In this recent massive breach, hackers managed to steal email ids, passwords, birthdates and telephone numbers of half a billion users. Just a week before Yahoo confirmed the data breach, we published a detailed article on automated attacks explaining how hackers no longer only look for bugs or misconfigurations but also the ability to misuse valid functionality of the application to breach your network. Verizon DBIR of 2015 states “Pulling back from a single industry view, we find that most of the attacks make use of stolen credentials, which is a story we’ve been telling since 1 A.D. Over 95% of these incidents (web app attacks) involve harvesting credentials from customer devices, then logging into web applications with them.”
Credential stuffing is one of the simplest ways of exploiting application functionality. Hackers can easily purchase stolen credential lists and use them for automated attacks like credential stuffing.
According to OWASP, credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts.
This is a subset of the brute force attack category where large numbers of credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can use to hijack the account.
With tools such as Sentry MBA readily available to hackers, credential stuffing is one of the most popular attack vectors used by hackers given its simplicity. It automates the process of testing millions of username/password combinations to see which ones work.
Source- 1 OWASP ‘Automated Threat Handbook’ Web Applications
People often reuse credentials for their email, banking, social media, and online shopping accounts. In fact, according to a survey conducted on 2,000 consumers in the U.S. and the U.K by mobile identity company TeleSign, nearly 3 out of 4 consumers use duplicate passwords, many of which have not been changed for five years or more.
If a hacker has access to 500 million Yahoo credentials, that individual can configure an automated tool like Sentry MBA to run this set of credentials on your web applications. With every successful attempt, he puts your brand in jeopardy and your customers’ personally identifiable information at risk. Even if the match rate is only 1- 2%, the data breach could affect thousands of your customers.
For example, in 2012, Yahoo Voices was the target of a similar data breach that exposed email addresses and passwords of 453,491 users. Surprisingly, just one year prior, Sony user accounts were also breached. The data breach analysis (conducted by Microsoft MVP Troy Hunt) showed that 59% of Yahoo users were using the identical password in their Sony accounts.
While hackers can target any business with such automated attacks, they tend to gravitate towards small and mid-sized enterprises (as reported in the Verizon report) for lower resistance due to the following weaknesses:
According to the OWASP ‘Automated Threat Handbook’, application owners can identify such attacks with the following symptoms.
Organizations looking for a holistic approach to application security need to consider identifying vulnerabilities in web applications as well as the risks associated with the most sought after attack vector– automated attacks.
Indusface AppTrana helps businesses detect, protect and monitor such application-layer threats including automated attacks. Offered as a service, it provides full management of the operation using subject matter experts at a fraction of the cost of hiring an in house team. It includes:
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. He was instrumental in building the product/service and technology team from scratch and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. He has proven experience (10+ years) in the security industry and has held various mgmt/leadership roles in Product Development, Professional Services, and Sales during his time at Entrust Data card.