FBI Warns: Credential Stuffing Attacks on the Rise
Stolen Credentials, Lack of MFA Leading to Millions in Banking Losses
The FBI is warning organizations in the financial sector about an increase in botnet-launched credential stuffing attacks. Many of these attacks, which target APIs, are being fed by billions of stolen credentials leaked over the last several years.
The FBI says 41% of all financial sector attacks between 2017 and 2020 were due to credential stuffing, resulting in the theft of millions of dollars.
The FBI Private Industry Notification says greater use of botnets enables cybercriminals and fraudsters to quickly hit many targets in search of finding credentials that work.
"Although most credential stuffing attacks have low success rates, cyber actors’ use of botnets to conduct a massive scale of automated login attempts in a short timeframe enabled them to discover multiple valid credential pairs," according to the FBI bulletin, which has been published online.
In July, security firm Digital Shadows reported that about 5 billion unique user credentials were circulating on darknet forums (see: 5 Billion Unique Credentials Circulating on Darknet).
The reuse of passwords and the lack of multifactor authentication pave the way for credential stuffing attacks.
"Credential stuffing has become quite easy to perform … and many financial institutions are losing small amounts across a broad base of customers," says Chris Pierson, CEO and founder of security firm BlackCloak.
Many bank customers simply ignore advice to adopt MFA, leaving their accounts and the banks open to attack, Pierson says.
A study published in June by researchers at Carnegie Mellon University found that even after being notified that their data has been compromised in a breach, only about a third of users change their passwords (see: Study: Breach Victims Rarely Change Passwords).
"BlackCloak's cyber analysts … have found that 68% of all corporate executives it protects were using the same passwords, keeping passwords in little notebooks or on their phones/computers insecurely, and not informed on which passwords were compromised," Pierson says.
Brandon Hoffman, CISO at the cybersecurity firm Netenrich, says the easiest way to stop brute force attacks is by "placing controls in the application or network layer to detect them and block them. Usually, this comes in the form of a web application firewall, but it can also be as simple as limiting login attempts."
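Hoffman's point about detecting and limiting login attempts can be made concrete. The following Python is an added example, not from the FBI notification or from either firm quoted here; it scores constructed authentication log lines for the pattern the FBI describes: many distinct usernames tried from one source in a short window, with mostly failures and a few valid hits. The log format, field layout and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data). Assumed format:
# "<ISO timestamp> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2020-09-10T12:00:00 203.0.113.7 alice@example.com FAIL
2020-09-10T12:00:01 203.0.113.7 bob@example.com FAIL
2020-09-10T12:00:01 203.0.113.7 carol@example.com OK
2020-09-10T12:00:02 203.0.113.7 dave@example.com FAIL
2020-09-10T12:00:02 203.0.113.7 erin@example.com FAIL
2020-09-10T12:00:03 203.0.113.7 frank@example.com FAIL
2020-09-10T12:00:40 198.51.100.9 grace@example.com FAIL
2020-09-10T12:00:55 198.51.100.9 grace@example.com OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse_log(text):
    """Return a list of (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def detect_stuffing(events, window=timedelta(seconds=60),
                    min_attempts=5, min_users=4, max_success_rate=0.5):
    """Flag sources that try many *different* usernames in a short window
    with a low success rate (the credential-stuffing signature, as opposed to
    one username hammered with many passwords). Returns {ip: [usernames that
    logged in OK from that source]} so those accounts can get step-up auth."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window start
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            successes = [u for _, u, ok in win if ok]
            if (len(win) >= min_attempts and len(users) >= min_users
                    and len(successes) / len(win) <= max_success_rate):
                flagged.setdefault(ip, set()).update(successes)
    return {ip: sorted(hits) for ip, hits in flagged.items()}
```

The single legitimate-looking source (one user, two attempts) is not flagged, while the bot-like source is, together with the one account whose leaked password still worked.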
In the majority of credential stuffing attacks, cybercriminals or fraudsters obtain usernames and passwords that have been compromised through earlier breaches and then use botnets to try to match these credentials against existing bank accounts, the FBI notes.
"Credential stuffing, just like most parts of the cybercrime marketplace, can be consumed as a service. This means the malware to obtain credentials can be used as a service. The credentials can simply be bought and put into credential stuffing services that are consumed per use or based on attack parameters," Hoffman says.
Pierson adds: "The problem of credential stuffing has reached epidemic proportions. Cybercriminals no longer have to resort to phishing emails to get credentials. All they have to do is try a username, usually the email address they see on the dark web, and any exposed password they can find."