Credential Stuffing: The Financial Sector’s New Headache

Banks and other financial institutions have long been the targets of hackers. Not only do they deal with massive amounts of funds daily, but they are also entrusted with personal information so valuable that stealing it is a major goal for many cyber criminals. This treasure trove of personal information includes credit card data, customer information, and the wealth of corporate data that can be sold off or exchanged by those looking to make a quick profit or get an edge over a business competitor. Now they have a new, increasingly popular threat to combat. Credential stuffing is an emerging attack method which can be considered a brute force attack. Credential stuffing is the automated injection of breached username and password pairs in order to fraudulently gain access to user accounts. Large numbers of spilled credentials are automatically entered into websites (often by botnets) until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes.

2018 State of the Internet Report

According to Akamai’s 2018 State of the Internet Report, this emerging threat is increasing in popularity. One of the core problems underlying the threat is consumer and employee security practice, in particular the use of the same password and email combination for multiple online services. While this is often done for convenience, it is discouraged by security experts: when a data breach happens to one online service, hackers may gain access to numerous other websites. For example, in 2012 LinkedIn suffered a major data breach in which approximately 112 million credentials were exposed. These credentials could then make their way onto the Dark Web, be sold, and then be used in a credential stuffing attack. All the hacker would need to do is add those credentials to batch scripts which will automatically attempt to fraudulently log into user accounts.

A recent example of a successful credential stuffing attack occurred in July of this year. It is widely believed that the storage service Mega suffered such an attack when thousands of account credentials were leaked as a result of credential stuffing, rather than a compromise of Mega's systems. If a financial account is compromised in such a way, this may lead to the theft of funds or stock portfolio tampering. If the account belongs to an employee of the organization, the damage could be deeper, with the compromise of internal banking systems. Akamai has witnessed a surge in credential stuffing attacks of late. Between November 2017 and June 2018, over 30 billion malicious login attempts were recorded. Fortunately, the success rate of such attacks is relatively low. However, the ease with which an attack can be conducted lends to its popularity.

Case Studies

In the published report by Akamai, two separate cases were explained. In the first, an unnamed Fortune 500 company experienced a credential stuffing attack. Login attempts jumped from an average of 50,000 an hour to over 350,000 in a single afternoon. Examination of the spike in traffic revealed a botnet which had been ordered to send hundreds of malicious login requests per minute. After six days, the firm had recorded over 8.5 million malicious attempts generated by the botnet. This was on top of the legitimate seven million logins. In total, the botnet compromised 20,000 endpoints.

The second case related to a US credit union which became the target of automated credential stuffing. The union would often record a spike in traffic around lunchtime which could sometimes reach 45,000 login attempts every hour. However, experts noticed a major spike in login attempts. Over several days the login attempts rose to 4.2 million. This spike was caused by a noisy and easily detectable botnet, which had the unexpected result of allowing security analysts to detect a further two botnets. According to the report, the US, Russia, and Vietnam are the primary sources for credential stuffing attacks.
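Both cases above surfaced as a jump in hourly login volume over the normal baseline. The following added example (not from Akamai's report) sketches that check, together with a per-source test for many distinct usernames and a low success rate; the thresholds, record layout and sample data are constructed assumptions.

```python
from collections import defaultdict
from statistics import median


def spike_hours(hourly_attempts, factor=3.0):
    """Return the hours whose login volume exceeds factor x the median hour."""
    baseline = median(hourly_attempts.values())
    return sorted(h for h, n in hourly_attempts.items() if n > factor * baseline)


def stuffing_sources(events, min_users=5, max_success_rate=0.1):
    """Flag sources that try many distinct usernames and almost always fail.

    events: iterable of (source_ip, username, success) tuples.
    A legitimate user retries one account; a stuffing bot walks a list of
    breached pairs, so it touches many accounts and rarely succeeds.
    """
    users = defaultdict(set)
    attempts = defaultdict(int)
    successes = defaultdict(int)
    for src, user, ok in events:
        users[src].add(user)
        attempts[src] += 1
        successes[src] += ok
    return sorted(
        src for src in attempts
        if len(users[src]) >= min_users
        and successes[src] / attempts[src] <= max_success_rate
    )


# Constructed sample data: hour of day -> login attempts in that hour.
HOURLY = {9: 48_000, 10: 51_000, 11: 50_000, 12: 52_000, 13: 350_000, 14: 49_000}

# Constructed sample events using documentation-range IP addresses.
EVENTS = (
    [("198.51.100.7", f"user{i}", i == 17) for i in range(40)]  # 40 accounts, 1 hit
    + [("203.0.113.20", "alice", ok) for ok in (False, True)]   # mistyped, then logged in
    + [("203.0.113.21", "bob", True)]                           # ordinary login
)

if __name__ == "__main__":
    print("spike hours:", spike_hours(HOURLY))
    print("suspect sources:", stuffing_sources(EVENTS))
```

Against a distributed botnet each source may stay under the per-source threshold, so the volume check and the per-source check are meant to be used together.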

Costs Associated with Such Attacks

In an infographic published by Akamai and Ponemon, the potential costs of suffering a credential stuffing attack were shown. It was suggested that up to 70 percent of individuals within organizations believe the tools needed to defend against these attacks diminish the web experience of legitimate users, adding reputational damage as well as financial damage to an organization. In terms of finances, the attack costs businesses up to 6 million USD per year. Perhaps due to the relatively recent emergence of credential stuffing attacks targeting financial institutions, only 30 percent of companies have introduced tools and solutions to mitigate the threat of compromise.

Akamai concluded that:

“Every business is impacted by credential stuffing botnets. Many businesses just see the traffic because of scattershot scans, but financial services and retail sites are prime targets. Account takeover is profitable for attackers, guaranteeing that it will be a threat for the foreseeable future.”

Recently, financial institutions have come under increased attack. Hackers stole 13.5 million USD from Cosmos Bank in India. The MoneyTaker hacking group is suspected of stealing millions from banks in the UK, US, and Russia. Tech giant IBM is receiving more requests than ever to improve the security of ATMs following numerous instances of ATM jackpotting campaigns and other scams. Given the sudden rise in popularity of credential stuffing attacks, financial institutions will be placed under further strain in trying to shore up their cyber defenses.