Brief

Online Retail Threats

Credential Stuffing

Automated attacks

Online credentials have been stolen and compromised for almost as long as the Internet has existed. But in the past decade, the frequency of credential theft has increased and the tools and techniques used by cybercriminals have evolved.

Today, usernames and passwords act as keys to online services that are vital to many aspects of people's lives such as their retail, banking, travel, and insurance accounts. And yet, those accounts are less secure than they have ever been, due to the scale and scope of data breaches on unrelated sites.

Theft of user credentials has ramped up significantly for a number of reasons. First, users are reusing the same usernames and passwords across multiple sites. Second, automated tools can take stolen credentials and test them on other sites at a massive scale. And third - and perhaps most important - many customers have high value assets, from PII to loyalty points to stored credit cards and gift cards, that are extremely lucrative targets for cyberattacks.

Credential stuffing, first recognized in 2011, is now the single largest source of account takeover and automated fraud on most online services. It’s the large-scale, automated testing of stolen usernames and passwords against a range of online sites. What’s particularly challenging is that this threat doesn’t exploit an accidental vulnerability in an application. Instead, it exploits intended functionality - the login form, where anyone who enters the right credentials gains access to an account, its data and its privileges. The other challenge is that your site may not have been compromised at all: usernames and passwords stolen from another site are being tested against your site to gain access. This means there isn’t a simple “defect” to fix or patch to issue. Instead, defending a login application against automation and the exploitation of spilled credentials is a much more difficult and complex challenge, extending into user behavior (password reuse) and poor security practices at third-party sites.

But first, the credential spill

A credential spill occurs when user credential data, such as usernames and passwords, is stolen from an organization or its users. “Spill” refers to the fact that stolen credentials do not just affect the company that was originally hacked or breached; they are now available for use in attacking any other website or mobile application.

The problem was with other websites. Our customers reuse the same passwords across multiple sites. When other sites get breached, fraudsters use those spilled credentials to hijack my customers’ accounts.

Account checkers: Cybercriminals engaged in mass-compromise of accounts, such as those who sell accounts on the Slilpp marketplace, likely employ customized multi-site account checkers that are constantly updated to circumvent new defenses put in place by target organizations. Account checkers run leaked credentials against online customer accounts. In some cases, we identified a spike in the number of a specific organization’s accounts available for sale by individual sellers, then a temporary lull in the number of accounts added, followed by another spike of the same accounts from the same seller. This suggests that as retailers may modify or enhance their customer account security, criminals using account checkers experience temporary lulls in inventory as they update their tools to circumvent the new defensive measures.

Note that the industries targeted for credential spills, such as gaming, are often different from the industries then targeted with the stolen credentials. Retail is a popular target.

Why retail is a popular target

Credential stuffing against retail web properties is especially lucrative, for a number of reasons.

90% of login traffic on many of the largest retail websites is automated

First, retail websites are designed to cause as little friction for customers as possible, so security is often sacrificed for user experience. For example, in a crime-free world retailers would prefer to dispense with CAPTCHAs, two-factor authentication, and excessive emails or texts confirming every change to an account. In fact, many retail sites keep users logged in to make “continue shopping” even easier. In contrast, financial services providers, for example, never allow this to happen, automatically logging a user off after 10-15 minutes of inactivity.

Second, attacking retail websites can also be lucrative because there are typically more opportunities to monetize illicit account access than in any other vertical. Attackers can steal personal data, exploit saved credit cards and gift cards, or sell the whole account on the Dark Web for use by criminal organizations. Automated attacks against retailers can also facilitate more traditional offline fraud such as return fraud or the theft of goods.

How to spot a Credential Stuffing attack

Most retailers have no visibility into, or even awareness of, the volume of automated login traffic they are experiencing from credential stuffing attacks.

As we said, credential stuffing attacks appear as legitimate requests to the security controls in place on most applications. Since real user credentials are being used, these types of attacks do not need to use brute force techniques to attempt to guess passwords. Instead, they just need to “behave” the way a legitimate user would, providing their own credentials. So when the process is fully automated, credential stuffing attacks can achieve incredible scale and efficiency.

What a detection solution will see is that a vast majority of traffic is actually automated, coming from cybercriminals testing stolen credentials rather than from the site’s legitimate users accessing their accounts in a manual fashion.
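The traffic shape described above (many different stolen usernames tried from one source, almost all of them failing) is something a defender can check for directly in login logs. The following is an added example, not code from the Shape Security brief or from Shape's product: it parses constructed login events in an assumed "<timestamp> <source IP> <username> <OK|FAIL>" format, aggregates per source, and flags sources that cycle through many usernames with a failure rate far above what a real customer mistyping their own password produces. The thresholds and the sample data are illustrative assumptions.

```python
"""Heuristic credential-stuffing triage over login logs (added example).

Assumed log format: "<ISO8601 timestamp> <source IP> <username> <OK|FAIL>",
one login attempt per line. Thresholds are illustrative assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple


@dataclass
class LoginEvent:
    ts: datetime
    src_ip: str
    username: str
    success: bool


@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    usernames: Set[str] = field(default_factory=set)

    @property
    def distinct_users(self) -> int:
        return len(self.usernames)

    @property
    def success_rate(self) -> float:
        return self.successes / self.attempts if self.attempts else 0.0

    @property
    def failure_rate(self) -> float:
        return 1.0 - self.success_rate


def parse_line(line: str) -> LoginEvent:
    """Parse one log line in the assumed four-field format."""
    ts, src_ip, username, result = line.split()
    return LoginEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                      src_ip, username, result == "OK")


def summarize(events: Iterable[LoginEvent]) -> Dict[str, SourceStats]:
    """Aggregate attempts, successes and distinct usernames per source IP."""
    stats: Dict[str, SourceStats] = {}
    for ev in events:
        s = stats.setdefault(ev.src_ip, SourceStats())
        s.attempts += 1
        s.successes += int(ev.success)
        s.usernames.add(ev.username)
    return stats


def flag_stuffing_sources(stats: Dict[str, SourceStats],
                          min_distinct_users: int = 20,
                          min_failure_rate: float = 0.9) -> List[str]:
    """A human retries one or two accounts of their own; a stuffing tool cycles
    through many stolen usernames and fails almost every time (the brief cites
    0.1%-2% success). Flag sources whose traffic has that shape."""
    return sorted(ip for ip, s in stats.items()
                  if s.distinct_users >= min_distinct_users
                  and s.failure_rate >= min_failure_rate)


def automated_share(stats: Dict[str, SourceStats], flagged: List[str]) -> float:
    """Fraction of all login attempts that came from flagged sources."""
    total = sum(s.attempts for s in stats.values())
    return sum(stats[ip].attempts for ip in flagged) / total if total else 0.0


# Constructed sample data: a handful of real customers logging in normally.
LEGIT_LINES = [
    "2019-03-01T10:00:01Z 203.0.113.10 alice OK",
    "2019-03-01T10:00:04Z 198.51.100.7 bob FAIL",
    "2019-03-01T10:00:09Z 198.51.100.7 bob OK",
    "2019-03-01T10:00:15Z 203.0.113.22 carol OK",
    "2019-03-01T10:01:30Z 203.0.113.10 alice OK",
    "2019-03-01T10:02:00Z 198.51.100.9 dave OK",
]


def stuffing_burst(src_ip: str = "192.0.2.50", count: int = 200,
                   hits: Tuple[str, ...] = ("user017", "user142")) -> List[str]:
    """Constructed burst: one attempt per second from a single source against a
    different username each time, with two hits (a 1% success rate)."""
    start = datetime(2019, 3, 1, 10, 0, 0)
    lines = []
    for i in range(count):
        user = f"user{i:03d}"
        ts = (start + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} {src_ip} {user} {'OK' if user in hits else 'FAIL'}")
    return lines


SAMPLE_LINES = LEGIT_LINES + stuffing_burst()


def triage(lines: Iterable[str]):
    """Return per-source stats, flagged sources, and the automated traffic share."""
    stats = summarize(parse_line(line) for line in lines)
    flagged = flag_stuffing_sources(stats)
    return stats, flagged, automated_share(stats, flagged)


if __name__ == "__main__":
    stats, flagged, share = triage(SAMPLE_LINES)
    for ip in flagged:
        s = stats[ip]
        print(f"{ip}: {s.attempts} attempts, {s.distinct_users} usernames, "
              f"success rate {s.success_rate:.1%}")
    print(f"share of login traffic from flagged sources: {share:.1%}")
```

On the constructed data the single flagged source accounts for about 97% of all login attempts while producing only two successful logins, which is the picture the brief describes: the login endpoint sees valid-looking requests, and only aggregation across sources reveals that most of them are automated. In production the same counters would be kept per source over a sliding window, and a real deployment would add further signals (rotating source addresses, client fingerprint reuse, request timing) since attackers spread attempts across many IPs once per-IP counting is in place.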

  • Credential stuffing is now responsible for more than 99% of all retail account takeovers (ATOs).
  • Shape observes over 90% of login requests on many of the world’s largest web and mobile applications coming from credential stuffing.
  • Shape observes typical success rates of 0.1% to 2% when stolen credentials from one site are used by cybercriminals to log into and take over accounts on other sites.
  • Shape regularly detects Sentry MBA in particular being used for attacks against nearly every customer in every industry.
