New tools automate cyber criminals’ attempts to take over corporate accounts

Stolen data, password reuse feed booming ‘credential stuffing’ by hackers


Nearly all of the largest organizations throughout the world had their credentials exposed by cyber criminals last year, a new study has found.

The study, done by London- and San Francisco-based Digital Shadows, which provides clients with information about their external digital risks, determined that 97 percent of the world’s largest 1,000 organizations had credentials exposed.


The credentials are valuable to cyber criminals who “are increasingly turning to credential stuffing tools,” Digital Shadows officials say, to automate account takeover attempts.

How it works

Account takeover occurs when a malicious actor gains access to a user’s account by stealing user name/email and password credentials, often through password dumps, phishing or malware.

The most common targets, the study found, are organizations in the gaming, technology, broadcasting and retail industries, but other businesses are not immune.

Michael Marriott, Digital Shadows research analyst

“The most targeted sites—popular gaming, technology and media websites—were not a huge surprise,” says Michael Marriott, a research analyst at Digital Shadows. “Most surprising was the inclusion of education platforms, which demonstrates that low-level cyber criminals are sometimes after more than just online gaming accounts, retailers and free pizza.”

Digital Shadows’ study, which found more than 30,000 reported instances of credential exposure, found that SentryMBA is the most discussed credential-stuffing tool on criminal forums. It is praised for its ability to defeat anti-fraud measures like blacklists and CAPTCHA controls.

SentryMBA appears to be very effective and has “developed a strong ecosystem around it, with a sea of participants willing to provide configuration files,” Marriott says. “SentryMBA lowers the entry barriers for account takeovers, making it very popular with the less skilled cyber criminal.”

The price to buy credentials depends on “a range of factors, including their freshness and geography of accounts,” Marriott says. “Higher-tier cyber criminals will maximize their activities while the stolen credentials are newly exposed. Once they have completed their campaigns, they will then sell them off.”

Criminals don’t have to spend much

Lower-level cyber criminals “will favor the cheap databases that have been on the market for a few years,” he says. “There are so many credentials publicly available that most actors won’t need to spend a cent.”

The LinkedIn database was offered for sale last year “on a dark web marketplace” for $2,280, Marriott says. But now it can be bought for as low as $4.

“It’s a classic case of supply and demand,” he says. “With well over 3 billion credentials publicly available, it’s no surprise that the price will be pushed down.”

What new credential-stuffing methods might we see in the future?

“As organizations gain awareness of the risk of credential stuffing, tools may look to incorporate new ways to avoid detection,” Marriott says. “You can expect to see the evolution of obfuscation designed to hide the fact that credential-stuffing tools are attempting brute-force logins.”

Organizations must take extra steps

Big companies shouldn’t think that preventing a credential-stuffing attack is a simple task.

“When talking about account takeover, the response often is: ‘It’s easy. Just implement multifactor authentication,’ ” Marriott says. “Well, it’s not that simple. Implementing MFA can cause a lot of friction and is not a silver bullet. There are other things large companies can do. Deploying an inline Web Application Firewall, monitoring for users’ leaked credentials, and increasing user awareness are all sensible measures.”
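One concrete form the "other things" can take is detection on the login logs themselves: a credential-stuffing run shows up as one source cycling through many different usernames with a high failure rate, and the occasional success inside that run marks an account whose reused password was in the dump. The following script is an added example, not code from the article or from Digital Shadows; the log format and the sample lines are constructed for illustration, and the thresholds are assumptions to be tuned per site.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not from the article). 203.0.113.7 walks
# through many usernames and mostly fails; the other sources are normal users.
SAMPLE_LOG = """\
2017-02-10T09:00:01 src=203.0.113.7 user=alice result=FAIL
2017-02-10T09:00:02 src=203.0.113.7 user=bob result=FAIL
2017-02-10T09:00:02 src=203.0.113.7 user=carol result=FAIL
2017-02-10T09:00:03 src=203.0.113.7 user=dave result=OK
2017-02-10T09:00:03 src=203.0.113.7 user=erin result=FAIL
2017-02-10T09:00:04 src=203.0.113.7 user=frank result=FAIL
2017-02-10T09:00:10 src=198.51.100.4 user=alice result=FAIL
2017-02-10T09:00:15 src=198.51.100.4 user=alice result=OK
2017-02-10T09:01:00 src=192.0.2.9 user=bob result=OK
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(\S+)")

def parse_log(text):
    """Yield (src_ip, user, success) for each parseable log line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3) == "OK"

def find_stuffing_sources(text, min_users=5, min_fail_rate=0.6):
    """Return {ip: stats} for sources whose pattern looks like credential
    stuffing: many distinct usernames plus a high failure rate. Thresholds
    are assumed starting points, not values from the article."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0, "hits": set()})
    for ip, user, ok in parse_log(text):
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if ok:
            s["hits"].add(user)  # accounts the run actually got into: reset these
        else:
            s["fails"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        fail_rate = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and fail_rate >= min_fail_rate:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "fail_rate": round(fail_rate, 2),
                           "compromised": sorted(s["hits"])}
    return flagged

if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, stats)
```

The single-user source that fails once and then succeeds is left alone, which is the friction-free behaviour a blanket lockout rule would not give you.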

Smaller organizations can set up Google alerts for mentions of their organizations on malicious hacker forums, Marriott says.

“It’s an inexpensive way of gaining an understanding of an organization’s exposure,” he says. “Other free resources, such as haveibeenpwned.com, also give an idea when employees or customers have credentials compromised in breaches.”
