
Watch out for Christmas 2021 Credential Stuffing Attacks!


According to Arkose Labs' research, there were over two billion credential stuffing attacks (2,831,028,247) in the last 12 months, with the number growing exponentially between October 2020 and September 2021.

This form of online fraud has increased by 98 percent over the previous year, and it is projected to spike during the Christmas shopping season. Credential stuffing accounted for 5% of all web traffic in the first half of 2021.

Credential stuffing is the latest cyber-attack technique used by online criminals to obtain unauthorized access to users' financial and personal accounts. Cybercriminals take control of real user accounts and monetize them in a variety of ways: draining money from compromised accounts, collecting and reselling personal information, selling databases of verified username and password combinations, and using compromised accounts to launder money obtained from other illegal sources. People who reuse the same username/password combination across sites are the usual targets.

The anti-fraud community has flagged credential stuffing as a growing problem for several years, but the jump in internet activity during the pandemic and the growth of online shopping have driven it up further in recent months. Credential stuffing increased 56 percent during last year's Christmas and New Year shopping season, according to research analysts, and the same period in 2021 is forecast to see up to eight million attacks on consumers every day.

The Arkose Labs network detected and blocked 285 million credential stuffing attacks in the first half of 2021, with spikes of up to 80 million in a single week. One heavily targeted social media company saw 1.5 million credential stuffing attacks in a single week.

Kevin Gosschalk, CEO at Arkose Labs stated, “The global e-commerce landscape is more connected than ever before and personal information has become the currency of fraudsters. Credential stuffing is prolific. It’s become an enormous concern to online businesses and is fast overtaking other well-known attack tactics, such as ransomware, as THE cyber attack to watch out for.” 

“Fraudsters are compelled to this type of cybercrime as the low barrier to entry makes it easy to deploy and online criminals can generate profits with just one successful compromised account. Their volumetric approach can come on abruptly, quickly overloading businesses’ servers and putting customers at risk.” 

Other key information 

According to the research team's latest findings:
  • The most attacked industries by sector are gaming, digital and social media, and financial services. 
  • Credential stuffing attacks accounted for over half of all attacks aimed at the gaming industry. 
  • The United Kingdom was named as one of the top three regions from which credential stuffing attacks against the rest of the world originate. 
  • Alongside it, Asia and North America both showed large volumes of fraudulent activity originating from their regions.
  • During the first half of 2021, mobile-based attacks accounted for approximately one-quarter of all attacks.

Proxy Phantom Employs Automated Credential Stuffing Technique to Target Online Retailers


Cybersecurity researchers have exposed a massive fraud operation that targets e-commerce companies in account takeover attacks. 

Sift, a fraud prevention firm, announced on Thursday that the hacker ring, dubbed Proxy Phantom, is using over 1.5 million sets of stolen account credentials in automated credential stuffing attacks against online retailers.

Credential stuffing attacks typically take a large number of stolen or leaked credentials (username and password pairs) from one website and test them on the login pages of other websites. The attacker's goal is to gain unauthorized access to as many user accounts as possible and then carry out further attacks or fraudulent schemes.

Sift's researchers estimate that only 0.1% of credential stuffing attempts succeed. However, because thousands of credential pairs can be tried at the same time, the attacks remain worthwhile for the attacker despite the low success rate, particularly when aimed at businesses or financial services.

Proxy Phantom "flooded businesses with bot-based login attempts to conduct as many as 2,691 login attempts per second," according to Sift's Q3 2021 Digital Trust & Safety Index. The group also used connected and rotating IP addresses to make the requests appear to come from different geographic areas, and primarily targeted e-commerce platforms and online services.

"As a result, targeted merchants using rules-based fraud prevention methods would be forced to play a supercharged, global game of 'whack-a-mole,' with new combinations of IP addresses and credentials (likely purchased in bulk on the dark web) coming for them at an unthinkable pace," Sift stated.

The report further notes that account takeover attacks identified by the company jumped by 307% over Q3. The financial sector is a top target, including cryptocurrency exchanges and digital wallet services.

Earlier this month, Netacea, a UK-based software firm, released an index documenting the activity of scalper bots: automated systems built to beat online queues for high-demand products like concert tickets and gaming consoles so that their operators can resell them at a profit.

 “Fraudsters will never stop adapting their techniques to overwhelm traditional fraud prevention, making suspicious logins look legitimate, and legitimate ones look suspicious. At the same time, poor consumer security habits—like reusing passwords for multiple accounts—make it easy and continue to breathe life into the fraud economy,” stated Jane Lee, trust and safety architect at Sift. 

“To proactively secure customer accounts and fuel expansion into new markets, merchants need to adopt a Digital Trust & Safety strategy to stop these advanced attacks before they shatter consumer loyalty and stifle growth,” she added.

FBI: Credential Stuffing Attacks on Grocery and Food Delivery Services

According to the FBI, attackers are breaking into customer accounts at grocery stores, restaurants, and food delivery services using credential stuffing attacks, draining customer funds through fraudulent orders and obtaining personal or financial details.

The warning comes in an FBI Private Industry Notification from the agency's Cyber Division, issued last week to firms in the US food and agriculture sectors. According to the agency, cybercriminal gangs are logging into customer accounts at grocery and food delivery services using username and password combinations stolen in breaches of other firms, in the hope that customers have reused credentials across accounts.

Credential stuffing attacks use automated tools and proxy botnets to spread the attempts across a wide range of IP addresses and hide the attackers' location. With billions of user credentials exposed online, credential stuffing has become prevalent across many industry verticals over the last decade. Most supermarket, restaurant, and food delivery accounts include a rewards program and usually store payment card details, so cybercriminals have concentrated on these accounts over the last year.

Since July 2020, the FBI has received reports of multiple instances: 

“As of February 2021, an identified US-based food company suffered a credential stuffing attack that affected 303 accounts through customers’ emails. The cyber actors used six of the compromised accounts to make purchases through the US-based company; however, the US-based company canceled and flagged one of the orders as fraudulent. The US-based company suffered a financial loss of $200,000 due to the fraudulent orders. 

In October 2020, customers of a restaurant chain reported orders fraudulently charged to their accounts as the result of a credential stuffing attack. The company reimbursed the customers for the fraudulent charges. Another restaurant chain experienced a credential stuffing attack in April 2019. Customers posted on social media that their payment cards had been used to pay for food orders placed at restaurants. 

In July 2020, customers' personal information of a grocery delivery company was being sold on the dark web. The information from approximately 280,000 accounts included names, partial credit card numbers, and order history. The company received customer complaints about fraudulent orders and believed the activity was the result of credential stuffing.” 

Separately, independent research from threat intelligence firm DarkOwl found an increase in underground advertisements offering access to restaurant and food delivery accounts, a surge that appears to have begun after the COVID-19 pandemic started in early 2020.

With more people confined at home and ordering meals online, demand for food delivery accounts has grown as fraudsters try to dine at someone else's expense. According to the FBI, victim firms are typically unaware of any intrusion until customers report strange activity on their accounts, such as pick-up orders they did not place.

The FBI also states that in most cases thieves gained access to individual accounts using basic tactics such as credential stuffing. The agency calls on businesses to strengthen their defenses against such attacks, to watch for signs of a credential stuffing attack, and to develop a multi-layered mitigation strategy.

Signs of a credential stuffing attack include: 
- an unexpectedly high number of unsuccessful logins via the online account portal 
- a higher than usual lockout rate and/or a flow of customer calls about account lockouts and unauthorized changes 

Recommended Mitigations: 

• Inform customers and employees about this type of attack, emphasizing the need to use different passwords for different accounts and to change passwords regularly. 
• Advise customers to monitor their accounts for unauthorized access, changes, and unusual activity; usernames and passwords should be changed if an account is compromised or fraud is suspected. 
• Set up two-factor or multi-factor authentication when creating or upgrading an account. 
• Create corporate policies that require contacting the account's owner to verify any changes to the account's details. 
• Use anomaly detection tools to spot unexpected traffic spikes and unsuccessful login attempts. Consider using CAPTCHA to counter automated scripts or bots. 
• Develop policies for device fingerprinting and IP blacklisting. 
• Use both a PIN code and a password. 
• Watch for lists of leaked user IDs and passwords on the dark web, and run tests to see whether current user accounts are vulnerable to credential stuffing attacks. 
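The two indicators listed above can be checked mechanically against authentication logs. The following is an added example, not from the FBI notification or from this blog: it assumes a simple log line format of timestamp, source IP, username and result, builds a baseline from the log itself, and raises an alert for a failed-login spike or a lockout spike. The sample log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data), one login attempt per line:
# "<ISO timestamp> <source_ip> <username> <result>", result in {success, failure, lockout}.
# 10:00 and 10:01 are ordinary traffic; 10:02 is a burst from rotating proxy IPs.
SAMPLE_LOG = [
    "2021-11-20T10:00:05 203.0.113.10 alice success",
    "2021-11-20T10:00:17 203.0.113.11 bob failure",
    "2021-11-20T10:00:40 203.0.113.11 bob success",
    "2021-11-20T10:01:03 203.0.113.12 carol success",
    "2021-11-20T10:01:30 203.0.113.13 dave failure",
    "2021-11-20T10:01:55 203.0.113.14 erin success",
] + [
    # 40 distinct accounts, each tried once from its own IP; every 7th attempt trips a lockout
    f"2021-11-20T10:02:{i:02d} 198.51.100.{i} user{i:03d} {'lockout' if i % 7 == 0 else 'failure'}"
    for i in range(1, 41)
]


def parse(lines):
    """Parse log lines into (timestamp, ip, user, result) tuples."""
    events = []
    for line in lines:
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def by_minute(events):
    """Group events into one-minute buckets, keyed by bucket start, in time order."""
    buckets = defaultdict(list)
    for event in events:
        buckets[event[0].replace(second=0, microsecond=0)].append(event)
    return dict(sorted(buckets.items()))


def detect(lines, fail_factor=5, min_failures=20, lockout_threshold=3):
    """Return (minute, sign, count) alerts for the two FBI indicators.

    failed_login_spike: failures in a minute reach min_failures and exceed fail_factor
        times the median failure count of the other minutes (the baseline);
    lockout_spike: lockouts in a minute reach lockout_threshold.
    The baseline comes from the log itself, so a few ordinary typos never trigger an alert.
    Threshold values are assumptions and need tuning per portal.
    """
    buckets = by_minute(parse(lines))
    failures = {m: sum(1 for e in evs if e[3] == "failure") for m, evs in buckets.items()}
    alerts = []
    for minute, events in buckets.items():
        others = sorted(v for m, v in failures.items() if m != minute)
        baseline = others[len(others) // 2] if others else 0
        if failures[minute] >= min_failures and failures[minute] > fail_factor * max(baseline, 1):
            alerts.append((minute, "failed_login_spike", failures[minute]))
        lockouts = sum(1 for e in events if e[3] == "lockout")
        if lockouts >= lockout_threshold:
            alerts.append((minute, "lockout_spike", lockouts))
    return alerts


if __name__ == "__main__":
    for minute, sign, count in detect(SAMPLE_LOG):
        print(f"{minute:%H:%M} {sign}: {count}")
```

On the constructed log the burst minute produces two alerts (35 failures against a baseline of 1, and 5 lockouts); the two ordinary minutes produce none. In production the baseline window would span hours or days rather than two minutes, but the detection needs only fields every login portal already records.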

Owners of compromised accounts should also be told that, if financial data was stored in their account and not protected, they may need to check their payment card balances. Beyond selling access to compromised accounts, DarkOwl reported last year that some hackers profited from selling or openly sharing step-by-step guides to return policy fraud. 

Although refund policy fraud may not pose a direct threat to end customers, food delivery firms should also watch for these kinds of scams, even though the FBI has not issued a warning about them.

Banking Sector suffered more Credential Stuffing than DDoS Attacks


According to a report recently published by F5's security research team, the financial sector has suffered more from credential stuffing attacks than from DDoS attacks in the last three years. The statistics cover attacks against the financial industry as a whole, including banks, credit unions, insurance companies, brokerages, and related services such as SaaS (Software as a Service) providers and payment processors.

The report's conclusion contradicts the common belief that the financial sector suffers most from DDoS attacks, as other prominent threat types are emerging. The report says that from 2017 to 2019, brute force attacks, ATO (Account Takeover) attacks and credential stuffing attacks did considerably more damage to the financial sector than DDoS did.
The ATO attacks include:

  • Credential Stuffing - Attackers log in using leaked username and password pairs they find online. 
  • Brute Force Attacks - Attackers try very common or weak passwords from a list against an account. 
  • Password Spraying - Attackers try the same few passwords against many different accounts. 
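The three ATO types differ in the shape of the failed-login traffic they produce, which is what a detection rule can key on: brute force piles guesses onto one account, while spraying and stuffing touch many accounts about once each and differ mainly in how many source addresses they come from. The following classifier is an added example, not part of F5's report or its tooling; its bursts of (source IP, username) pairs are constructed, and the threshold values are assumptions.

```python
from collections import Counter

# Constructed bursts of failed logins (not real data): one (source_ip, username) per attempt.
BRUTE_FORCE = [("203.0.113.5", "admin")] * 30                                  # one account, many guesses
PASSWORD_SPRAY = [("203.0.113.9", f"user{i:02d}") for i in range(30)]           # many accounts, one source
CREDENTIAL_STUFFING = [(f"198.51.100.{i}", f"user{i:02d}") for i in range(30)]  # many accounts, many sources
NORMAL = [("203.0.113.1", "alice"), ("203.0.113.2", "bob"), ("203.0.113.1", "alice")]


def classify(failed_attempts, min_attempts=10, per_account_threshold=5, ip_spread=0.5):
    """Label a burst of failed logins by its shape.

    brute_force: guesses pile onto one account (max attempts per user >= per_account_threshold).
    Otherwise the attempts are spread over many accounts at about one each, and the source
    spread decides between the two breadth-first ATO types:
      credential_stuffing_shape: distinct IPs / attempts >= ip_spread (rotating proxies);
      password_spray_shape: few sources driving attempts against many accounts.
    Usernames and IPs alone cannot separate spraying from stuffing with certainty: that would
    need to know whether each attempt carried a distinct leaked password or one shared guess,
    which login logs should not record. Treat the two shape labels as a hint, not a verdict.
    """
    n = len(failed_attempts)
    if n < min_attempts:
        return "normal"
    per_user = Counter(user for _, user in failed_attempts)
    if max(per_user.values()) >= per_account_threshold:
        return "brute_force"
    distinct_ips = len({ip for ip, _ in failed_attempts})
    return "credential_stuffing_shape" if distinct_ips / n >= ip_spread else "password_spray_shape"


if __name__ == "__main__":
    samples = [("brute force", BRUTE_FORCE), ("spray", PASSWORD_SPRAY),
               ("stuffing", CREDENTIAL_STUFFING), ("normal", NORMAL)]
    for name, burst in samples:
        print(f"{name}: {classify(burst)}")
```

The per-account threshold is what separates the depth-first attack from the breadth-first ones; the IP-spread ratio is the same proxy-botnet signature described in the FBI section above, applied here to tell a distributed stuffing campaign from a spray launched from a handful of addresses.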
Similarities between Credential Stuffing and DDoS attacks 
According to F5's reports, DDoS attacks surged in 2019, but these figures can't be taken as entirely accurate: some credential stuffing and brute force attacks are so fast and heavy that they are mistaken for DDoS attacks. F5 attributes the rapid rise in credential stuffing and brute force attacks to a shrinking supply of fresh leaked usernames and passwords. With fewer new leaks to draw on, attackers try to extract as much value as they can from each list, hence the increase in volume. 

Banks in North America a bigger target
According to the experts, North American banks have seen the highest number of brute force and credential stuffing attacks because leaked passwords and credentials of North American users have been available online for the last decade. "The combination of a global rise in DoS attacks and an increasing focus in North America on credential-based attacks suggests some ambivalence among attackers regarding the best strategies for extracting value from financial services targets," F5 concludes in its report.

No environment is immune to cyber attacks : Research

Global cyber-security solutions provider Check Point Software Technologies Ltd. released its “Cyber Attack Trends: 2019 Mid-Year Report”, which finds that no environment is immune to cyber-attacks.

Threat actors continue to develop new tool sets and techniques, targeting corporate assets stored on cloud infrastructure, individuals’ mobile devices, trusted third-party supplier applications and even popular mail platforms:

Mobile banking: With a more than 50% increase in attacks compared to 2018, banking malware has become a very common mobile threat. Today, banking malware can steal payment data, credentials and funds from victims’ bank accounts, and new versions of these malware families are ready for mass distribution by anyone willing to pay.

Software supply chain attacks: Threat actors are extending their attack vectors, for example by focusing on the supply chain. In a software supply chain attack, the threat actor typically implants malicious code into legitimate software by modifying and infecting one of the building blocks the software relies upon.

Email: Email scammers have started to use various evasion techniques designed to bypass security solutions and anti-spam filters, such as encoded emails, images of the message embedded in the email body, and complex underlying code that mixes plain-text letters with HTML characters. Other methods that let scammers stay under the radar of anti-spam filters and reach targets’ inboxes include social engineering techniques and varying and personalizing email content.

Cloud: The growing popularity of public cloud environments has led to an increase in cyber-attacks targeting the enormous resources and sensitive data residing on these platforms. Poor security practices, such as misconfiguration and weak management of cloud resources, remain the most prominent threat to the cloud ecosystem in 2019, exposing cloud assets to a wide array of attacks.

“Be it cloud, mobile or email, no environment is immune to cyber attacks. In addition, threats such as targeted Ransomware attacks, DNS attacks and Cryptominers will continue to be relevant in 2019, and security experts need to stay attuned to the latest threats and attack methods to provide their organizations with the best level of protection,” said Maya Horowitz, Director, Threat Intelligence & Research, Products at Check Point.

42 Million Emails And Passwords Uploaded To A Free, Public Hosting Service


A collection of 42 million records was recently uploaded to the anonymous file hosting service kayo.moe. It included unique email addresses and plaintext passwords, alongside partial credit card data.

Troy Hunt, Australian security researcher and creator of the Have I Been Pwned data breach index site, was asked to analyze the collection and determine whether it was the result of an unknown data breach. He found that more than 91% of the passwords in the dataset were already in the Have I Been Pwned collection, and that the filenames in the collection don't point to a specific source, because there is no single pattern to the breaches they appeared in.

Given the format of the data, the lists are most likely intended for credential stuffing attacks, which combine cracked passwords and email addresses into a single list and run them automatically against many online services to hijack the user accounts that match.

Sample of data from lists sent to Hunt

Credential stuffing works because users, for convenience, are likely to reuse the same credentials on many other sites.

"When I pulled the email addresses out of the file, I found almost 42M unique values. I took a sample set and found about 89% of them were already in HIBP which meant there was a significant amount of data I've never seen before," Hunt wrote in a blog post.

The database contained a total of 755 files, totalling 1.8GB.

Users are constantly encouraged to use strong and distinct passwords for different accounts, and to always enable multi-factor authentication.
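The comparison Hunt describes above, checking a credential list against Have I Been Pwned, is something a defender can run for their own user base without sending any password off-site, using the k-anonymity design of HIBP's Pwned Passwords range API: the client sends only the first five hex characters of the password's SHA-1 and matches the remaining suffix locally against the list the server returns. The following is an added example, not Hunt's code or HIBP's; the breached-password corpus, the "email:password" credential list and the in-process range_lookup function are constructed stand-ins for the real service.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breached-password corpus (not HIBP's real data).
BREACHED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "welcome1", "iloveyou"]

# Constructed credential list in the "email:password" shape described above (not real data).
CREDENTIAL_LIST = [
    "a@example.com:password",
    "b@example.com:qwerty",
    "c@example.com:letmein",
    "d@example.com:Tr0ub4dor&3-rewritten",
]


def sha1_hex(password):
    """Uppercase hex SHA-1, the digest the Pwned Passwords set is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Partition breached hashes by their first five hex characters (the range API's key)."""
    index = defaultdict(set)
    for pw in passwords:
        digest = sha1_hex(pw)
        index[digest[:5]].add(digest[5:])
    return index


def range_lookup(index, prefix):
    """Stand-in for the server's range endpoint: returns every suffix stored under the prefix.

    The server only ever sees a 20-bit prefix, so it cannot tell which of the
    hashes in that bucket (if any) the client is actually checking.
    """
    return index.get(prefix, set())


def is_breached(index, password):
    """Client side: query by prefix, then match the 35-character suffix locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(index, digest[:5])


def overlap(index, credential_lines):
    """Fraction of 'email:password' lines whose password appears in the breached set."""
    hits = 0
    for line in credential_lines:
        _, _, password = line.partition(":")   # split on the first colon only
        hits += is_breached(index, password)
    return hits / len(credential_lines)


if __name__ == "__main__":
    idx = build_range_index(BREACHED_PASSWORDS)
    print(f"breached share of constructed list: {overlap(idx, CREDENTIAL_LIST):.0%}")
```

The same check, run at registration or password change against the real corpus, is how a service keeps the "use different passwords" advice above from depending on users alone: a password that already appears in a breach list is exactly the one a stuffing list will try.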