Tue | Sep 15, 2020 | 2:01 PM PDT

In the last three years, there has been a significant increase in credential stuffing attacks. These attacks correlate with an increase in leaked login credentials available on the Dark Web, estimated to be in the billions.

The FBI is tracking many reports that indicate the use of botnet credential stuffing.

This attack vector is known to have a low success rate, but when used at a massive scale, it enables cybercriminals to discover valid login credential pairs.

Credential stuffing attacks lead to millions in damage

Here is an example of a recent credential stuffing attack investigated by the FBI.

A mid-sized financial institution reported its online banking platform received a "constant barrage" of login attempts using a variety of credential pairs, indicating that the attack was using bots.  

"Between January and August 2020, unidentified actors used aggregation software to link actor-controlled accounts to client
accounts belonging to the same institution, resulting in more than $3.5 million in fraudulent check withdrawals and ACH transfers. However, reporting does not indicate whether the increased logins and fraudulent transactions could be attributed to the same actor(s)."

And this is just one recent example of this type of cyber attack.

Financial industry targeted the most by credential stuffing attacks

From 2017 to 2019, the FBI says credential stuffing attacks were the most common type of attack against the financial sector, accounting for 41% of total incidents.  

From May to September of last year, 75% of those attacks targeted APIs.  

Here are two more examples cited in the recent FBI Private Industry Notification:

"Between June 2019 and January 2020, a NY-based investment firm and an international money transfer platform experienced credential stuffing attacks against their mobile APIs, according to a credible financial source. Although neither entity reported any fraud, one of the attacks resulted in an extended system outage that prevented the
collection of nearly $2 million in revenue.

"Between June and November 2019, a small group of cyber criminals targeted a financial services institution and three of its clients, resulting in the compromise of more than 4,000 online banking accounts, according to a credible financial source. The cyber
criminals then used bill payment services to submit fraudulent payments—about $40,000 in total—to themselves, which they then wired to foreign banking accounts. According to a 2020 case study on one of the firms, security researchers identified more than 1,500 email addresses and 6,000 passwords exposed in more than 80 data
breaches. Some of the credentials belonged to company leadership, system administrators, and other employees with privileged access."

Detecting credential stuffing attacks

Credential stuffing attacks and DDoS attacks account for the majority of all cybersecurity incidents in the financial sector, but it is important to be able to tell the two apart. 

The purpose of a DDoS attack is to crash a system by flooding it with more traffic than it is designed to handle, whereas a credential stuffing attack's goal is to gain access to the system by using a high volume of login attempts. 

The FBI has listed two indicators specific to a credential stuffing attack.

  • An unusually high number of failed logins, possibly in the millions, from a diverse range of IP addresses via the online account portal;
  • A higher than usual lockout rate and/or an influx of customer calls regarding account lockouts.
8 steps to mitigate credential stuffing attacks

The FBI recommends several ways to mitigate the threat of a credential stuffing attack:

1.  "Alert customers and employees to this scheme and actively monitor accounts for unauthorized access, modification, and anomalous activities."

2.  "Advise customers and employees to use unique passwords they are not using for any other accounts and to change their passwords regularly."

3.  "Direct customers to change their usernames and passwords upon identification of account compromise or fraud."

4.  "Validate customer credential pairs against databases of known leaked usernames/passwords."

5.  "Modify Internet banking login page responses to remove indicators that reveal the validity of credential pairs by issuing the same error message and response time when both username and password are incorrect or only the password is incorrect."

6.  "Establish company policies to contact the owner of an account to verify any changes to existing account information."

7.  "Establish MFA for creating and updating account information, especially for bank, insurance, and trading accounts, as well as for providing initial account access to financial aggregator services."

8.  "Use anomaly detection tools that identify an unusual increase in traffic and failed authentication attempts."

The FBI says these mitigation techniques will be most successful when used in combination with each other.

Read: FBI Private Industry Notification