Skip to main content
close search
site logo

Security experts overlook attacker-favored credential stuffing

With an endless cycle of breaches, hackers have a large pool of exposed credentials to throw at websites, increasing their probability of success.

Published Sept. 30, 2020
Samantha Schwartz's headshot
Samantha Schwartz Reporter
An illustration of cyber security, showing a padlock over a circuit board.
Getty

Credential stuffing is a stepping stone to more substantial cyberattacks with lagging repercussions that impact supply chain or inventory. As cybercriminals' financial motives grow, so does the scale of their attacks. 

"If a bunch of bots want to log into a bunch of accounts and do nothing else, that's not really a business problem," said Zane Lackey, co-founder and CISO at Signal Sciences and former director of Security Engineering at Etsy, while speaking at the virtual Forrester Security and Risk Global 2020 conference last week. Security professionals can take credential stuffing for granted; if the business doesn't act on the initial issue, greater calamity is inevitable. 

"That's the purpose of the bot" — to scale an attack to an infinite amount, said Russell Handorf, principal threat intelligence hacker at White Op and former computer scientist with the FBI, while speaking on the panel. 

Handorf showed attendees an automated credential stuffing attack where attackers pooled two types of information — one from public resources and the other from public credential leaks — to better their chances of intrusion. Because breaches happen every day, hackers have a constant pool of exposed data to use. From there, hackers leverage the exposed credentials and throw them at websites, testing the probability of success. 

Financially-motivated hackers and bot attacks are typically understood, but "it's really different to actually see that firsthand," said Lackey. 

During a cyberattack launched against Etsy, Lackey had a front-row seat to how a credential stuffing attack plays out. In one case, hackers were attempting to carry out an account takeover attack, which looked like the appetizer to a larger attack, because after logging in they made no further actions, said Lackey. 

While Lackey's security organization knew the hackers planned to sit idly in Etsy's systems, "we got to see this really interesting thing where the attacker had misconfigured their attack tool chain." The hacker's mistake meant Etsy could see "all of the output from not only the attack tools that they were running against us but for running against everyone." 

After the incident, Lackey learned he could follow where the hacker was successful on a site or service, and "that's where they went and doubled down," said Lackey. The hackers never really pursued targets with "mixed results" in terms of success, they stuck to the ones with guaranteed returns.

Advertisers be warned 

In attacks where hackers generate user accounts targeting a company's online and physical inventory for legitimate customers, "it hurts them physically at the end of the day, because they're not able to sell and move product," said Handorf. 

Hackers can use "the platform [they're] working against to move money out of some other platform," said Lackey. For example, hackers often abuse two-sided marketplaces for money laundering. With stolen payment information and an automated bot army, cybercriminals can attempt to buy fraudulent goods, and test the legitimacy of the payment information. 

The marketing industry is particularly susceptible to bots. If sudden spikes in sales or campaign traffic appear at the onset of its launch, the activity likely doesn't pass "the sniff test," said Joanna O'Connell, VP and principal analyst at Forrester, while speaking on the panel.

"Did I find the magical unicorn solution to advertising? Or is something problematic going on?" asked O'Connell. Bot disruption in advertising is equivalent to lost money. Security, a business practice often left outside of general business strategy, has to fight to find its way into the conversation. 

"If we're all being honest, and for any practitioners on the line here, the reality is the first time this happens, it always gets bundled up in the business after the fact," said Lackey. 

In the case of bots interfering with marketing campaigns, the first time security is usually included in a conversation is after a successful attack, said Lackey. That's the first time the security organization connects with "parts of the business that didn't realize they could really get attacked like this." 

The security organization can teach different business units to detect early indications of malicious activity. The "see something, say something" protocol of security is something that global organizations need to mandate throughout their offices, said Lackey. "The fire alarm is there for a reason. If there really is something on fire, and you pull it, you're not going to get yelled at." 

Bots attacking advertisers and marketing agencies is forcing the industry to be more technologically inclined. Brands are saying, "I want to go out and decide on my technology stack myself, I want to own the contract, I want to build in auditing rights, I want to have full transparency into fees," said O'Connell. All of these processes require brand safety and security.

Filed Under: Security

Editors' picks

Company Announcements

View all | Post a press release
New Research Reveals AI's Impact on IT's Power, Status, and Pay
From 1E
November 21, 2024
PointFive is Apparently the Hottest Cloud Startup, Here is Why
From Jordan Mitchell
November 21, 2024
Viz.ai Wins Prestigious Prix Galien USA Award for Best Digital Health Solution
From Viz.ai
November 12, 2024
Newgen and Fadata Join Forces to Optimize Insurance Content Management
From Newgen Software
November 13, 2024
Editors' picks
Latest in Security
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell