Credential Spills Fuel Account Takeover Threats

"Credential stuffing attacks burden an IT, security, fraud and customer service department in different ways."

The U.S. consumer banking industry faces nearly $50 million per day in potential losses from credential stuffing attacks, according to the 2018 Credential Spill Report from Mountain View, Calif.-based Shape Security.

“Criminals harvest credentials from data breaches and then test them on every website and mobile app imaginable. A small subset of those credentials unlocks accounts because most consumers reuse passwords across multiple sites,” the report revealed. Criminals then tap those for different types of fraud from unauthorized bank transfers to illicit purchases.
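The pattern the report describes, one source replaying spilled username/password pairs against many different accounts, has a recognisable footprint in a login log: many distinct usernames from one client with a high failure rate, which is unlike a brute force against a single account or a legitimate user mistyping a password. The following detector is an added example written for this article, not code from Shape Security or the report; the log format, IP addresses, usernames and thresholds are all constructed for illustration, and the successful hits it reports are the "small subset" of reused passwords that a defender would prioritise for forced resets or step-up authentication.

```python
"""Flag credential-stuffing sources in web-application login logs.

Added example, not code from the Shape Security report or this article.
The log lines, IP addresses, usernames and thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple
import re

# Constructed sample: one stuffing source (203.0.113.10), one normal user
# retrying a mistyped password (198.51.100.7), one single-account brute
# force (192.0.2.5) and one malformed line the parser must skip.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z ip=203.0.113.10 user=alice result=FAIL
2024-03-01T10:00:02Z ip=203.0.113.10 user=bob result=FAIL
2024-03-01T10:00:03Z ip=203.0.113.10 user=carol result=FAIL
2024-03-01T10:00:04Z ip=203.0.113.10 user=dave result=SUCCESS
2024-03-01T10:00:05Z ip=203.0.113.10 user=eve result=FAIL
2024-03-01T10:00:06Z ip=203.0.113.10 user=fred result=FAIL
2024-03-01T10:00:07Z ip=203.0.113.10 user=gina result=FAIL
2024-03-01T10:00:08Z ip=203.0.113.10 user=hank result=FAIL
2024-03-01T10:00:09Z ip=198.51.100.7 user=erin result=FAIL
2024-03-01T10:00:15Z ip=198.51.100.7 user=erin result=FAIL
2024-03-01T10:00:22Z ip=198.51.100.7 user=erin result=SUCCESS
2024-03-01T10:01:01Z ip=192.0.2.5 user=frank result=FAIL
2024-03-01T10:01:02Z ip=192.0.2.5 user=frank result=FAIL
2024-03-01T10:01:03Z ip=192.0.2.5 user=frank result=FAIL
2024-03-01T10:01:04Z ip=192.0.2.5 user=frank result=FAIL
2024-03-01T10:01:05Z ip=192.0.2.5 user=frank result=FAIL
2024-03-01T10:01:06Z ip=192.0.2.5 user=frank result=FAIL
this line is malformed and should be skipped
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>SUCCESS|FAIL)\b")


def parse_line(line: str) -> Optional[Tuple[str, str, bool]]:
    """Return (ip, user, succeeded) for a well-formed line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("user"), m.group("result") == "SUCCESS"


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: Set[str] = field(default_factory=set)
    succeeded_users: Set[str] = field(default_factory=set)


def aggregate(log_text: str) -> Dict[str, SourceStats]:
    """Group login attempts by client IP, skipping unparseable lines."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, user, ok = parsed
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.succeeded_users.add(user)
        else:
            s.failures += 1
    return dict(stats)


def detect_stuffing(log_text: str, min_attempts: int = 5,
                    min_distinct_users: int = 5,
                    min_fail_ratio: float = 0.75) -> Dict[str, dict]:
    """Flag sources that spray many distinct accounts with mostly failures.

    A single-account brute force never reaches min_distinct_users, and a
    user retrying their own password never reaches min_attempts, so only
    the stuffing pattern is reported. Thresholds are illustrative.
    """
    flagged: Dict[str, dict] = {}
    for ip, s in aggregate(log_text).items():
        if s.attempts < min_attempts or len(s.users) < min_distinct_users:
            continue
        ratio = s.failures / s.attempts
        if ratio < min_fail_ratio:
            continue
        flagged[ip] = {
            "attempts": s.attempts,
            "distinct_users": len(s.users),
            "fail_ratio": round(ratio, 3),
            # Accounts that accepted a spilled password: reset these first.
            "succeeded_users": sorted(s.succeeded_users),
        }
    return flagged


if __name__ == "__main__":
    for ip, evidence in detect_stuffing(SAMPLE_LOG).items():
        print(ip, evidence)
```

On the constructed sample only 203.0.113.10 is flagged, with one compromised account (dave) listed for follow-up; the brute-force source and the retrying user fall outside the rule by design. In production the same aggregation would be keyed on a per-window basis and on more than the client IP (device fingerprint, ASN, user agent), since the report notes that attackers distribute their attempts precisely to avoid per-IP thresholds like this one.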

In 2017, 51 different organizations had more than 2.3 billion credentials compromised, according to the Credential Spill Report, which dove into how criminals stole, weaponized and turned compromised data into profits.

“The number and frequency of spills has remained remarkably consistent over two years,” the report noted. In 2016, there were 52 reported spills; in 2017, there were 51. While the number of spills reported remained consistent, the size of spills reported was smaller in 2017. The median spill size in 2016 was 2.8 million while it was just under 1 million in 2017.

While web forums were the most frequent targets, the report disclosed the organizations criminals source credentials from are very different from the ones that they use those credentials against. Attackers mainly source credentials from the easiest targets and then weaponize them against the highest-value targets, such as financial, retail, travel, and telecom companies.

Shape Security acknowledged the longer the period between a credential spill and its discovery, the more time criminals can stealthily use those credentials. Roughly two-thirds of organizations reporting spills in 2017 traced back the original date of the compromise. Half of all credential spills were discovered and reported within the first four months of the compromise. It took an average of 15 months to discover a credential spill and report it.

In total, Shape observed attackers targeted 363,000 bank accounts, or about 4,000 accounts per day. The firm also noticed five separate attack groups performing credential stuffing attacks on one Top 5 U.S. bank’s mobile app over the course of two weeks.

The most prominent industries targeted by credential stuffing attacks: airline (60%), consumer banking (58%), hotel (44%), and retail (91%). However, online banking applications are the most lucrative target for cybercriminals, with the median U.S. savings or checking account holding $3,000-$5,000.

Because banks are such attractive targets, Shape observed attackers taking extreme measures to bypass banks’ application defenses, the report added. These methods include exploitation of aggregators, which Shape observed are not as heavily scrutinized, and circumventing banking security by targeting cell phone carriers’ login apps.

Shape identified several methods by which attackers can monetize a taken-over financial account:

Shape Security suggested two main obstacles to conquering credential stuffing. The first is organizational: “Credential stuffing attacks burden an IT, security, fraud, and customer service department in different ways. When something is everybody’s problem, it’s no one’s problem.” The second is at the industry level: the proposed solution to credential stuffing is to augment or replace passwords with a different authentication system, such as 2FA. However, companies hate introducing additional customer experience friction. Besides, many motivated attackers already bypass those systems.

Shape Security said it protects more than 1.6 billion online accounts from credential stuffing. Its network represents several U.S. industries, including 60% of airlines, 40% of hotels, and 40% of consumer banking.