How to protect against growing credential stuffing attacks

Security Fridays Week 22 – Basic rules for reducing individual exposure to attack online.

As remote work becomes even more available to us under Covid-19 work programs, we find ourselves depending on many SaaS providers – more than ever before. Everything from conferencing apps to cloud storage, online banking and many more. Things that we used to do in-person has suddenly shifted. This now includes most of our favorite restaurants and eateries and you can see from this most recent breach.

As users of this new SaaS world, we rely heavily on the provider of these services to make sure we’re safe and because we’re humans we don’t like to do more work when doing less seems to get the job done. This is a classic case of credential stuffing, a technique that’s been around for ages and is still a leader in cyber-security breaches. There was a time when hackers (like graffiti artists) did it for the fame in closed circles of peers, but that’s no longer as much of the case as it once was. Remember what I’ve said in the past; there are different types of hackers, but generally there are two reasons; money and money. They will either breach the company to steal documents or lists that they can sell, or they will breach you personally to gain access to your accounts.

The credentials stuffing below amounts to nothing but a bit of mischief for some teen-aged kids, but this exposes something that you may have missed. Here’s what’s really happening;

The creation of more and more online point of sale solutions

“Reports in UK media revealed that multiple customers of the peri-peri chicken chain have had their accounts compromised. Due to COVID-19 restrictions, customers must now scan a QR code in store and order online to get their food.” New point of sale solutions have been popping up all over, forcing customers that may have paid in cash or card to now create online accounts. The sheer number of these accounts is staggering. Take me for example, as of the time of this writing, I currently have a whopping 149 active online accounts from everywhere I normally do business. Utility bills, social media, banking, education, healthcare and more.

People using the same email and password across multiple SaaS accounts, like Facebook, Twitter, Microsoft Office 365 and more.

“However, that has left the door open to attackers trying previously breached log-ins from other sites to hijack their accounts, when those credentials are reused by the victims.” As I’ve noted in several previous articles, credential stuffing is the process in which an attacker gets possession of a list of credentials from one breach and figures the credentials could be the same for other sites. For example, your facebook.com and twitter.com passwords are probably the same. Even if the list is older, say a year old – it’s still likely that the vast majority of the people on the list have never changed their passwords.

The risk to reward is quite high for most as well. Writing a short script to read from a spreadsheet and insert credentials to a web page checking for ones that work is pretty widely available. In this case, the attack was limited to some spicy chicken, thank goodness.

Here’s what you didn’t see

The attack was executed so poorly, that they failed to even hide their identity. It’s a rookie mistake and indicates the immaturity of the youths. How in the world did a set of teen aged kids get their hands on a credential dump list and where did they learn how to stuff credentials. It’s an indication that the tools and things are being circulated in much less technical circles and we’re now exposed to a much broader set of potential attackers.

Here are some basic rules for reducing your exposure to attack

While no solution is 100% fool-proof, there are things we can do to reduce our individual attack footprint. Most of this revolves around personal care for credentials. Follow some of these basic rules wherever possible;

• Try not to use the same password for every account, if you can. It’s hard, use an identity management platform or password manager if you need to. There are many to choose from.
• Respond to breach notifications with caution. Part of the attack pattern is for hackers is to send emails indicating that you’ve been hacked, prompting you to change your password when in fact, you have not been breached and you’re not really changing your password – you just gave it to them.
• If a SaaS provider you work with does in fact have a confirmed breach and you are notified, respond by double checking and then reset your credentials.
• Make sure to follow the basic guidelines and change your passwords a couple of times a year.
• Examine and report any irregularities immediately to your service provider.

Following those basic rules will put you in the best position. Awareness is sometimes key to making sure you are safe.

Read the article that was analysed here: https://www.infosecurity-magazine.com/news/nandos-customers-hit-credential/

Category: Industry News

2FA / Customer Experience / Data Security Awareness / MFA

Michael Urgero, Pre-Sales Consultant

Senior subject matter expert with almost 30 years in the field. Deep knowledge in the areas of networking, security and data centre transformation. A respected leader and trusted advisor from bench-tech to boardroom.