Credential stuffing: Bigger and badder than ever

News by Doug Olenick

Hackers are fully automated when it comes to the buying and selling of your details

Credential stuffing has been around since 2014, enticing cybercriminals with a hefty return on investment, and usage has increased of late as even more payment account credentials are stolen and sold on the dark web.

Recorded Future just issued a report that looks at the economic environment surrounding credential stuffing, and at some of the tools and actors behind the activity, to help explain its effectiveness and popularity. What has essentially happened over the last five years, and what makes the situation potentially disastrous for victims, is that credential stuffing has moved from being a somewhat manual, peer-to-peer enterprise to one that is fully automated.

"In older models, buyers received their wares only after the seller manually approved the deal and delivered the purchased data. Moreover, sellers had to maintain the listings and communicate with the buyers personally. However, with the advent of automated shops, the need for manual engagement was eliminated and the business of compromised accounts fully transitioned from peer-to-peer dealings to a much more democratized, open-to-everyone enterprise," the report stated.

A higher level of automation also means more victims. The latest batch to hit the headlines was Chipotle customers, who took to Twitter and Reddit to say their payment card information had been hacked and was being used to make fraudulent purchases at the Mexican food chain. Chipotle execs said its system has not been breached and the people were victims of credential stuffing.

From the criminals' point of view, the best change wrought by the system becoming automated was the drop in price for valid credentials due to millions of additional records going on the market which, in turn, prodded more malicious actors to move into the field.

"Although the competition quickly brought the average price of a single compromised account from over $10 down to a mere $1 to $2, the overall profitability of credential stuffing attacks increased significantly through sheer volume," the report said.

Besides automation, the other technological leap boosting credential stuffing was the advance in account-checking software tools that allowed a criminal to try to brute-force accounts across several companies.

Recorded Future called out:

STORM – a tool offered for free, but accepting donations.

Black Bullet – first appeared on the dark web in early 2018 and likely was created by the actor Ruri. It only allows for single company attacks.
Price: Between £24 and £40

Private Keeper – developed by the actor deival909 and is by far the most popular account-checking software in the Russian-speaking underground.
Price: From 49 Russian rubles (approximately £0.64)

SNIPR – developed by the threat actor Pragma and supports both online credential stuffing and offline brute-forcing dictionary attacks.
Price: 316

Sentry MBA – with over 1,000 configuration files available, is one of the most prominent and readily available examples of account-checking software on the dark web.
Price: Between £4 and £16 per configuration file

WOXY – email checker allows criminals to verify the validity of email accounts, scan email content for valuable information (like gift card codes or online subscriptions to streaming services, travel websites, and financial institutions), and hijack valid accounts by resetting login passwords automatically.
Price: was £32, but recently shared and is now free.

This article was originally published on SC Media US.
