Leaked credentials are the dark web’s bestseller, stolen through data breaches, credential stuffing and phishing campaigns. Learn how Cybersixgill can stop the leak at the first drop.
Recently we published a guide to the top 5 cybersecurity risks, authored by Brad LaPorte, a former Gartner Senior Director Analyst and Cybersecurity Industry Expert. Last year was the worst year on record for cybersecurity attacks, with account takeover (ATO) attacks - including credential stuffing and phishing campaigns - constituting the number one cause of breaches. After so many years of fielding phishing attempts on a daily basis, haven't we learned to be wary of deals that are too good to be true, or offers from major companies coming from unrelated domains? Unfortunately, even one corrupted account can be enough to compromise an entire network. Shuman Ghosemajumder, a former Google click fraud expert, determined that attacks using leaked credentials can have up to a 2% login success rate. So phishing, like fishing, requires patience, a wide net, and good bait.
Account credentials can also be exfiltrated in bulk by cybercriminals through network breaches, brute force tactics, keylogging and man-in-the-middle attacks. Ultimately, these leaked credentials will end up for sale on the dark web. Here is a recent price list: the cost of bank login credentials average $25, full credit card details can sell for $12–20, and you can even buy enough sensitive information to steal a person's identity for $1,275.
What is a Credential Stuffing Attack?
Credential stuffing is the process of testing large sets of leaked credentials against targeted applications or web interfaces. Lists of thousands or millions of usernames/email addresses and the matching passwords (usually obtained from data breaches), are used to gain access to user accounts through large-scale automated login requests directed against a web application. Compromised credentials exfiltrated through these data breaches are used to build “dictionaries” or “combo lists,” which are then traded and sold on the dark web to be used for credential stuffing operations. A criminal simply automates the logins for a large number of leaked credential pairs using known web automation tools such as Selenium, cURL, PhantomJS or tools designed specifically for these types of attacks, such as Sentry MBA, SNIPR, STORM, Blackbullet and Openbullet. With companies getting breached on a regular basis, the lists of leaked credentials keep getting bigger.
Credential stuffing attacks are possible because many users have the habit of reusing the same username/password combination across multiple sites. With the 2% login success rate mentioned above, one million stolen credentials can take over 20,000 accounts, making this a highly profitable venture.
Fight Automation with Automation
One way to protect against leaked credential exploitation is to use unique passwords for each account, such as those generated automatically by a password manager. Another is the implementation of multi-factor authentication with the login process, which involves relying on employees to complicate their usual login processes with extra steps, requiring their patience and cooperation. Still, even these security protocols may not be enough to stop the leak. A more centralized solution is to receive automatic notifications on leaked employee and customer credentials through the Cybersixgill Investigative Portal. These automated alerts are fully customizable, warning you in real-time of leaked organizational data, including OCR extracted text from images to identify logos and designs.
Credential stuffing has become a popular weapon of choice for fraudsters. Millions of leaked credentials are easily discoverable and exploitable using bots and malicious automation. To overcome this type of attack, one must fight machine with machine with superior threat intelligence for proactive defense. With cybercriminals weaponizing machine learning and artificial intelligence for malicious purposes, ensure that your cyber defense system is automated as well.
Learn how to access leaked credentials on the dark web with our Investigative Portal