Job losses aren’t the only dark side of automation. Account takeovers powered by credential stuffing are fast becoming the new black for cyber attackers hitting government.
As a wave of cloud-powered automation sweeps across industry and government services, opportunistic miscreants around the world are learning how to harness the power of increasingly cheap machine learning to grind away at online security.
In days gone by a strong, randomised passcode used to be the first line of defence against so-called ‘brute force’ attacks used to crack open and take control of sensitive accounts.
And while they’re still an essential primary defence, the rules of network defence and attack countermeasures are again shifting very quickly.
That’s because of the increasingly cheap availability of unsecured consumer devices remotely hijacked and pressganged into roboticised miscreant machine armies: or ‘bots’.
The upshot is ‘credential stuffing’: the automated craft of stealing and linking keys to take over personal, workplace and commercial accounts. Make no mistake, it’s a growth industry.
Bots on the march
Those charged with safeguarding the internet and government networks have detected a disturbingly sharp escalation in precursor behaviour on networks that indicates credential targeting is in full swing.
The latest edition of the State of the Internet / Security report released by the world's largest and most trusted cloud platform, Akamai, assessed that more than 40% of login attempts are now malicious or hostile.
“While analysing more than 7.3 trillion bot requests per month, we found a sharp increase in the threat of credential abuse,” the report said, also noting that distributed denial of service (DDoS) attacks have remained a persistent threat, with the now infamous Mirai botnet still capable of strong bursts of activity.
Here’s how it works…
As the Internet of Things (IoT) proliferates, everything from online movie boxes in the lounge room to routers and cheap home security systems are increasingly being hijacked to smartly grind away at interlinked security credentials.
Your washing machine sends you an alert to say that it's done, or your bike computer tells you it needs a battery recharge. Let's face it. Nobody with an active life has the time or forbearance to lock down rudimentary labour saving devices.
So as they proliferate exponentially, so do the number of interlinked compromised devices in the IoT ecosystem that can be used to smartly chip away at other identity credentials of higher value for a much bigger return.
We used to think of ‘brute forcing’ as a simplistic technique reliant on limited attack vectors for a relatively short timeframe. But what’s changed in that typology is that the distribution — across time, device and location — is no longer limited or immediately apparent.
The daily grind
Key web infrastructure guardians, like Akamai's Director of Security Technology and Strategy, Patrick Sullivan, are frank about where the automation juggernaut is headed in terms of personal credentials and the escalation of threats now occurring.
Put simply, the combined commoditisation of cloud and automation is quickly reducing the barrier of effort needed to bust open accounts by crooks, spies and miscreants. That’s the fuel for credential stuffing.
“Automation is a key part of almost every attacker’s toolkit these days,” Sullivan says.
By Akamai’s estimates, the proportion of roboticised traffic going to websites today is somewhere between 30% and 40% and creeping towards the halfway mark.
But here's the kicker: the share of bot traffic directed at sensitive areas like log-ins and access control jumps to around two thirds of requests.
“It's coming from a bot as part of an attack. They're trying to take over somebody's account,” Sullivan says. “We call that credential stuffing. It's the first phase of an account takeover attack.”
There’s a real and hard cost too. According to the Ponemon Institute, credential stuffing attacks can cost businesses as much as US$2.7 million on an annual basis.
Stuffing: the golden goose
Cast your mind to the persistence of large (and small) data breaches that have now become endemic and it’s not difficult to appreciate how data “spilled” from compromises is quickly weaponised at a mass market scale.
“It could be a large mail provider, it could be a dating site, it really doesn’t matter, as long as there are credentials,” Sullivan observes. “They just retry those across logins that are exposed to the public Internet.”
Sullivan asserts that bots now just keep hitting log-in interfaces until something gives. Nothing really new there — but what’s changed is the distribution patterns used to evade detection.
Insecurity by numbers
In a similar technique to high frequency and algorithmic trading on legitimate markets, stabs at credential compromises are chopped up and sprayed from anywhere and everywhere to obfuscate their actual source.
It’s a numbers game and the agile mantra of ‘cheaper, better, faster’ doesn’t just apply to the good guys.
“They’ll get low single-digit percentage point success, but once that credential stuffing is successful, the attacker may outsource the monetisation phase to another group, or they may run that full account takeover attack themselves,” Sullivan says.
The typology looks like this.
On a typical day, Akamai monitors more than 2,750 bot requests per second, which accounts for more than 30% of all pure web traffic (excluding video streaming) across its platform. Of the 17 billion login requests tracked through the Akamai platform in November 2017 and December 2017, almost half (43%) were used for credential abuse.
So while most traffic is legitimate (for the time being) the botnets usually responsible for launching DDoS attacks are also being used to abuse stolen login credentials.
Martin McKeay, senior security advocate and senior editor of the State of the Internet / Security report says that “increased automation and data mining have caused a massive flood of bot traffic to impact websites and Internet services.”
In terms of scale and raw power it means hostile actors now manipulate the powerful volume of bots for nefarious gains, McKeay says.
“Enterprises need to watch who is accessing their sites to differentiate actual humans from both legitimate and malicious bots. Not all web traffic and not all bots are created equal.”
An established security parameter for government and industry to date has been internet protocol (IP) address blocking or geo-blocking. Kiss goodbye to that.
Automation is now blended with crooked, if basic, machine learning. What’s powering that is not laptops and desktops and servers — but millions of el-cheapo, unsecured IoT devices open and ready to be unwitting slaves.
For example, security controls based on IP request rate and location can now be fooled, because miscreant access to IoT devices means an onshore attack can be constructed and executed from anywhere.
That has big operational and customer service implications.
Global intelligence, local response
“Just blocking on the IPs that participate in these attacks carries a lot of risks,” Sullivan says. “That's no longer a feasible solution, because you're going to block valid users at the same time.”
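To make that point concrete, here is an added detection sketch (not code from the article or from Akamai) run over constructed sample login records: a per-IP failure threshold never fires because the attempts are spread across many sources, while per-account distinct-IP counts and the endpoint-wide failure ratio flag the campaign. The log format, function names and thresholds are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample log, one login attempt per line:
# "<epoch_seconds> <source_ip> <username> <ok|fail>"
# Each source IP appears only once, so no single IP looks noisy.
SAMPLE_LOG = """\
1700000000 203.0.113.10 bob fail
1700000003 203.0.113.11 bob fail
1700000005 198.51.100.7 carol fail
1700000009 203.0.113.12 bob fail
1700000012 198.51.100.8 carol fail
1700000015 192.0.2.44 bob fail
1700000018 192.0.2.45 carol fail
1700000020 203.0.113.13 dave fail
1700000025 10.0.0.5 alice ok
1700000030 198.51.100.9 carol fail
"""

def parse(text):
    """Turn the raw log into (timestamp, ip, user, succeeded) tuples."""
    rows = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        rows.append((int(ts), ip, user, result == "ok"))
    return rows

def per_ip_rate_limit(rows, max_failures=5):
    """The classic control: block a source once it fails too often.
    Returns the set of IPs that would be blocked."""
    fails = Counter(ip for _, ip, _, ok in rows if not ok)
    return {ip for ip, n in fails.items() if n >= max_failures}

def distributed_stuffing_signals(rows, min_distinct_ips=3, max_fail_ratio=0.5):
    """Aggregate signals that survive IP distribution: how many distinct
    IPs fail against one account, and the failure ratio across the whole
    login endpoint. Both stay visible however thinly the bots are spread."""
    ips_per_user = defaultdict(set)
    for _, ip, user, ok in rows:
        if not ok:
            ips_per_user[user].add(ip)
    targeted = {u: len(s) for u, s in ips_per_user.items() if len(s) >= min_distinct_ips}
    fail_ratio = sum(1 for r in rows if not r[3]) / len(rows)
    return {"targeted_accounts": targeted,
            "fail_ratio": round(fail_ratio, 2),
            "endpoint_under_attack": fail_ratio > max_fail_ratio}
```

On the sample, `per_ip_rate_limit` blocks nothing, while `distributed_stuffing_signals` reports bob and carol each targeted from four IPs and a 90% failure ratio on the endpoint.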
Sullivan is candid in his assessment that there is no silver bullet or turnkey solution to the shifting security landscape. This said, he observes that any government agency involved with the distribution or collection of money is in the same boat as banks or other holders of higher-value financial credentials.
And the more sensitive the data, the higher the premium, especially as digital government takes hold.
Good security intelligence has a price; the costs of insecurity are yet to be determined.