Automated brute force attacks, also known as automated threats, are growing increasingly sophisticated. The Open Web Application Security Project (OWASP) currently lists 21 different methods of automated threats used by cybercriminals to hack into user accounts, ranging from CAPTCHA Defeat, which uses software to solve anti-automation tests, to Token Cracking, which attempts to identify valid token codes that provide some form of user benefit within the application, such as cash alternatives, non-cash credits, discounts, or access to limited offers.
What Is Credential Stuffing?
Other methods, such as credential stuffing and password spraying, can cause more widespread damage and yield more profitable results. In a credential stuffing attack, the attacker collects lists of stolen account credentials (usually from the dark web, where they are easily obtainable). Typically, these lists contain usernames and/or email addresses with corresponding passwords. Using bots, the attackers replay the stolen credentials in large-scale automated login requests against a web application in order to gain unauthorized access to user accounts.
What Is Password Spraying?
Password spraying is a similar method but relies on usernames rather than a full set of credentials: the attacker takes verified usernames and tries each of them against a small number of common passwords, spreading the attempts across many accounts. Credential cracking pursues the same goal by guessing common usernames or passwords, or by first checking which usernames are valid.
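The two patterns described above leave different shapes in authentication logs, and that shape is what a defender can alert on, since the password itself is never logged. The following detector is an added example, not code from the article or from any vendor named in it; the log format, the field names and the thresholds are assumptions chosen for illustration, and the log lines are constructed. Credential stuffing shows up as one source hammering many distinct accounts with one or two tries each in a short burst; password spraying shows up tenant-wide as many accounts each failing once, from several sources, over a longer window so that no per-account lockout is tripped.

```python
"""Shape-based detection of credential stuffing and password spraying in
authentication logs. Added example, not from the original article; the log
format, field names and thresholds are assumptions chosen for illustration."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample log: "<ISO timestamp> <source ip> <username> <OK|FAIL>".
# 08:00 block: ordinary users. 10:00 block: one source replaying leaked pairs
# (stuffing, one hit). 11:30 block: three sources each trying one password
# against many accounts, six minutes apart (spraying, low and slow).
SAMPLE_LOG = """\
2024-03-01T08:00:00 192.0.2.10 alice OK
2024-03-01T08:05:00 192.0.2.11 bob FAIL
2024-03-01T08:05:20 192.0.2.11 bob OK
2024-03-01T10:00:01 203.0.113.7 alice FAIL
2024-03-01T10:00:02 203.0.113.7 bob FAIL
2024-03-01T10:00:02 203.0.113.7 carol FAIL
2024-03-01T10:00:03 203.0.113.7 dave FAIL
2024-03-01T10:00:04 203.0.113.7 erin OK
2024-03-01T10:00:05 203.0.113.7 frank FAIL
2024-03-01T10:00:06 203.0.113.7 grace FAIL
2024-03-01T10:00:07 203.0.113.7 heidi FAIL
2024-03-01T11:30:00 198.51.100.1 alice FAIL
2024-03-01T11:36:00 198.51.100.2 bob FAIL
2024-03-01T11:42:00 198.51.100.3 carol FAIL
2024-03-01T11:48:00 198.51.100.1 dave FAIL
2024-03-01T11:54:00 198.51.100.2 erin FAIL
2024-03-01T12:00:00 198.51.100.3 frank FAIL
"""


class Event(NamedTuple):
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format into time-ordered events."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), ip, user, result == "OK"))
    return sorted(events, key=lambda e: e.ts)


def _windows(events: list[Event], window: timedelta):
    """Yield every trailing slice of `events` whose time span is at most `window`."""
    start = 0
    for end in range(len(events)):
        while events[end].ts - events[start].ts > window:
            start += 1
        yield events[start:end + 1]


def stuffing_sources(events, window=timedelta(minutes=5), min_users=5, max_attempts_per_user=2):
    """Credential stuffing replays leaked username/password pairs, so a single
    source touches many distinct accounts with one or two tries each in a burst.
    Returns {ip: {"users": n, "successes": m}} for the busiest such window per source."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        for chunk in _windows(evs, window):
            per_user = Counter(e.user for e in chunk)
            if len(per_user) >= min_users and max(per_user.values()) <= max_attempts_per_user:
                found = {"users": len(per_user), "successes": sum(e.ok for e in chunk)}
                if found["users"] > flagged.get(ip, {"users": 0})["users"]:
                    flagged[ip] = found
    return flagged


def spraying_window(events, window=timedelta(hours=1), min_users=5, max_attempts_per_user=1, min_ips=2):
    """Password spraying tries a few common passwords against many accounts while
    staying under each account's lockout threshold and spreading traffic across
    sources. Looks tenant-wide for many accounts each failing at most
    `max_attempts_per_user` times from several IPs; returns the strongest window or None."""
    fails = [e for e in events if not e.ok]
    best = None
    for chunk in _windows(fails, window):
        per_user = Counter(e.user for e in chunk)
        ips = {e.ip for e in chunk}
        if (len(per_user) >= min_users and max(per_user.values()) <= max_attempts_per_user
                and len(ips) >= min_ips):
            found = {"start": chunk[0].ts.isoformat(), "end": chunk[-1].ts.isoformat(),
                     "users": len(per_user), "ips": len(ips)}
            if best is None or found["users"] > best["users"]:
                best = found
    return best


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing sources:", stuffing_sources(evs))
    print("spraying window :", spraying_window(evs))
```

In production the thresholds must be tuned against a baseline of normal failure rates, and the spraying check in particular needs the `min_ips` guard, otherwise the stuffing burst from a single source would be counted twice. The `successes` field on a flagged stuffing source is the number that matters for incident response: those are the accounts whose reused passwords actually worked.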
SpyCloud notes that these automated methods are easy and popular among “less experienced cybercriminals because they rely on downloadable tools,” enabling them to “test large volumes of stolen usernames and passwords across multiple sites until one works.”
They’re successful for two primary reasons: first, many organizations still allow their customers and employees to use password-only logins without multifactor authentication; second, users (employees and customers) are so overwhelmed by the number of logins they have (upwards of 200 on average) that they resort to reusing passwords across multiple accounts. Despite years of constant urging by security experts for companies to adopt two-factor or multifactor authentication, many still don’t, leaving themselves, and their customers, open to an ever-increasing threat.
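One mitigation for the password-reuse problem just described goes a step beyond what the article says: at signup and password change, reject any password that already appears in breach data, because that is exactly what a credential stuffing list is built from. The code below is an added example, not from the article or from any vendor mentioned in it. It demonstrates the k-anonymity range-query pattern used by breached-password lookup services: only the first five hex characters of the SHA-1 leave the client, and the full hash is matched locally. The breach corpus, its counts and the response format are constructed for illustration.

```python
"""Screen a candidate password against breached-credential data without sending
the password (or its full hash) to the lookup service, using the SHA-1 prefix
k-anonymity range-query pattern. Added example, not from the article; the
corpus and the range-response format are constructed for illustration."""
import hashlib
from collections import defaultdict

# Constructed stand-in for a leaked-credential corpus: password -> times seen.
BREACH_CORPUS = {
    "password": 3861493,
    "123456": 23597311,
    "qwerty": 3912816,
    "letmein": 123456,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest breached-password range services key on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict[str, int]) -> dict[str, list[str]]:
    """Server side: bucket every digest by its first 5 hex characters.
    Each bucket holds 'SUFFIX:COUNT' lines, so a bucket never identifies
    a single password on its own."""
    index: dict[str, list[str]] = defaultdict(list)
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index[digest[:5]].append(f"{digest[5:]}:{count}")
    return index


def range_query(index: dict[str, list[str]], prefix: str) -> str:
    """Server side: return the whole bucket for a 5-character prefix, nothing else."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    return "\n".join(index.get(prefix.upper(), []))


def breach_count(password: str, index: dict[str, list[str]]) -> int:
    """Client side: only the prefix leaves the client; the remaining 35 hex
    characters are compared locally. Returns how often the password was seen
    in breaches (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_query(index, prefix).splitlines():
        cand_suffix, count = line.split(":")
        if cand_suffix == suffix:
            return int(count)
    return 0


def password_acceptable(password: str, index: dict[str, list[str]], min_len: int = 12) -> bool:
    """Policy hook for signup or password change: reject anything short and
    anything already circulating in breach data."""
    return len(password) >= min_len and breach_count(password, index) == 0


if __name__ == "__main__":
    idx = build_range_index(BREACH_CORPUS)
    for candidate in ("password", "correct horse battery staple"):
        print(f"{candidate!r}: seen {breach_count(candidate, idx)} times, "
              f"acceptable={password_acceptable(candidate, idx)}")
```

The split between `range_query` (server) and `breach_count` (client) is the point of the pattern: the service learns that the client holds some password whose hash starts with those five characters, which narrows it to a bucket of hundreds of candidates, not to one. This check complements multifactor authentication rather than replacing it; it removes the already-leaked passwords a stuffing list would hit, but not a unique password that leaks later.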
Recent Poker Credential Stuffing Attack
The popularity of cryptocurrencies only adds another layer of opportunity, as seen in the recent attack on Americas Cardroom (ACR), the flagship room of the Winning Poker Network (WPN), which was recently reported by Poker.org, a gaming media outlet. In this attack, players’ accounts were breached by a credential stuffing attack that “successfully accessed several accounts and made (or attempted to make) withdrawals to cryptocurrency accounts such as Bitcoin wallets.” After ACR confirmed the attacks, which were first revealed on Twitter by a customer and then spread on an online Poker Fraud Alert Board, it refunded the victims’ losses, which ranged from high-four-digit to low-five-digit sums. The company also had to fight back against rumors that the hack was an inside job, with an ACR spokesperson saying, “To be clear, this attack was completely from an external third party.” The company also said, “We’ve patched this vulnerability and zero player balances were lost.” Regardless of who made whom whole, someone’s money disappeared.
Discussing the attack, Andrew Moyad, Shared Assessments CEO, said,
“…this is a fascinating example of conventional brute force attack coupled with automated, distributed requests (DDoS in reverse), which really speaks to the need for 2FA/MFA, especially for transactional sites. Where a hacker can more easily pick up working combinations of username-password (even just in browser caches) from typical challenge-response designs on conventional sites, MFA would essentially mitigate if not eliminate this risk if applied correctly. On net, conventional challenge-response authentication design is grossly insufficient in today’s world.”
How To Defend Your Organization From A Credential Stuffing Attack
Read more about the incident on Poker.org, learn about the different types of automated threats on OWASP’s website, and take action on these recommendations recently issued by CISA and the FBI on how to fortify your cybersecurity:
- Enable multifactor authentication.
- Set antivirus and antimalware programs to conduct regular scans.
- Enable strong spam filters to prevent phishing emails from reaching end users.
- Update software.
- Filter network traffic.