
The Worrisome Rise of Credential Stuffing

DataVisor Threat Blog

By Ting Fang Yen March 18, 2019


About Ting Fang Yen
Director of Research // Ting-Fang specializes in network and information security data analysis and fraud detection in the financial, social, and eCommerce industries. She holds a PhD in Electrical and Computer Engineering from Carnegie Mellon and has previously worked for E8, RSA, and Microsoft.

How to prevent coordinated, automated, big data-scale ATO

Account takeover (ATO) is not only one of the most dangerous forms of online fraud; it is increasingly one of the most common. The prevalence of readily accessible user data—the result of ongoing massive data breaches—makes this uniquely hard-to-spot attack type particularly appealing to fraudsters, and increasingly powerful automation capabilities are giving rise to an especially damaging breed of ATO. It’s called credential stuffing, and seemingly no organization is immune—in recent months, companies ranging from Dunkin’ Donuts and DailyMotion to OkCupid and Reddit have suffered massive credential stuffing ATO attacks.

Big data-scale ATO

In its simplest form, ATO is precisely what it sounds like—a legitimate user account gets taken over by a fraud actor who has obtained the necessary credentials to enter the account. What makes credential stuffing unique—and uniquely concerning—is the scale. In a credential stuffing attack, fraudsters leverage massive troves of leaked legitimate user credential data to begin firing pairs of names and passwords at other sites in hopes of getting a “hit”—an instance in which a combination works, and a hacker gets into an account. Once in, the fraudster is free to eke as much value from the account as possible.

The high value of your personal and financial data

ATO attacks of any type are dangerous because they involve real accounts created by real users. When a fraudster gets into a legitimate account, they get unrestricted access to that user’s personal and financial data. They can use that information for their own fraudulent activity, or they can sell the information on the underground market. The latter can be extremely lucrative, as can be seen from some of the numbers recently provided by Grove Technologies, in an article titled “What is Your Personal Information Worth on the Dark Web”:

  • Social Security number: $1
  • Driver’s license: $20
  • Online payment services login info (e.g., Paypal): $20-$200
  • Diplomas: $100-$400
  • Passports (US): $1000-$2000

Hacked accounts are not only used for harvesting existing financial credentials or personal data. In a large-scale credential stuffing attack we recently observed at a Fortune 500 e-commerce site, the attackers mainly used the compromised accounts to validate stolen credit card numbers. If a credit card is invalid or known to be compromised or stolen, the site will reject the “add card” action and display a warning message. In this way, fraudsters can easily determine which cards are viable for future fraudulent activity.

The Dunkin’ Donuts Hack

Another way fraudsters accrue value from hacked accounts is through the accumulation of “virtual” currency such as rewards points that can be converted into merchandise and benefits. A recent high-profile example is the Dunkin’ Donuts hack, announced on February 12, 2019, and described in an article from ZDNet. In the attack:

“Hackers used user credentials leaked at other sites to gain entry to DD Perks rewards accounts, which provide repeat customers with a way to earn points and use them to get free beverages or discounts for other Dunkin’ Donuts products. The type of information typically stored inside a DD Perks account includes a user’s first and last names, email address (also used as username), a 16-digit DD Perks account number, and a DD Perks QR code. But hackers weren’t after users’ personal information stored in Dunkin’ Donuts rewards accounts. Instead, they were after the account itself, which they are selling on Dark Web forums.”

Preventing credential stuffing ATO attacks

One of the biggest challenges in preventing credential stuffing attacks is that users continue to reuse passwords across sites. This fact, combined with the overwhelming magnitude of data breaches in recent years—according to the Breach Level Index, more than 6 million records are lost or stolen every day—means virtually no site is immune.

Another significant challenge to prevention is that attacks are automated and executed at scale. Attackers often employ massive botnets—connected networks of compromised machines—to do their bidding. By scripting these “bots” to perform login attempts, the attack is scaled out across hundreds of thousands to millions of IP addresses, with each IP only generating a small number of events. DataVisor estimates that 50% to 80% of account takeover attacks on financial services are conducted via coordinated attacks like this, and this number can be up to 95% on social or gaming platforms.

Blocking individual IPs may slow the attackers down at first, but fraudsters are quick to pivot and bypass static blacklists by using a different botnet, or other proxies and anonymous routing services. Blacklists also need to be updated frequently, and, by definition, are reacting after the fact.

There are solutions, of course, but the best defense—multi-factor authentication—brings with it high user friction and high deployment costs.

This is one reason why advanced detection tools are so important, though detection itself has its own challenges when it comes to preventing credential stuffing attacks, because these attacks harness legitimate user accounts. It’s one thing for fraud management systems to detect fake accounts, but it’s another thing altogether to detect fraud when it appears in the form of real users.

Effective ATO prevention strategies must be proactive

Credential stuffing attacks are coordinated, automated, and massive in scale. To prevent ATO of this type, an advanced fraud management solution is required: one that can review users and events holistically, and reveal the clandestine correlations and patterns that signify fraudulent attacks. Attempted ATO that is the result of credential stuffing must be stopped at the point of login, but this is extremely difficult because accounts are compromised using legitimate credentials. Accordingly, it is the method of attack that must be spotted. Only in this way can credential stuffing fraudsters be disarmed before they do real damage.
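To make the contrast between per-IP blocking and holistic review concrete, here is an added example (not DataVisor's method or code from the original post) that runs both over a constructed login log. The log format, function names and thresholds are illustrative assumptions.

```python
from collections import Counter, defaultdict

def make_events():
    """Constructed sample log: (epoch_seconds, ip, username, success)."""
    events = []
    # Window 0: 40 real users on their own IPs; one in ten mistypes a password.
    for i in range(40):
        events.append((i * 15, f"10.0.{i}.1", f"user{i}", i % 10 != 0))
    # Window 1: 300 bot IPs, two attempts each, a different account every time.
    for i in range(600):
        bot = i % 300
        ip = f"10.9.{bot // 250}.{bot % 250 + 1}"
        events.append((600 + i, ip, f"victim{i}", i % 97 == 0))
    return events

def per_ip_blocklist(events, max_failures=5):
    """Static rule: block any IP with more than max_failures failed logins."""
    fails = Counter(ip for _, ip, _, ok in events if not ok)
    return {ip for ip, n in fails.items() if n > max_failures}

def window_profiles(events, window=600):
    """Profile all logins in each time window, regardless of source IP."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        buckets[ts // window].append((ip, user, ok))
    profiles = {}
    for w, rows in buckets.items():
        failed = [(ip, user) for ip, user, ok in rows if not ok]
        profiles[w] = {
            "attempts": len(rows),
            "fail_rate": len(failed) / len(rows),
            "failing_ips": len({ip for ip, _ in failed}),
            "failing_users": len({user for _, user in failed}),
        }
    return profiles

def stuffing_windows(profiles, min_fail_rate=0.8, min_ips=50, min_users=100):
    """Flag windows whose failures span many IPs and accounts (assumed cutoffs)."""
    return sorted(w for w, p in profiles.items()
                  if p["fail_rate"] >= min_fail_rate
                  and p["failing_ips"] >= min_ips
                  and p["failing_users"] >= min_users)

if __name__ == "__main__":
    events = make_events()
    print("per-IP rule blocks:", per_ip_blocklist(events))
    print("suspect windows:", stuffing_windows(window_profiles(events)))
```

No single bot IP exceeds two failures, so the per-IP rule blocks nothing, while the aggregate profile of the second window (a high failure rate spread across hundreds of IPs and accounts) stands out immediately.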

