Credential stuffing tools help hackers break into accounts
With thousands of stolen account details available for sale on the web, cyber criminals are turning to new methods of using them efficiently to try to break into accounts.
According to a new report by risk analysis specialist Digital Shadows, 'credential stuffing' tools are the latest technique being used to automate attempts at account takeover.
Credential stuffing -- not as you might think the latest alternative to sage and onion -- is a type of brute force attack where large sets of credentials can be automatically inserted into login pages until a match with an existing account is found. The most common targets for these attacks are the gaming, technology, broadcasting and retail sectors.
Last year Digital Shadows found that 97 percent of businesses in the Forbes 1000 list had their credentials exposed, usually because employees had used the same details across multiple sites and platforms. Now criminals are recognizing that employees often have poor username and password discipline and are turning to mass automated credential stuffing attacks aiming to gain access to corporate networks.
"Many organizations are suffering breach fatigue due to the huge numbers of credentials exposed via not only high profile incidents like those suffered by MySpace, LinkedIn and Dropbox, but also from tens of thousands of smaller breaches," says Rick Holland, VP strategy at Digital Shadows. "But it is critical that businesses arm themselves with the necessary intelligence and insight to manage their digital risk and prevent this problem credential exposure from escalating into an even more severe problem."
To protect themselves from this type of attack, Digital Shadows recommends monitoring for leaked credentials and mentions of a company on hacking forums. Companies should also employ a web application firewall, and increase user awareness of the dangers of password reuse.
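As an added illustration (not taken from the Digital Shadows report), the Python example below shows the login-log signal that separates credential stuffing from a user mistyping a password or an office sharing one address: one source trying many distinct usernames with few of them authenticating. The log format, thresholds, addresses and account names are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Assumed log format: "ip=<addr> user=<name> result=OK|FAIL"
LINE = re.compile(r"ip=(\S+) user=(\S+) result=(OK|FAIL)")

def make_sample_log():
    """Constructed auth-log lines; none of this data comes from the report."""
    stuffing = [f"ip=203.0.113.7 user=user{i}@example.com result=FAIL" for i in range(5)]
    stuffing.append("ip=203.0.113.7 user=carol@example.com result=OK")  # reused password matched
    forgot = ["ip=198.51.100.20 user=dave@example.com result=FAIL"] * 6  # one user retrying
    office = [f"ip=192.0.2.10 user=staff{i}@example.com result=OK" for i in range(5)]  # shared NAT
    return stuffing + forgot + office

def find_stuffing_sources(lines, min_users=5, max_success_rate=0.2):
    """Flag source IPs that try many distinct usernames, few of which log in.

    Thresholds are illustrative and need tuning against real traffic.
    Returns {ip: {"users_tried", "success_rate", "accounts_to_reset"}}.
    """
    stats = defaultdict(lambda: {"users": set(), "hits": set()})
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not a login event
        ip, user, result = m.groups()
        stats[ip]["users"].add(user.lower())
        if result == "OK":
            stats[ip]["hits"].add(user.lower())

    flagged = {}
    for ip, s in stats.items():
        # Fraction of the distinct accounts tried that actually authenticated.
        rate = len(s["hits"]) / len(s["users"])
        if len(s["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {
                "users_tried": len(s["users"]),
                "success_rate": rate,
                # Accounts that did authenticate from a flagged source
                # should be treated as taken over and have passwords reset.
                "accounts_to_reset": sorted(s["hits"]),
            }
    return flagged

if __name__ == "__main__":
    for ip, info in find_stuffing_sources(make_sample_log()).items():
        print(ip, info)
```

The accounts listed under `accounts_to_reset` are the ones where a reused password matched, so they are the priority for forced resets and session revocation.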
You can get the full report and more protection tips on the Digital Shadows website.