One of the key advantages to migrating to the cloud is to attain scalability. The ability to deploy and retire digital assets in automated fashion is an important aspect of the digital transformation process. But scalability doesn’t just benefit the enterprise. It also benefits hackers and cybercriminals attempting to break into enterprises. Imagine how time consuming it would be to pick the lock of every locker in a high school building. It would be impractical to say the least. But what if all you had to do was crack one of them in order to gain potential access to all of them. What if you had a tool that could pick all of the locks simultaneously? In a matter of minutes, you could simply try any default or easy to remember number combination on each padlock until one worked. That is how credential stuffing attacks work today. They are highly scaled attacks designed to find the weakest link quickly and easily.
Why Credential Stuffing Attacks are so effective
Automated credential stuffing attacks carried out by large botnets give attackers near limitless scalability thanks to cloud sites that congregate millions of user accounts in a single space. Those organizations that utilize cloud based email services such as Office 365 perpetually experience large volumes of credential stuffing attacks. Criminal organizations deploy credential stuffing bots that continually pound away at your company email boxes, deploying common passwords until one hits. Once compromised, they can use that account to send convincing phishing or BEC attacks against other internal users. By targeting the path of least resistance, cybercriminals can beach your company network and move on from there without the need for human interaction.
But looking for easy prey on Office 365 is the tip of the ice berg. While gaining company wide access may be the end of a credential stuffing attack, the compromise of even a single user account today can bring something of value. That’s because most users choose an email address as their username for sites across the Internet. They then compound the problem by recycling passwords. Once a hacker guesses your logon for one site, chances they can utilize that credential set for another site such as your bank, social media site, media streaming application or online retail store. Conversely, attackers can target any of these sites in order to obtain your credentials.
Retail and Hospitality Sites are Top Targets
The reality today is that if an attacker can capture your logon credentials at your favorite online retailer, they can use those credentials to access other sites as well. Because the majority of consumers today make some percentage of their purchases online, ecommerce sites are a prime target. According to a recent report titled, Loyalty for Sale, over 60 percent of credential stuffing attacks detected over the past two years have been targeted at retail, travel and hospitality businesses. The company that compiled the report stated that between July 1 2018 and June 30 2020, over 64 billion out of a detected 100 billion credential stuffing attacks targeted open user accounts in the retail, travel and hospitality sectors. Though the numbers are staggering, it is nothing new. The retail industry was the #1 target for credential stuffing attacks the year prior as well. In 2018, a collection of 773 million unique email addresses and 22 million unique passwords was discovered. The credentials comprised more than 87 GB of data. Since the COVID crisis, cybercriminals have been recycling stored credential lists such as these to find newly active online accounts for retail sites.
Protecting Yourself from Credential Stuffing Attacks
One of the most effective ways to curb credential stuffing attacks is to use unique credentials for each site you access. Should one of your accounts be compromised, it cannot be used in quick succession on other sites you frequent. Users should also change their passwords regularly as stolen credentials are stored for years by criminals. In order to protect against compromised credentials, organizations need the right email security solution in order to foil attacks. An example is SpamTitan Cloud which gives organizations a highly scalable protection system to secure email attack avenues. SpamTitan was created to thwart zero-day attacks and counter the most advanced phishing techniques utilized today. It also uses next generation tools such as sandboxing and data leak prevention rules. With SpamTitan, you can scale your security in order to protect against the highly scalable cyberattacks of today.