A new, detailed report by Recorded Future takes a deep dive into the world of credential stuffing. In a credential stuffing attack, a threat actor uses leaked or stolen login credentials for user accounts of one service to try to gain access to accounts on another service, relying on the fact that many people reuse passwords across multiple accounts. This tactic has been used since at least 2014, but detailed analyses of how criminals set up these campaigns are rare.
The new research indicates that, in order to carry out a successful credential stuffing campaign, threat actors generally need three things: a database of stolen credentials, account-checking tools to automate login attempts, and a database of proxies, i.e. servers that act as intermediaries for web traffic coming from and going to the threat actors, which keeps targeted websites from thwarting the attack by simply blocking the attackers' IP address.
The researchers note that everything on the shopping lists of a credential stuffing actor can easily be purchased on dark web marketplaces. Credential stuffing campaigns that involve automation are simple to carry out and highly lucrative, because “for every one million random combinations of emails and passwords, attackers can potentially compromise between 10,000 and 30,000 accounts. Moreover, the same database could then be reused over and over again to hack dozens of different websites, yielding even higher profits.” If threat actors spend just $550 on the needed tools, they “could expect to earn at least 20 times the profit on the sale of compromised login credentials.”
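The mechanics described above (a credential list replayed once per account, automated by a checker and spread across a proxy pool so that per-IP blocking fails) also suggest what a defender should look for. The following is an added example, not code from the report or from Recorded Future, showing two complementary detections over a constructed authentication log: a per-IP check that catches an un-proxied checker, and a population-level check over a time window that still fires when the same campaign is routed through many proxies, because the failure ratio, the one-attempt-per-account pattern and the IP spread survive rotation. Successful logins in a flagged window from a (user, ip) pair never seen before are reported as likely takeovers for step-up authentication or user notification. The log format, the IP addresses (documentation ranges), the usernames, the `KNOWN_PAIRS` baseline and all thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample authentication log (hypothetical key=value format, not from any product).
# 192.0.2.x: normal users. 198.51.100.7: one un-proxied checker spraying five accounts.
# 203.0.113.x: the same campaign routed through a proxy pool, one attempt per exit IP.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=192.0.2.10 user=alice result=OK
2024-05-01T10:00:05Z ip=192.0.2.11 user=bob result=FAIL
2024-05-01T10:00:09Z ip=192.0.2.11 user=bob result=OK
2024-05-01T10:01:00Z ip=198.51.100.7 user=carol result=FAIL
2024-05-01T10:01:01Z ip=198.51.100.7 user=dave result=FAIL
2024-05-01T10:01:02Z ip=198.51.100.7 user=erin result=FAIL
2024-05-01T10:01:03Z ip=198.51.100.7 user=frank result=FAIL
2024-05-01T10:01:04Z ip=198.51.100.7 user=grace result=FAIL
2024-05-01T10:02:00Z ip=203.0.113.1 user=heidi result=FAIL
2024-05-01T10:02:01Z ip=203.0.113.2 user=ivan result=FAIL
2024-05-01T10:02:02Z ip=203.0.113.3 user=judy result=FAIL
2024-05-01T10:02:03Z ip=203.0.113.4 user=kate result=FAIL
2024-05-01T10:02:04Z ip=203.0.113.5 user=leo result=FAIL
2024-05-01T10:02:05Z ip=203.0.113.6 user=mallory result=FAIL
2024-05-01T10:02:06Z ip=203.0.113.7 user=nina result=FAIL
2024-05-01T10:02:07Z ip=203.0.113.8 user=oscar result=OK
2024-05-01T10:02:08Z ip=203.0.113.9 user=peggy result=FAIL
"""

# Constructed baseline: (user, ip) pairs that succeeded before this window.
KNOWN_PAIRS = {("alice", "192.0.2.10"), ("bob", "192.0.2.11")}

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_log(text):
    """Return a list of (ip, user, ok) tuples, skipping lines that do not match the format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["ip"], m["user"], m["result"] == "OK"))
    return events


def flag_noisy_ips(events, min_users=5, min_fail_ratio=0.8):
    """Per-source check: one IP trying many distinct accounts with mostly failures.

    Catches an un-proxied checker, but misses a campaign that rotates through a
    proxy pool, because each exit IP then makes only one or two attempts."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0})
    for ip, user, ok in events:
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        s["fails"] += 0 if ok else 1
    return sorted(ip for ip, s in per_ip.items()
                  if len(s["users"]) >= min_users and s["fails"] / s["attempts"] >= min_fail_ratio)


@dataclass
class WindowVerdict:
    attempts: int
    failure_ratio: float
    users_per_attempt: float   # near 1.0: every credential tried once, no human-style retries
    ips_per_attempt: float     # high: load spread over many source IPs (a proxy pool)
    stuffing_suspected: bool
    suspect_successes: list    # (user, ip) pairs to step-up or notify


def assess_window(events, known_pairs, min_attempts=10):
    """Population-level check over a time window; these ratios survive proxy rotation."""
    attempts = len(events)
    if attempts == 0:
        return WindowVerdict(0, 0.0, 0.0, 0.0, False, [])
    fails = sum(1 for _, _, ok in events if not ok)
    users = {user for _, user, _ in events}
    ips = {ip for ip, _, _ in events}
    failure_ratio = fails / attempts
    users_per_attempt = len(users) / attempts
    ips_per_attempt = len(ips) / attempts
    suspected = (attempts >= min_attempts and failure_ratio >= 0.75
                 and users_per_attempt >= 0.75 and ips_per_attempt >= 0.5)
    # Only in a flagged window: successes from never-seen (user, ip) pairs are the likely takeovers.
    suspects = [(user, ip) for ip, user, ok in events
                if suspected and ok and (user, ip) not in known_pairs]
    return WindowVerdict(attempts, failure_ratio, users_per_attempt, ips_per_attempt, suspected, suspects)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("noisy single IPs:", flag_noisy_ips(ev))
    print(assess_window(ev, KNOWN_PAIRS))
```

Running it on the sample flags only `198.51.100.7` in the per-IP pass, while the proxied attempts from `203.0.113.1` through `203.0.113.9` slip through that check entirely; the window pass then fires on the aggregate shape and singles out the `oscar` login from `203.0.113.8` as the success to act on. The thresholds are illustrative and should be tuned against a site's own baseline, since legitimate traffic after a password reset campaign or a mobile app release can also raise the failure ratio.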
Read more: The Anatomy of Highly Profitable Credential Stuffing Attacks