Credential Stuffing

How Fraudsters Launch Account Takeover Attacks in 3 Steps

October, 21, 20215 min Read

Credential stuffing attacks are where fraudsters match thousands of stolen username-password combinations to arrive at valid combinations. To achieve scale at the least possible investment, they deploy automation  

Automated credential stuffing is one of the most cost-efficient methods fraudsters use to tailor their attacks according to the target industry or sector. It allows them to launch strategic attacks and maximize profits with the least possible investments.

The internet and the dark net are replete with consumers’ personally identifiable information, which can be obtained easily and cheaply. Then there are tools that facilitate quick mapping of stolen details to match valid combinations. This is a common technique that would work well for, say an eCommerce or a travel website. For the financial services sector, however, where emails are not used as usernames, fraudsters resort to using malware or phishing to trick users into sharing account details. Similarly, when the objective is to compromise a system administrator account, fraudsters use a dictionary attack.

A credential stuffing attack typically involves three steps:

Credential Harvesting:

Where attackers acquire user data by deploying a range of techniques namely: phishing, malware attacks, or exploiting security loopholes in business networks. These databases, on their own, can fetch lucrative rewards when sold on the public or dark net. Fraudsters can sell these databases multiple times over to maximize returns until the databases become dated.

Credential Checking:

Next, fraudsters check the harvested details against multiple targeted websites. To achieve scale, they use botnets that are easily and cheaply available. Some of these automation solutions come with tutorials as well as support, which makes this step ridiculously easy even for an amateur, wannabe fraudster. They can just enter the list of stolen credentials into the tool, configure proxies, define the target and sit back to get the results. The tool will attempt to log in against the targeted website using the credentials and provide a report of the valid and verified username and password combinations. Since nearly 59% of people are estimated to reuse their passwords for ease of remembering, it improves the chances for fraudsters to find valid accounts. 

Once the ‘clean’ list with verified credentials is obtained, it is ready to be monetized - by selling it on the darknet or fueling account takeover attacks. This database obviously fetches more returns than the unclean dumps of stolen credentials. Furthermore, depending on the industry such as banking or eCommerce, the databases may garner higher values.

Account Takeover:

Fraudsters can choose to use the verified databases of valid username-password combinations themselves to power account takeover attacks instead of selling them off to third parties. They can also sell the compromised accounts separately or in bundles depending on what access, data or potential monetary value is attached to them. 

To ascertain the value associated with the accounts, fraudsters log in to the compromised accounts and check the potential value of the account, say in terms of personal information, credits, reward points, gift cards, registered credit cards, and so forth. The more information available about the account, the more marketable it will be, and the higher the revenue. For instance, unused loyalty points in a compromised travel account can be used to book travel or hotels. This also explains why bank accounts are more ‘pricey’ as not only is the process of harvesting user data complex, but the potential gains from a compromised financial services account are much higher.

Account takeover opens up a wide horizon of opportunities for a fraudster to exploit the compromised account. Draining funds in the account, redeeming loyalty points, and accessing other financial details is just the starting point. The compromised accounts can be used for money muling, money laundering, micro-deposit fraud, and other crimes that can have far-reaching social consequences. 

All Digital Accounts are Vulnerable to Credential Stuffing

The frequency with which incidents of data breach are spilling consumer information all over the web, all digital accounts are vulnerable to credential stuffing and subsequent account takeover attacks. 

With fraudsters having access to superior tools and techniques, it’s no longer a matter of ‘if’ but ‘when’ a business might become the next target. Therefore, to protect consumer accounts, digital businesses need a proactive approach that can efficiently protect user touchpoints, especially logins. 

Use Targeted Friction to Protect Logins

Arkose Labs redirects all incoming traffic to its network so the business network is protected from the onslaught of attackers. The Arkose Labs platform monitors the activity of all users before they can gain entry into a business network. Real-time risk assessment coupled with adaptive, step-up enforcement challenges enables using targeted friction to stop bad actors right at the entry gates while allowing genuine users to continue unhindered with their digital journeys. 

With a balanced use of device forensics, machine learning, gamification, and a continuous feedback loop between the risk assessment and enforcement mechanisms, Arkose Labs helps its partners protect users’ digital accounts in the long-term while maintaining superlative customer experience. Furthermore, with the introduction of its industry-first $1 million Credential Stuffing Warranty, Arkose Labs stands together with its partners with a 48-hour remediation SLA and the promise of efficient protection against credential stuffing attacks.

To learn how Arkose Labs can help you safeguard your business and consumer interests against credential stuffing and account takeover attacks, please book a demo now.