by Michael Lynch, InAuth Chief Strategy Officer

Credential compromise, which encompasses the theft, spilling and stuffing of user account information, has long been the methodology of choice for committing fraud. It entails breaking into a company's systems, stealing credentials such as email addresses, user IDs and passwords, and then either using them directly for theft or selling them on the dark web to other criminal actors.

Its longevity can be attributed to ongoing success enabled by several systemic failures: end users' propensity to reuse passwords from site to site, companies' failure to identify and report compromises in a timely manner, weak systems security measures, and a hefty return on investment for fraudsters.

Credential stuffing plagues both businesses and end users, who transact across digital channels in ever greater numbers and with increasing frequency, resulting in hard-dollar costs as well as less obvious but equally costly ramifications.

Fortunately, the risk of credential compromise can be mitigated if you know what to look for and appropriate technology measures are deployed to combat it before it happens.

Credential compromise is a complex ecosystem of activities that exploits common consumer behaviors. After obtaining credentials through fraudulent means, fraudsters must test their validity in order to command a higher price for the information. One means of testing credentials is credential stuffing, in which criminal actors use automated tools (bots) to try stolen username and password pairs en masse against websites, relying on the fact that many users reuse the same password across sites.

Credential stuffing is the mass testing of stolen login IDs and passwords, with bots automating the process. In this context a bot is automation software that attempts logins at scale. It may run on the criminal's own infrastructure, or on computers and mobile devices infected with malware that lets the operator take over and control them, so that a botnet of ordinary machines performs the login attempts across numerous sites. Bots are essentially the tool cybercriminals use to weaponize stolen credentials.

Bots: A Vexing Problem

Bots can be particularly vexing for enterprises that operate self-service digital channels. Traditionally run on desktop machines, bots now also operate from mobile devices. They are masters of impersonation, which makes them hard to detect on the surface: they present as typical device configurations, use a different IP address for every attempt and run on known browsers such as Chrome or Safari. The very nature of commandeering an armada of ordinary machines makes bots exceptionally effective.

In many cases, bots are engineered to make Web traffic appear to originate in the U.S. while actually originating in China or Russia, for example, typically by routing requests through proxies or compromised machines located in the apparent country. Bots are also growing more sophisticated: they can execute JavaScript, hold onto cookies, and randomize their IP address, headers and user agents. And they use multiple methods of accessing the sites they test, including headless browsers, browser automation tools and man-in-the-browser malware.

Fortunately, by combining low-tech and high-tech approaches to detection, enterprises can reduce both the likelihood of a bot attack and the damage it inflicts. Using a variety of techniques to identify and screen out bots is crucial to slowing and stopping them before they inflict costly damage, both financial and reputational.

Combating Bots

On the low-tech end of the spectrum, a bot attack may show up as a spike in site traffic or in velocity. Traffic refers to the total number of visits; velocity refers to the rate of requests generated by a single device. Which statistic moves depends on how widely the bot is distributed: a few machines making many attempts each show up as velocity, while a large botnet making a few attempts per machine may show up only as aggregate traffic.

Site statistics should be reviewed regularly to establish normal traffic patterns, so that anything unusual can be investigated. Other out-of-the-ordinary occurrences to watch for include a higher-than-usual login failure rate and downtime precipitated by increased site traffic.

In addition to employing a keen sense of observation, higher-tech solutions also exist to slow or stop bots.

Technology that detects velocity attacks can be used to identify and screen out bots. These solutions flag devices that perform multiple unusual behaviors, usually at high speed. A device that attempts logins to multiple accounts over a short period of time is a strong signal of a bot.

However, many bot detection tools fall short of true identification because their model relies on IP addresses or cookies. Sophisticated bots thwart this easily by changing their IP address continually and by clearing or refusing cookies. Such bots require more sophisticated screening technologies.

Such technologies make it easier to combine static techniques, such as detecting the presence of malware on the device, with a more complete behavioral analysis that is more accurate and not so easily fooled: a high number of attempts, a high number of failures, unusual traffic patterns, an unusual location or repeated attempts from the same location, and unusual speed of access attempts.
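The following is an added example, not code from the article or from InAuth. It shows the two detection layers described above over a constructed login log: the low-tech site-wide statistics (attempt volume, login failure rate) and a per-device behavioral screen that keys activity on a fingerprint hashed from stable device attributes rather than on IP address or cookie, so a bot that rotates IPs, user agents and usernames still collapses to a single key. The JSON log format, the attribute set used for the fingerprint, and the thresholds are all assumptions made for the example.

```python
"""Behavioural bot screening for login traffic (added example).

Not code from the article or from InAuth. Log format, device attributes
and thresholds are invented for illustration.
"""
import hashlib
import json
from collections import defaultdict
from statistics import pstdev

WINDOW_SECONDS = 300          # trailing window for velocity checks
MAX_ATTEMPTS = 20             # logins from one device in the window
MAX_DISTINCT_ACCOUNTS = 5     # distinct usernames from one device
MAX_FAIL_RATE = 0.8           # share of failed logins (needs >= 10 attempts)
MAX_DISTINCT_IPS = 3          # one device seen from many IPs => proxying
MAX_INTERVAL_STDEV = 0.25     # near-constant request spacing => scripted

# Constructed device attribute sets (assumed to be stable per device).
HUMAN_DEVICE = {"model": "iPhone 13", "screen": "1170x2532", "tz": "Europe/Berlin"}
BOT_DEVICE = {"model": "Pixel 6", "screen": "1080x2400", "tz": "America/New_York"}


def device_fingerprint(attrs):
    """Hash a canonical JSON form of the device attributes (order-independent)."""
    canon = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


def build_sample_log():
    """Constructed log: one human with a typo, one bot that rotates IP,
    user agent and username every two seconds (25 attempts, all failing)."""
    lines = []
    for ts, ok in [(1000.0, False), (1007.3, True), (1031.9, True)]:
        lines.append(json.dumps({"ts": ts, "ip": "203.0.113.5", "ua": "Safari/17",
                                 "dev": HUMAN_DEVICE, "user": "alice", "ok": ok}))
    for i in range(25):
        lines.append(json.dumps({"ts": 2000.0 + 2 * i, "ip": f"198.51.100.{i}",
                                 "ua": f"Chrome/{110 + i % 5}", "dev": BOT_DEVICE,
                                 "user": f"user{i:02d}", "ok": False}))
    return "\n".join(lines)


def parse_log(text):
    """One JSON object per line; attaches the device fingerprint to each event."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["fp"] = device_fingerprint(e["dev"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def site_stats(events):
    """Low-tech view: overall traffic volume and login failure rate."""
    total = len(events)
    failed = sum(1 for e in events if not e["ok"])
    return {"attempts": total,
            "fail_rate": failed / total if total else 0.0,
            "devices": len({e["fp"] for e in events})}


def screen_devices(events):
    """Per-device velocity and behaviour checks over a trailing window.

    Returns {fingerprint: [reasons]} for devices that trip any threshold.
    IP and cookie are deliberately not used as the key.
    """
    by_fp = defaultdict(list)
    for e in events:
        by_fp[e["fp"]].append(e)

    flagged = {}
    for fp, evs in by_fp.items():
        reasons = set()
        for i, cur in enumerate(evs):
            win = [e for e in evs[: i + 1] if cur["ts"] - e["ts"] <= WINDOW_SECONDS]
            n = len(win)
            if n > MAX_ATTEMPTS:
                reasons.add("high attempt velocity")
            if len({e["user"] for e in win}) > MAX_DISTINCT_ACCOUNTS:
                reasons.add("many distinct accounts")
            if n >= 10 and sum(not e["ok"] for e in win) / n > MAX_FAIL_RATE:
                reasons.add("high failure rate")
            if len({e["ip"] for e in win}) > MAX_DISTINCT_IPS:
                reasons.add("rotating IP addresses")
            gaps = [b["ts"] - a["ts"] for a, b in zip(win, win[1:])]
            if len(gaps) >= 5 and pstdev(gaps) < MAX_INTERVAL_STDEV:
                reasons.add("machine-regular timing")
        if reasons:
            flagged[fp] = sorted(reasons)
    return flagged


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print(site_stats(evs))
    for fp, why in screen_devices(evs).items():
        print(fp, why)
```

Running it flags only the bot's fingerprint, with all five reasons, while the human device with one failed attempt is untouched; the site-wide failure rate (26 of 28 attempts) is the kind of spike the low-tech review would catch. Two caveats a practitioner should keep in mind: a plain hash of device attributes changes whenever any attribute changes, so a production device identifier needs tolerance for drift, and thresholds like these must be tuned against the site's own baseline or they will either miss slow, widely distributed botnets or flag shared corporate egress points.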

Aside from bot detection, deploying security solutions that employ multi-factor authentication (MFA) is also a smart strategy for detecting and preventing fraud across the board, because a stuffed password alone no longer grants access. Solutions that reduce reliance on passwords offer the strongest identity verification. A persistent device ID is one way to recognize a device and assess its riskiness. A mobile phone, for example, exposes a large number of attributes of the device itself that can be combined into such an identifier and analyzed for risk factors that point to potentially fraudulent activity.

Credential compromise isn't going away any time soon. It's essential that security professionals employ every weapon in their arsenal, from monitoring and bot detection to device authentication, identity verification and malware prevention solutions, to avoid costly financial and reputational damage.

About the Author

Michael Lynch is InAuth’s Chief Strategy Officer and is responsible for developing and leading the company’s new products strategy, as well as developing key US and international partnerships. He brings two decades of experience in key roles within financial services, consulting, and Fortune 500 companies, specializing in security and technology leadership.