Businesses are Losing Big to Credential Stuffing Attacks

This week it was revealed that a huge credential stuffing attack had cost sports betting organization DraftKings $300,000.

More specifically, cyber-crooks had used credential stuffing to gain access to many DraftKings customer accounts via a large-scale account takeover (ATO) attack and withdrawn funds. DraftKings has subsequently reimbursed the affected accounts, leaving the business out of pocket rather than its customers.

How does credential stuffing work?

In a statement on Twitter, DraftKings president Paul Liberman described the attack as a textbook credential stuffing incident: “We currently believe that the login information of these customers was compromised on other websites then used to access their DraftKings accounts where they used the same login information.”

This is exactly how every credential stuffing attack operates, as described in the BLADE Framework™, an open-source catalogue of business logic attack tactics and techniques. Credential stuffing is a simple attack to achieve, requiring minimal resources – a recent Netacea webinar, ‘Dissecting a Malicious Bot Attack’ , demonstrated in real time how stolen or leaked credential lists can be sourced for free from the open web with a simple Google search, and plugged into a freely available tool (such as OpenBullet) with minimal technical skill.

So, if credential stuffing is such a well-known and easy-to-launch attack, and so lucrative for attackers, why does it work so effectively?

How can businesses prevent credential stuffing attacks?

Promote good password hygiene

In his Twitter post, Liberman encouraged customers to “use unique passwords for DraftKings and all other sites”. This is in reference to why credential stuffing is so effective – If credentials are leaked from one site, and they have been reused on other sites, it’s only a matter of time before an attacker matches the two together. At that point, they have full access to the account and anything in it, including credit and personally identifiable information (PII).

Unfortunately, the password hygiene of its customers is out of the control of the businesses targeted by credential stuffing attacks.

2FA and multifactor authentication

Does 2FA and MFA (multifactor authentication) protect customers from credential stuffing attacks? While it's definitely an added barrier for cybercriminals, it's not necessarily bullet proof, as our friend and recent webinar guest, James McQuiggan of KnowBe4, told the Register: “When users have the same password for various accounts, cybercriminals will probably gain access to that account.”

James’s colleague Roger Grimes told us as much on the Cybersecurity Sessions podcast. “The reality is that for 90-95% of [MFA], I can bypass it as easy as if it was a password.”

Bot management

So, if organizations can’t force customers to have good password hygiene, and if MFA is not a bulletproof defense against credential stuffing account takeover attacks, what can they do to stop such incidents and protect both their customers and their profits?

One of the largest multinational telecommunications organizations in the UK, looking after over 15 million customer accounts, was also the target of credential stuffing and account takeover. Criminals were accessing accounts so they could sell bundled streaming service subscriptions on the dark web.

The telco company uses bot management to investigate every login request automatically and detect anomalous behavior using machine learning algorithms. If suspicious activity is detected, the login is prevented, and the offending bot is blocked from accessing the site. This mitigates an average of over 1,000 malicious login attempts per hour with a very low false positive rate.

It’s the same strategy used by a leading stock photography website, which prevents criminals from stealing customer credits from its accounts using advanced bot detection technology.

Protect your customers from credential stuffing and account takeover attacks

Credential stuffing is an easy and often profitable attack that can affect any business requiring its customers to log in. As password reuse is commonplace, and MFA can still be bypassed by determined attackers, it’s important that vulnerable businesses implement a strong and intelligent bot management solution.

Get started with Netacea today and we’ll show you how a POV engagement can quickly identify the bots attacking your website, mobile apps and API, so you don’t fall prey to a costly attack.