Credential stuffing is the threat to your business you can't afford to ignore

Ever wonder what it takes to get started in cybercrime? The answer may surprise you.

Credential stuffing is a low-effort cybercrime gambit that offers big payoffs, such as bank account access, tax return information, or the ability to impersonate a high-powered executive. Because people frequently use the same usernames and passwords, cybercriminals can use stolen account credentials from one website to gain access to other websites and apps. 

How credential stuffing attacks work

Billions of active usernames and passwords are available for purchase on the dark web, many for as little as $3.25 each. Online payment logins such as PayPal cost anywhere from $20 to $200, and some come with a money-back guarantee.

After acquiring a list of credentials, the cybercriminal purchases one of half a dozen software apps (average cost $50) that automate login attempts via remote websites. These services may include CAPTCHA bypass and proxies. Experts estimate the cost to get started in the credential stuffing game can be as low as $550.

Botnets do most of the work in a credential stuffing attack, allowing a hacker to simply push a button and wait until the system finds a winning combination. Some bots can target up to 120 websites at once. Credential stuffing attacks are typically "low and slow" to avoid triggering security controls, but they can also be high-volume, similar to a DDoS attack.

Credential stuffing damages your brand reputation

Credential stuffing attacks damage your company’s reputation and can create financial losses due to:

  • Fraudulent purchases and their subsequent resale 
  • GDPR fines and reparations
  • Account takeover and BEC scams

Any company with an authentication process is at risk. Even if your data is secure, your own customers could put you at risk by using the same login credentials across many different sites.

Earlier this year, cybercriminals used stolen credentials to access TurboTax user accounts. Even though the attack utilized data stolen from other companies, it was TurboTax that ended up suffering the consequences in the press.

Many companies resist heightened security measures because of their impact on usability and the web experience. Browser-checking controls are time-consuming and frustrate web visitors, yet 30 percent of companies cannot detect or mitigate credential stuffing attacks — leaving their customers exposed and their business liable for an attack.

Relying on bandwidth limits alone to throttle credential stuffing attacks offers no protection, and out-of-the-box security without customization is like using a Linksys router with the default password. The best way to protect your data and your users is with a sophisticated bot management solution.

How to protect your company from credential stuffing attacks

To protect your company and your customers against credential stuffing and other common attacks, you need more than a single traditional security solution, such as a web application firewall (WAF), between the visitor (real or bot) and your digital property. Stay one step ahead of cybercriminals with a modern bot management service. Here’s what to look for:

  • Browser validation. Leverage intelligence to differentiate humans from even the most sophisticated bots. Instart Bot Management analyzes low-level signals from both the client and server to validate browsers. When an automated environment is detected, Instart prevents this “visitor” from accessing your login or sign-in pages.
  • User validation. Credential stuffing attacks typically show missing or inconsistent user-interaction signals such as mouse movements or touch events. Instart collects user interaction intelligence that makes it easy to differentiate real users from sophisticated bots, and blocks or rate limits bot traffic accordingly.
  • Bot attack response workflow. Credential stuffing attacks will often target website login forms directly, rather than following the browsing paths a real user would. Instart analyzes the path a requester takes to the login form to detect fraudulent behavior.
  • Unified threat intelligence. Reduce false positives and confidently block sophisticated bot attacks using data collected from all of the Instart security services, third-party feeds, and a network of honeypots.
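The following is an added example, not Instart's code, showing how two of the signals described above (whether a client reached the login form by navigating to it first, and how many distinct usernames it tried with what failure rate) can be scored from ordinary login access logs. It also illustrates why the "low and slow" pattern described earlier escapes simple per-minute rate limiting: the spread of usernames is judged over the whole window, so an attempt every few minutes is still caught. The log lines, IP addresses, usernames and thresholds are all constructed for this example.

```python
"""Credential-stuffing indicators scored per client source from login access logs.

Added example (not Instart's code). The log format, thresholds and sample
traffic below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not real traffic):
# timestamp source_ip method path status username ("-" unless it is a login POST).
SAMPLE_LOG = """\
2019-09-01T10:00:01Z 203.0.113.7 GET / 200 -
2019-09-01T10:00:05Z 203.0.113.7 GET /login 200 -
2019-09-01T10:00:19Z 203.0.113.7 POST /login 200 alice
2019-09-01T10:02:00Z 192.0.2.5 GET /login 200 -
2019-09-01T10:02:10Z 192.0.2.5 POST /login 401 dave
2019-09-01T10:02:25Z 192.0.2.5 POST /login 401 dave
2019-09-01T10:02:40Z 192.0.2.5 POST /login 200 dave
2019-09-01T10:01:00Z 198.51.100.9 POST /login 401 bob
2019-09-01T10:07:30Z 198.51.100.9 POST /login 401 carol
2019-09-01T10:13:00Z 198.51.100.9 POST /login 401 erin
2019-09-01T10:19:45Z 198.51.100.9 POST /login 401 frank
2019-09-01T10:26:10Z 198.51.100.9 POST /login 401 grace
2019-09-01T10:33:00Z 198.51.100.9 POST /login 200 heidi
2019-09-01T10:40:20Z 198.51.100.9 POST /login 401 ivan
2019-09-01T10:05:00Z 203.0.113.44 GET /login 200 -
2019-09-01T10:05:03Z 203.0.113.44 POST /login 401 judy
2019-09-01T10:05:05Z 203.0.113.44 POST /login 401 kim
2019-09-01T10:05:07Z 203.0.113.44 POST /login 401 leo
2019-09-01T10:05:09Z 203.0.113.44 POST /login 401 mia
2019-09-01T10:05:11Z 203.0.113.44 POST /login 401 ned
"""


def parse_line(line):
    """Parse one constructed log line; username is None unless it is a login POST."""
    ts, ip, method, path, status, user = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip, "method": method, "path": path,
        "status": int(status),
        "user": None if user == "-" else user,
    }


def score_sources(lines, min_distinct_users=5, min_failure_ratio=0.5):
    """Return {source_ip: verdict} for every source that posted to /login.

    Thresholds are illustrative; tune them against your own baseline of
    legitimate login behaviour before acting on the verdicts.
    """
    by_ip = defaultdict(list)
    for line in lines:
        if line.strip():
            ev = parse_line(line)
            by_ip[ev["ip"]].append(ev)

    verdicts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        attempts = [e for e in events if e["method"] == "POST" and e["path"] == "/login"]
        if not attempts:
            continue  # never tried to log in; nothing to score
        first_attempt = attempts[0]["ts"]
        # Path signal: a real user renders a page (GET) before submitting the form;
        # a stuffing tool tends to post to the login endpoint directly.
        navigated_first = any(e["method"] == "GET" and e["ts"] < first_attempt for e in events)
        # Spread signal: stuffing tries many usernames once each, mostly failing.
        # This separates it from a single user mistyping one password a few times.
        distinct_users = {e["user"] for e in attempts}
        failures = sum(1 for e in attempts if e["status"] == 401)
        failure_ratio = failures / len(attempts)
        # Measured over the whole window, so a slow pace does not hide the spread.
        span_minutes = (attempts[-1]["ts"] - first_attempt).total_seconds() / 60

        reasons = []
        if not navigated_first:
            reasons.append("login POST with no prior page navigation")
        spread = len(distinct_users) >= min_distinct_users and failure_ratio >= min_failure_ratio
        if spread:
            reasons.append(f"{len(distinct_users)} distinct usernames, "
                           f"{failure_ratio:.0%} failures over {span_minutes:.0f} min")
        # Graduated response: both signals -> block; spread alone -> rate limit;
        # a direct POST for one account is not enough on its own.
        if spread and not navigated_first:
            action = "block"
        elif spread:
            action = "rate_limit"
        else:
            action = "allow"
        verdicts[ip] = {
            "action": action, "reasons": reasons,
            "attempts": len(attempts), "distinct_users": len(distinct_users),
            "failure_ratio": round(failure_ratio, 2), "span_minutes": round(span_minutes, 1),
        }
    return verdicts


if __name__ == "__main__":
    for ip, v in score_sources(SAMPLE_LOG.splitlines()).items():
        print(ip, v["action"], "; ".join(v["reasons"]) or "no indicators")
```

In the constructed sample, the source that posts seven different usernames over forty minutes without ever loading a page is blocked, the source that loaded the form but then cycled through five usernames is rate limited, and the user who mistyped one password twice is left alone. A per-minute request threshold would have passed the first source entirely.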

For less than $600, an inexperienced cybercriminal could start using those logins to make fraudulent purchases, impersonate an employee, or create an embarrassing situation for your company. And with more than 1 million logins exfiltrated every day, including credentials your customers may have used on other websites — this is a threat your business can’t afford to ignore.

Protecting your website from automated bot attacks like credential stuffing is only getting harder. Every online customer touchpoint is under attack by automated bots — disrupting traffic, stealing sensitive information, and ruining web experiences.