Like most of us, hackers would prefer to do as little work as possible, and all too often, we serve as their accomplices.
While some of those engaged in cyberattacks still wield virtual hacksaws and decode complex pathways, just about every cyberthief seeks the path of least resistance. Credential stuffing is one of the names that that path goes by.
Credential stuffing takes basic brute-force attacks to another — one might say more efficient — level. It replaces bluntness and random strings not with finesse but with what amounts to inside information. Think of credential stuffing as less like picking a single lock than gaining possession of the master key. In the wake of a breach, any breach, login credentials suddenly become currency, eligible for use on other servers.
That's problematic enough during normal times. During the COVID-19 pandemic, the challenges have only multiplied. Large-scale phishing campaigns and database dumps are happening at this writing. Risk factors are off the charts, given that more users are working remotely and, unfortunately, are having a tough time spotting phishing emails. That in turn leads to stolen credentials for services like Zoom and, thanks to password reuse, threatens to compromise other accounts and other applications. This also leads to the increasingly pervasive — and threatening — practice of business email compromise (BEC), where a single phished or dumped password can expose a user's full email history and enable the attacker even more access into that user's personal and professional life.
Back in the day, hackers maintained word lists — likely or conceivable passwords — to use against a system or an account. Hitting paydirt was a time-consuming process that paid uncertain dividends. With the profusion of legitimate passwords out and about in the real world — passwords associated with known accounts and usernames from online destinations such as Netflix, Facebook, Dropbox and legions more — credential stuffing effectively means game over for a huge number of users. And that wall that once separated business accounts (say, Wells Fargo) from personal accounts (say, Amazon Prime) has long since been, pardon the expression, breached. Password reuse has morphed into password abuse.
Here, as in so many other realms of cyber life, hackers got there first. They figured out the obvious: Ransacking a heavily trafficked site — a single service that yields access to thousands or millions of accounts — beats playing roulette with more obscure destinations. All of which is an irrefutable argument in favor of deploying unique passwords, at the very least.
There is, in fact, much more that individuals, acting as consumers and members of a given business community, can do. Requiring regular password changes and two-factor authentication can be effective at stopping these types of attacks, two-factor authentication especially.
That said, be aware that continuously compelling users to change passwords and having to remember so many different password combinationsmay have unintended consequences. Users may wind up creating a base password and simply changing the last few characters, which can lead to weak, and easily cracked, passwords. Enter the password manager, a popular solution but one that carries its own risks. A password manager effectively serves as a vault holding a trove of passwords, so take special care when selecting a password management solution. With two-factor authentication, even if the password is weak or leaked, the attacker isn't able to log in without having physical access to the user's phone or another device used to generate an OTP (one-time password). This is why most online services are scrambling to implement two-factor authentication or some other means of protecting potentially compromised accounts, such as artificial intelligence and machine learning.
If two-factor authentication is not possible, at the very least, mandate regular password changes. Doing so will make it more difficult to guess the correct password, given that leaked databases are not always fresh, and different sites will have different password change schedules, which, in turn, may effectively lead to randomized passwords. When using a password manager, it's also a good idea to use its security health-check feature, assuming one is available. Signing up an individual or an organization to an online list such as "have i been pwned" can help minimize risk after a leak from a password dump.It's yet another way to compel hackers to work that much harder to do mischief.
Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.