
How to detect and prevent credential stuffing, credential cracking and account takeover attacks

13 Nov, 2019

Account takeover (ATO) is a type of automated threat in which bad actors compromise online accounts, usually gaining access through automated credential stuffing and credential cracking techniques.

By learning about the automated threats of credential stuffing, credential cracking, and account takeover, you can better protect your website and business against these automated bot attacks, which harm both you and your customers.

In this article, you will discover how criminals use automated credential stuffing and credential cracking to perform account takeover bot attacks, who uses such attacks and why, how the attacks unfold, how to protect your website, and in what ways DataDome protects against 100% of automated OWASP threats—including credential stuffing and credential cracking—and prevents account takeover attacks.

What is credential stuffing and credential cracking

Definitions

Credential stuffing (OAT-008) is an automated threat that uses malicious bots to “stuff” known usernames and passwords (typically sourced from data breaches) into online login pages to gain access to user accounts.

Credential cracking (OAT-007) is a malicious attempt to find usable login credentials by using automated brute-force password cracking tools, testing vast numbers of different values for usernames and passwords.

Credential stuffing and credential cracking are the primary methods hackers use to accomplish account takeover—the unlawful accessing of a user account to commit fraud.

A brief history of credential stuffing attacks

In 2014, the first signs of credential stuffing attacks were identified when hackers on the dark web started offering services to monetize compromised account credentials. According to Recorded Future, early credential stuffing tools were priced between $50 and $250 and could target a specific company.

Initially, the tool would perform credential stuffing to validate the email and password sets. Hackers then would need to spend additional funds to buy advanced account checking tools to collect information from the compromised account.

Now, hackers can get started with credential stuffing attacks by investing as little as $500 in credential stuffing (otherwise known as “account checking”) software, access to email and password combo lists, and the use of both public and private proxy services for obfuscation. Today’s automated credential cracking and credential stuffing tools are designed to check hundreds of thousands of credential combinations against multiple websites.

Today, more than 90 percent of global e-commerce login traffic originates from billions of credential stuffing attacks.

Famous breaches

In early 2019, Dunkin’ Donuts announced it was the victim of an account takeover attack affecting 1,200 of their 10 million customers. Cybercriminals used credentials from previous data breaches to gain access to DD Perks rewards accounts, which housed member names, email addresses, a 16-digit DD Perks account number, and a DD Perks QR code. The hackers’ goal in this attack was to sell access to the compromised accounts—and the rewards points stored inside.

A few months later, the much-anticipated rollout of the Disney+ streaming service was marred by disruptions as customers tried unsuccessfully to access their accounts. The source of the problem? Credential stuffing. Just hours after the launch, Disney+ account credentials were put up for sale on dark web forums. By testing massive volumes of previously stolen usernames and passwords on the Disney+ streaming site, hackers could easily identify valid credential pairs.

Who uses credential stuffing and credential cracking, and why?

The goal behind credential stuffing and credential cracking schemes is to monetize compromised accounts by accessing linked bank accounts and credit cards, and by exploiting personal data to commit identity theft.

The most profitable form of account takeover is credit card fraud. Carding is the widespread practice of using stolen credit card numbers to make purchases through false accounts.

An account takeover attack can also be used to steal the private data of customers, which can then be sold on the darknet or leaked online for harmful purposes.

The organizations primarily targeted by credential stuffing attacks include e-commerce, financial, social media, information technology, restaurants, retail, and the travel and transportation industries.

The anatomy of an account takeover attack

In order for an account takeover attempt to be worthwhile to threat actors, they typically need to try a vast number of credentials as quickly as possible—a perfect job for a bot.

Credential stuffing relies on the widespread problem of password reuse to gain access to online accounts. Because 81% of individuals reuse the same or similar passwords across multiple accounts, malicious threat actors with access to leaked credential lists have an easy time finding valid username and password combinations.

The threat actors use bots to automate login attempts with large volumes of stolen credentials.

Figure 1 – OWASP, OAT-008 Credential stuffing attack process

As for credential cracking, weak passwords make it easy for bad actors to brute-force their way into company and customer accounts.

10,000 of the most common passwords can access 98% of all accounts.

Figure 2 – OWASP, OAT-007 Credential cracking attack process

When the cybercriminals manage to find a valid set of credentials, they can take control of the online account: this is account takeover. Once logged in, they can perform unauthorized transactions unbeknownst to the victims, and often remain undetected for extended periods.


The potential consequences of attacks

Even when unsuccessful, credential stuffing and credential cracking attacks can result in significant traffic spikes, poor site performance and even site downtime.

Account takeover is a serious threat to e-commerce and classifieds businesses because it’s:

  • difficult to detect, as bad actors sign in with legitimate credentials
  • simple for bad actors to automate and replicate the login process against target sites
  • easy for anyone to perform using publicly exposed credential lists from data breaches, as well as easily accessible exploit tools

Account takeover attacks hurt a company’s reputation, drive away customers, and can leave a hefty penalty—up to 4 percent of global annual turnover—if found in violation of the EU’s General Data Protection Regulation (GDPR).

Account takeover attacks are among the most significant cybersecurity threats that online businesses and consumers currently face. According to Javelin Strategy & Research, both incidents and losses related to account takeover in 2018 remained higher than in previous years, with total monetary costs estimated at $4.0 billion.

How to prevent credential stuffing attacks

Traditional security solutions tend to rely heavily on IP reputation, based on the assumption that any malicious activity from an IP address means that all activity from that IP is likely to be hostile. Today, threat actors distribute bots via residential IPs, which benefit from excellent reputations and where the requests they send are indistinguishable from those generated by ordinary users. IP-based approaches are, therefore, no longer efficient.

Additional protection methods can help detect and prevent credential stuffing attacks and account takeover by:

  • Providing a Multi-Factor Authentication (MFA) option for accounts
  • Encouraging the use of password managers for unique, strong password generation
  • Monitoring web traffic for the same IP with varying subnets (a sign of a proxy service)
  • Investigating cybercriminal underground activities for schemes targeting your company
  • Training workforce members to defend against automated e-commerce bot attacks

However, to efficiently protect against credential stuffing, credential cracking, and account takeover, a security solution with real-time detection and protection capabilities is crucial.

A good bot detection solution will be able to quickly identify visitor behavior that shows signs of credential cracking or credential stuffing attempts. To correctly identify fraudulent traffic and block account takeover attempts, the bot detection solution must analyze both technical and behavioral data.

Technical data may include such information as user agent, IP owner, and geolocation. Behavioral signs of bot activity could be the number of hits per IP address, crawling speed, crawling frequency, and many others.

When malicious bots are detected, the account takeover detection software can then either trigger alerts or automatically block the bots before your user accounts have been compromised. While all this occurs, the user experience for genuine human visitors must not be disturbed.
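The behavioral signals described above (hits per IP, attempt rate, failure ratio and how many distinct accounts a single source hammers) can separate the two OWASP patterns from ordinary users. The following is an added illustration, not DataDome's detection engine or code from the original article: it parses a constructed login log and labels each source IP as credential stuffing (OAT-008: a different leaked pair on nearly every attempt), credential cracking (OAT-007: many guesses against one account) or benign. The thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Illustrative thresholds (assumptions for this example, not DataDome's values).
MIN_ATTEMPTS, WINDOW_SECONDS = 5, 60
STUFFING_USER_RATIO, MIN_FAIL_RATIO = 0.8, 0.5

# Constructed sample login log: "timestamp ip username outcome" (not real data).
SAMPLE_LOG = """\
2019-11-13T10:00:01Z 203.0.113.7 alice FAIL
2019-11-13T10:00:02Z 203.0.113.7 bob FAIL
2019-11-13T10:00:02Z 203.0.113.7 carol FAIL
2019-11-13T10:00:03Z 203.0.113.7 dave OK
2019-11-13T10:00:04Z 203.0.113.7 erin FAIL
2019-11-13T10:00:10Z 198.51.100.9 frank FAIL
2019-11-13T10:00:11Z 198.51.100.9 frank FAIL
2019-11-13T10:00:11Z 198.51.100.9 frank FAIL
2019-11-13T10:00:12Z 198.51.100.9 frank FAIL
2019-11-13T10:00:13Z 198.51.100.9 frank FAIL
2019-11-13T10:05:00Z 192.0.2.44 grace FAIL
2019-11-13T10:05:20Z 192.0.2.44 grace OK
"""

def parse_log(text):
    """Parse 'timestamp ip user outcome' lines into (time, ip, user, outcome) tuples."""
    return [(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome)
            for ts, ip, user, outcome in (line.split() for line in text.splitlines())]

def classify_ips(records):
    """Label each source IP as 'stuffing' (OAT-008), 'cracking' (OAT-007) or 'benign'."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec[1]].append(rec)
    labels = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r[0])
        attempts = len(recs)
        span = (recs[-1][0] - recs[0][0]).total_seconds()
        users = {r[2] for r in recs}
        fail_ratio = sum(r[3] != "OK" for r in recs) / attempts
        # Few attempts, spread out in time, or mostly successful: looks like a human.
        if attempts < MIN_ATTEMPTS or span > WINDOW_SECONDS or fail_ratio < MIN_FAIL_RATIO:
            labels[ip] = "benign"
        elif len(users) / attempts >= STUFFING_USER_RATIO:
            labels[ip] = "stuffing"   # a different leaked pair on nearly every attempt
        elif len(users) == 1:
            labels[ip] = "cracking"   # many guesses hammering a single account
        else:
            labels[ip] = "benign"
    return labels
```

In production the same counters would be keyed on more than the IP (device fingerprint, session, user agent), since the article notes that residential proxies make a bare IP an unreliable signal.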

How DataDome protects against credential stuffing, credential cracking, and account takeover

Since both bots and humans now use the same browsers and IP addresses, credential stuffing protection must be a real-time, automated process. Humans can no longer act fast enough to match the technical prowess of bots, but artificial intelligence can. With real-time event tracking and behavioral detection, DataDome can identify and protect against the most sophisticated credential stuffing attacks.

DataDome’s bot detection engine compares every hit to your website with a massive in-memory pattern database and uses a blend of AI and machine learning to decide in less than 2 milliseconds whether to grant access to your pages or not. DataDome’s algorithm analyzes billions of daily events and continuously updates to identify both known and zero-day threats.

DataDome is the only credential stuffing and account takeover protection solution delivered as-a-service. DataDome deploys in minutes on any web infrastructure, is unmatched in detection speed and accuracy, and runs on autopilot. You’ll receive real-time notifications whenever your site is under attack, but you don’t have to do anything. DataDome requires no daily interventions from your teams.

Ready to identify, stop and prevent credential stuffing attacks in minutes? Start your free trial or contact us to request a demo.