Cyber Trend Alert: Credential Stuffing and Credential Theft

Combat Credential Stuffing and Credential Theft

Cyber attacks are nothing new, but unfortunately they have grown 450 percent since 2019. There are many types of cyber attack, but the ones that succeed most often rely on stolen credentials, a technique known as credential stuffing. The Colonial Pipeline breach was caused by credential stuffing. Learning the tools for combating these attacks is important for your business’s cyber security.

The Greatest Threat of Cyber Crime Is Stolen Credentials

Stolen credentials have become the greatest threat as well as the easiest information to access. More than one billion records have been compromised in the U.S. alone. According to the OAIC, 79 percent of cyber breaches are a result of compromised credentials. In our current society, a password is required for everything: online shopping, downloading an app for work, buying a new appliance, checking in with your doctor’s office to get results of a test and more. The demand for stolen credentials is enormous and growing.

The Way Stolen Credentials Are Used

Hackers gain access to your credentials in several ways. What they obtain is often not the password itself but a hash of it, so their next step is to turn those hashes into what is known as cleartext, the readable password. If they have the wherewithal to crack the hashes themselves, they do so. If not, they can sell the hashes to someone else with more advanced skills and experience in credential stuffing.

Once your password has been recovered as cleartext, it is added to a collection of thousands of others and sold as a stuffing list. The attacker then tries every credential on the list against thousands of websites and generates a list of working logins.
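The pattern just described (one source trying many different accounts, most of them failing) is also what a defender can look for in authentication logs. The Python below is an added example and is not part of the original post: it parses a constructed sample log (the line format, the thresholds and the two source addresses are assumptions made for the example) and flags a source that hits at least five distinct accounts within a minute with mostly failures, while leaving alone a single user who mistypes their own password a few times.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of a login audit log (assumed format; addresses come from
# documentation ranges, so they are not real hosts).
# 203.0.113.7 walks through many accounts in seconds: the stuffing pattern.
# 198.51.100.4 is one user mistyping their own password, then getting in.
SAMPLE_LOG = """\
2024-03-01T10:00:01 ip=203.0.113.7 user=alice result=FAIL
2024-03-01T10:00:02 ip=203.0.113.7 user=bob result=FAIL
2024-03-01T10:00:02 ip=203.0.113.7 user=carol result=FAIL
2024-03-01T10:00:03 ip=203.0.113.7 user=dave result=OK
2024-03-01T10:00:03 ip=203.0.113.7 user=erin result=FAIL
2024-03-01T10:00:04 ip=203.0.113.7 user=frank result=FAIL
2024-03-01T10:00:10 ip=198.51.100.4 user=alice result=FAIL
2024-03-01T10:00:40 ip=198.51.100.4 user=alice result=FAIL
2024-03-01T10:01:05 ip=198.51.100.4 user=alice result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Turn log lines into (timestamp, ip, user, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"]))
    return sorted(events)


def detect_stuffing(events, window_seconds=60, min_users=5, min_fail_ratio=0.5):
    """Flag source IPs that, within any sliding time window, try many distinct
    accounts with a high failure rate. Returns {ip: summary} for flagged sources."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        window = deque()
        for ev in evs:
            window.append(ev)
            # drop attempts that have fallen out of the time window
            while ev[0] - window[0][0] > timedelta(seconds=window_seconds):
                window.popleft()
            users = {e[2] for e in window}
            fails = sum(1 for e in window if e[3] == "FAIL")
            if len(users) >= min_users and fails / len(window) >= min_fail_ratio:
                alerts[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(window),
                    "failures": fails,
                    # accounts that accepted a stuffed credential and need a reset
                    "succeeded": sorted(e[2] for e in window if e[3] == "OK"),
                }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The "succeeded" list is the actionable part: those are the accounts whose password was valid on the stuffing list and should be reset and told to stop reusing that password elsewhere.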

Passwords Are Predictable, But Should Not Be

Simple passwords, simply put, should not be used. When a password is hashed, it is scrambled for security purposes, but hashing alone cannot protect you from the dangers of credential theft. Although length doesn’t correlate to security, most passwords are too short at just seven characters. You may have noticed that many sites these days require at least eight characters, including uppercase, lowercase, a numeral and often a symbol.

Avoid Common Tactics for Making Passwords Stronger

There are several common changes people make to passwords in an attempt to keep their credentials from being stolen. These are now well known to cybercriminals and therefore are not the best option:

  • Swapping an O for 0 or vice versa
  • Swapping a $ for an S or an ! for a 1
  • Adding ! at the end of a password
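To show why the substitutions above do not help, here is an added example (not from the original post) of the kind of blocklist check a defender can run when a user picks a new password. It maps each symbol back to the letter it commonly replaces (treating 1 and ! as standing for either i or l, an assumption), strips a trailing run of digits or punctuation such as "!" or "123", and compares the result with a small constructed list of common base words that stands in for a real breached-password list.

```python
import re
from itertools import product

# Constructed stand-in for a breached/common-password blocklist (a real deployment
# would load a large list; these few words are only for the example).
COMMON_PASSWORDS = {"password", "summer", "welcome", "letmein", "qwerty", "hello"}

# Each symbol mapped back to the letter(s) it usually replaces. "1" and "!" are
# ambiguous (i or l), so both options are expanded. This mapping is an assumption.
LEET_MAP = {"0": "o", "$": "s", "@": "a", "3": "e", "5": "s", "4": "a", "7": "t",
            "1": "il", "!": "il", "|": "il"}


def candidates(password, limit=512):
    """Expand a password into the plain words it may have been built from."""
    lowered = password.lower()
    # consider the password as typed and with a trailing "!" / "123" style suffix removed
    forms = {lowered, re.sub(r"[\d\W_]+$", "", lowered)}
    out = set()
    for form in forms:
        options = [LEET_MAP.get(ch, ch) for ch in form]
        for combo in product(*options):
            out.add("".join(combo))
            if len(out) >= limit:  # cap the expansion for very long inputs
                return out
    return out


def is_weak(password):
    """True when any plausible base word of the password is on the blocklist."""
    return bool(candidates(password) & COMMON_PASSWORDS)


if __name__ == "__main__":
    for pw in ["P@$$w0rd", "Summ3r!", "He!!0", "correct-horse-battery"]:
        print(f"{pw!r}: weak={is_weak(pw)}")
```

Because the check undoes the substitutions before comparing, "P@$$w0rd" and "Summ3r!" are rejected just as "password" and "summer" would be, which is exactly the reasoning the cracking tools apply in reverse.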

Exposing the Types of Credential Stuffing

There are a variety of types of credential hacking, including phishing, spoofing, crypto-jacking, polymorphism, fileless malware and malicious insiders. We’ve highlighted some of these below.

  • Phishing. Believe it or not, there are phishing kits selling rapidly on the dark web. Typically bought with cryptocurrency for anywhere between $50 and $100, they can be purchased in any language and configured for any type of attack.

An excellent way to prevent phishing attacks is to pause for a minimum of 20 seconds. Look at or hover over the sender’s address. If it looks like a site you know, such as Amazon, but does not have the normal Amazon address in the brackets, don’t open it and definitely don’t click on any link within it. Check the domain before entering your login information. You can also look to see whether your password keeper populates on the site; it won’t if the domain is even slightly off.
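The password-keeper behaviour mentioned above comes down to a strict domain comparison. As an added illustration (not code from the original post or from any particular password manager), the Python below keeps a small constructed vault and offers a saved username only when the page's host is the saved domain or a subdomain of it. It uses the real host the browser would connect to, so a lookalike such as "amaz0n.com", a domain that merely contains "amazon.com" in its name, or a URL that puts "amazon.com" in the user-info part before "@" all get nothing filled in. The vault contents and the example URLs are assumptions.

```python
from urllib.parse import urlsplit

# Constructed vault: the domain each login was saved for -> stored username.
VAULT = {"amazon.com": "shopper@example.net", "mybank.example": "acct-1234"}


def host_of(url):
    """The actual host the browser connects to (any user-info before '@' is not part of it)."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def domain_matches(host, expected):
    """True only when host is expected or a subdomain of it: a suffix match on a
    label boundary, not a substring match, so 'amazon.com.account-check.example'
    does not count."""
    expected = expected.lower()
    return host == expected or host.endswith("." + expected)


def autofill(url, vault=VAULT):
    """Mimic a password manager: offer the saved username only for a matching domain."""
    host = host_of(url)
    for domain, username in vault.items():
        if domain_matches(host, domain):
            return username
    return None


if __name__ == "__main__":
    for url in ["https://www.amazon.com/ap/signin",
                "https://amazon.com.account-check.example/signin",
                "https://amaz0n.com/signin",
                "https://amazon.com@phish.example/signin"]:
        print(url, "->", autofill(url))
```

The same suffix test is a good habit for a person reading an address bar: the part that matters is the registered domain at the right-hand end of the host, not whether a familiar name appears somewhere in it.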

  • Fileless malware. Fileless malware is launched without a download. It leverages trusted binaries that are already on the system, such as PowerShell, referred to as LOLBins (living-off-the-land binaries): legitimate programs that are hijacked by malware. This type of attack is used to steal data like login information, or to crypto-jack users.

  • Malicious insiders. No employer wants to consider the idea that these attacks come from what is known as malicious insiders, but some do, so you need to take steps to prevent them. These insider attacks are usually financially driven. To prevent them effectively, try separating duties, rotating jobs, watching employee actions and checking your logs.

Bulletproof Your Cyber Security Against These Threats

Combat these threats by creating a bulletproof strategic cyber security plan. It’s a key step in implementing better cyber security practices and combating credential stuffing.

Better cyber security starts with a risk assessment. An effective cyber security risk assessment has seven steps:

  • Assess the value of assets in your network
  • Prioritize your assets
  • Identify possible threats to your network
  • Assess the weaknesses that may be exploited
  • Analyze existing controls to your environment
  • Document your security processes
  • Repeat the risk assessment

Use this assessment to develop your own strategic cyber security plan. It’s essential that your plan includes employee training and the use of a powerful security stack to mitigate cyber risks.

A security stack might include dark web monitoring, multi-factor authentication, remote monitoring and management, backups, security training, cyber insurance and more depending on your business’s size and industry. By layering services, you can bulletproof your cyber security management.

Test Your Passwords

There is a mathematical formula for determining password entropy, a measure of how unpredictable the password is. The higher the “E,” or entropy, the better the password. A score over 60 is preferable.

E = log2(R^L), which is the same as E = L × log2(R)

E = password entropy

R = pool of unique characters

L = number of characters

The University of Illinois at Chicago offers an online password strength calculator that does not send your password out over the internet. 
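As an added example (not the calculator the post refers to, and not code from the original), the Python below applies the formula above. R is built up from the character classes the password actually uses (lowercase, uppercase, digits and a symbol set; the exact symbol set is an assumption, and other calculators may count a different number of symbols), L is the length, and E is computed as L × log2(R), which equals log2(R^L) without ever forming the huge number R^L. It also checks the result against the 60-bit mark mentioned above.

```python
import math

# Character classes and the pool each one contributes when the password uses it.
# The symbol set is an assumption; a given calculator may count a different set.
CHARACTER_CLASSES = {
    "lowercase": "abcdefghijklmnopqrstuvwxyz",
    "uppercase": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "digits": "0123456789",
    "symbols": "!@#$%^&*()-_=+[]{};:'\",.<>/?`~\\| ",
}


def pool_size(password):
    """R: a class's pool counts only if the password actually uses that class."""
    return sum(len(chars) for chars in CHARACTER_CLASSES.values()
               if any(c in chars for c in password))


def entropy_bits(password):
    """E = log2(R^L), computed as L * log2(R) so that long passwords don't
    require forming R**L."""
    R, L = pool_size(password), len(password)
    if R == 0 or L == 0:
        return 0.0
    return L * math.log2(R)


def meets_threshold(password, threshold=60.0):
    """True when the entropy score is above the preferred mark."""
    return entropy_bits(password) > threshold


if __name__ == "__main__":
    # constructed sample passwords, chosen only to show how R and L move the score
    for pw in ["letmein", "Summer1!", "correcthorsebatterystaple"]:
        print(f"{pw!r}: R={pool_size(pw)}, L={len(pw)}, "
              f"E={entropy_bits(pw):.1f} bits, over 60: {meets_threshold(pw)}")
```

Running it shows the two levers the formula contains: every character class adds to R, but each character added to L multiplies the whole expression, which is why a seven-character lowercase password scores in the low thirties while a long lowercase passphrase clears 100 bits. Note that the formula assumes the password is random; a dictionary word with substitutions scores well here while still being on a stuffing list, so an entropy score should be paired with a blocklist check rather than used alone.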

No Need to Go IT Alone

And remember, you don’t have to handle IT alone. Seek a tested partner to execute your risk assessment and implement a reliable security stack. If your small or medium-sized business is in need of cyber security assistance, including combating credential stuffing, contact us or book a meeting.

Dave Hatter


Dave Hatter (CISSP, CCSP, CCSLP, Security+, Network+) is a cyber security consultant, writer, educator and on-air media contributor. See hundreds of Dave’s expert interviews on cyber security on his YouTube channel, or tune in to 55KRC every Friday morning at 6:30 for his “Tech Friday” segment.
