Credential Stuffing Attack Threatening Apple

Back in March, a group of hackers calling themselves the “Turkish Crime Family” demanded that Apple pay them $75,000.  If Apple refused to pay, they said they would use a database of hundreds of millions of stolen user credentials to reset iPhones to factory settings, which would essentially wipe out everything on a user's phone.

There seem to be some doubts about the legitimacy of this claim, based on some inconsistencies.  On March 21, the hacker group announced on Twitter that it would wipe 200 million Apple accounts, but later that day the number jumped to 300 million, and then to 559 million.  Either way, it's something that needs to be taken seriously.

It's not likely that a giant like Apple would actually pay such a ransom.  Data breach expert Troy Hunt, of Apple, said he thinks there are only about 53,000 breached accounts, and that the majority of those are no longer vulnerable.

Why is Credential Stuffing so serious?

The key thing to keep in mind here is the threat of Credential Stuffing, which we referenced in our previous article back in January –  “Credential Stuffing Is No Joke, Especially After Last Year.”

Sure, if a hacker were to manually test 200 million username and password combinations, they would probably be in their grave (and/or hell) by the time they finished.  With automation, however, this can be done in no time at all.

In a Credential Stuffing attack, a hacker writes an automated script that throws 10,000 combinations at a time against a login page.  Not only is this easy and simple for them to do, but it's a nasty load on your infrastructure and API endpoints.  Even though less than 1% of black market credentials work, if you have a list of 200 million, chances are good that some of them eventually will.  If they do get in, then you're really up shit's creek.  If a hacker is launching this type of attack, there is usually something of high value to gain on the other side: they could steal PII, banking information or payment cardholder data, or just completely wipe an account clean, as in the iPhone threat.

It's very easy for these hacker groups to get their hands on tools to run these attacks.  Many of them are custom built, and off-the-shelf tools such as Sentry MBA already exist.

[Figure: The Sentry MBA tool used to conduct a credential stuffing attack]

According to the Distil Networks 2017 Bad Bot Report, “96% of login pages and 82% of signup pages were hit with bad bots.”  In addition, “90% of sites with login pages had bad bots traversing web pages behind those login pages like payment portals.”

How to protect against Credential Stuffing attacks

There are a variety of ways to protect against these types of attacks.  For example, Facebook's approach is to buy black market credentials and search them for matches against its own users' accounts.  If they find any, they notify those users of the breach.

Another approach is to analyze the data your security systems already collect, such as log data and your SIEM infrastructure, and look for patterns in behavior so you can take action in the future.
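As an added illustration of that log-analysis approach (example code written for this post, not code from the original article or from any vendor product), the script below scans constructed JSON login records for the signature of credential stuffing: one source, many distinct usernames, and a failure rate near 100%. The log field names, thresholds and sample values are assumptions.

```python
# Added example: flag credential-stuffing sources in login logs. The JSON fields
# ts/src_ip/user/status and the thresholds below are assumptions, not from the article.
import json
from collections import defaultdict

WINDOW_SECONDS = 600       # sliding window of 10 minutes per source IP
MIN_ATTEMPTS = 50          # volume one client must reach inside the window
MIN_DISTINCT_USERS = 20    # stuffing cycles many accounts; a brute force hammers one
MAX_SUCCESS_RATE = 0.02    # only ~1% of black-market credentials still work

def parse_lines(lines):
    """Parse JSON log lines into (ts, ip, user, status); malformed lines are skipped."""
    events = []
    for line in lines:
        try:
            e = json.loads(line)
            events.append((int(e["ts"]), e["src_ip"], e["user"], int(e["status"])))
        except (ValueError, KeyError, TypeError):
            continue
    return events

def find_stuffing_sources(events):
    """Return {ip: stats} for sources whose window crosses all three thresholds at once."""
    by_ip = defaultdict(list)
    for ts, ip, user, status in events:
        by_ip[ip].append((ts, user, status))
    flagged = {}
    for ip, attempts in by_ip.items():
        window = []
        for ts, user, status in sorted(attempts):
            window.append((ts, user, status))
            window = [w for w in window if ts - w[0] <= WINDOW_SECONDS]  # drop stale
            users = {w[1] for w in window}
            rate = sum(1 for w in window if w[2] == 200) / len(window)
            if (len(window) >= MIN_ATTEMPTS and len(users) >= MIN_DISTINCT_USERS
                    and rate <= MAX_SUCCESS_RATE):
                flagged[ip] = {"attempts": len(window), "distinct_users": len(users),
                               "success_rate": round(rate, 4)}
                break  # one verdict per source is enough
    return flagged

def sample_log():
    """Constructed sample: a stuffing client cycling 60 accounts, plus one normal user."""
    rec = lambda ts, ip, user, st: json.dumps({"ts": ts, "src_ip": ip, "user": user, "status": st})
    stuffer = [rec(1000 + i * 5, "203.0.113.7", f"user{i}@example.com", 200 if i == 59 else 401)
               for i in range(60)]
    normal = [rec(1000 + i * 30, "198.51.100.2", "alice@example.com", 401 if i < 2 else 200)
              for i in range(3)]
    return stuffer + normal + ["not json"]
```

Run on the constructed sample, only the 203.0.113.7 client is flagged; the user who mistypes a password twice and then succeeds never comes near the thresholds, which is the distinction a SIEM rule needs to make.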

Two-factor authentication is another common approach, and it's being adopted by a lot of financial institutions.  If the first layer is cracked with a username and password, the second layer kicks in by sending a one-time password to the user's phone or alternate email.  The issue with 2FA is that it creates a poor user experience, particularly on websites where users log in frequently.

The best way to fend off Credential Stuffing attacks is to use a robust bot detection solution that analyzes and fingerprints each request to your website. 
