
Credential stuffing attacks are on the rise, and business owners need to be aware of how they work in order to protect their online accounts and data.

In short, credential stuffing is when cybercriminals use lists of stolen or leaked usernames and passwords to try to log in to various accounts en masse.

The attack is automated using bots, and it is easy to scale up. Even with a relatively small list of stolen credentials, an attacker can potentially gain access to a large number of accounts.

The objectives of credential stuffing attacks

Before we dive into the process credential stuffers use to execute their attacks, let’s review why they complete these attacks in the first place.

Credential stuffing attacks are usually motivated by one or more of the following objectives:

  1. Financial gain: The attacker steals credit card numbers or other sensitive information that can be sold on the black market.
  2. Disruption: The attacker wants to cause disruption to a particular business or individual.
  3. Espionage: The attacker is looking to gain access to sensitive information for competitive intelligence purposes.

As you can see, these credential stuffers are up to no good. Let’s take a look at how they actually execute their attacks.

An overview of the process to complete a large-scale credential stuffing attack

If you’ve ever wondered how credential stuffing attacks work, here is the process in a nutshell:

1. The attacker obtains a large list of stolen credentials.

They acquire the list by purchasing databases of stolen credentials or by using credential harvesting malware to steal credentials from infected devices.

2. The attacker deploys automated bots to try the stolen credentials on other websites and services.

When one of the stolen credentials succeeds, the attacker enters the compromised account.

3. The attacker explores the account and looks for sensitive information, such as credit card numbers or personal data.

If they find any valuable information, they exfiltrate it. Otherwise, they move on to the next account.

4. The attacker repeats steps 2-3 until they have exhausted the list of stolen credentials or found the information they’re looking for.

Credential stuffing attacks are a serious threat to businesses and individuals alike. They can lead to the loss of sensitive data, financial losses, and damage to reputation.

Now that you understand how credential stuffing attacks wreak havoc on their victims, we can dive deeper into the logistics of the attacks.

The latest credential stuffing developments that facilitate attacks

Here are a few recent trends and developments that empower cybercriminals to complete credential stuffing attacks:

1. The rise of credential stuffing as a service

In the past, credential stuffing attacks were mostly carried out by experienced cybercriminals. However, the rise of credential stuffing as a service has made it possible for anyone to launch an attack.

Criminal organizations offer subscription-based services that provide access to a botnet, which can be used to carry out credential stuffing attacks. The botnet is usually composed of compromised devices, such as home routers.

2. Advancements in artificial intelligence

Artificial intelligence (AI) is being used to carry out credential stuffing attacks with increasing frequency. AI-powered credential stuffing tools can automatically generate credential lists by combining information from multiple data sources.

This allows credential stuffing attacks to be executed at a much larger scale than before.

3. The use of Tor in credential stuffing attacks

Tor is a decentralized network that allows users to browse the internet anonymously. It is often used by criminals for illegal activities, such as drug trafficking and… you guessed it, credential stuffing attacks.

By using Tor, attackers can conceal their identity and location. This makes it more difficult for victims to trace the activity back to the attacker.

4. The role of large-scale data breaches in credential stuffing attacks

As we mentioned earlier, credential stuffing attacks are usually carried out with lists of stolen credentials that are available for purchase on the Dark Web. These lists typically contain millions of stolen credentials. They are goldmines for attackers.

But where do these credential dumps come from? Many of them are the result of large-scale data breaches.

In recent years, there have been a number of high-profile data breaches that have resulted in the theft of billions of credentials.

A notable example is the Yahoo! data breach, which resulted in the theft of 3 billion credentials.

These large-scale data breaches have made it possible for criminals to carry out credential stuffing attacks on a much larger scale than before.

5. The wrath of botnets

Botnets are networks of compromised devices that can be used to carry out credential stuffing attacks. The most common type of botnet is composed of home routers that have been infected with malware.

This malware allows the attacker to take control of the router and use it to send credential stuffing requests on a massive scale.

In recent years, botnets have become a powerful tool for attackers. They have been used to carry out a number of high-profile credential stuffing attacks.

6. The advancement of cloud-based credential stuffing tools

Cloud-based credential stuffing tools have become increasingly popular in recent years. These tools allow criminals to launch credential stuffing attacks without having to install any software on their own devices.

This makes it possible for anyone, even those with limited technical knowledge, to launch an attack.

How attackers acquire lists of stolen credentials

There are two main ways attackers acquire lists of stolen credentials: credential dumps and credential harvesting malware.

  • Credential dumps are databases of stolen credentials that are available for purchase on the Dark Web. As we mentioned earlier, these databases typically contain millions of stolen credentials.
  • Credential harvesting malware is malicious software that infects devices and steals credential information. The malware can compromise devices in a number of ways, such as through phishing emails or through exploit kits that target vulnerabilities in software.

Once the malware is on a device, it will harvest credential information from the browser’s password manager or steal credentials that are entered into web forms. The harvested credentials are then sent to the attacker, who can use them in credential stuffing attacks.

How credential stuffing attacks are automated

Credential stuffing attacks are automated using bots. Bots are programs that can automate tasks, such as filling out web forms or making HTTP requests.

Attackers use bots because credential stuffing attacks require a large number of credential attempts to be made in a short period of time. If an attacker tried to force their way into accounts manually using stolen credentials, they would quickly get locked out. However, by using bots, attackers can make credential attempts at a much higher rate without getting blocked.

Types of bots used for credential stuffing attacks

The two most common bots criminals use for credential stuffing attacks are web bots and scraper bots. Let’s take a look at each one:

  • Web bots interact with websites in the same way that a human user would. They can fill out web forms and make HTTP requests. Web bots are typically used to brute-force login pages.
  • Scraper bots scrape websites for data. They can be used to scrape credential dumps from the Dark Web or to harvest credentials from infected devices.

How bots avoid getting locked out of accounts during a credential stuffing attack

Bots become smarter with each year that passes. When executing a credential stuffing attack, here are the two main ways bots avoid getting blocked:

  1. Using proxies: Proxies are servers that act as intermediaries between the bot and the target website. When using proxies, each credential attempt appears to come from a different IP address, making it harder for the target website to detect and block the credential stuffing attack.
  2. Rotating credentials: When credential stuffing attacks involve large numbers of stolen credential pairs, the chances of one of the credential pairs being locked out are relatively low. To further reduce the chances of getting locked out, bots will rotate through different credential pairs with each attempt.

Types of credential stuffing attacks

Here are the most common types of credential stuffing attacks:

API credential stuffing

API credential stuffing attacks target application programming interfaces (APIs). APIs are used by applications to interact with each other. For example, when you log in to a website using your Facebook credentials, the website is using Facebook’s API.

Brute-force attacks

Brute-force credential stuffing attacks involve repeatedly trying to log in to an account using different credential pairs. The attacker will continue trying to log in until they either succeed or get locked out.

Password spraying

Password spraying is a credential stuffing attack that targets multiple accounts with the same password. The attacker will try the password on a large number of accounts in the hope that a small number of them use that password.

Dictionary attacks

Dictionary credential stuffing attacks involve trying a list of common passwords on a large number of accounts. Dictionary attacks are often used in conjunction with password spraying.

Tools attackers use to mimic human behavior

Attackers often use tools to mimic human behavior when carrying out credential stuffing attacks. This helps them avoid detection and makes it more likely that the credential attempt will be successful.

The tools attackers use to mimic human behavior include:

  • DevTools: Many attackers use the DevTools panel to inspect the website’s HTML and JavaScript code. This information can be used to understand how the website works and to find ways to automate interactions with the website.
  • Browser Plug-ins: The attacker can use browser plugins, such as Selenium or Puppeteer, to automate interactions with the website.
  • Anti-detect browsers: Often, attackers use anti-detect browsers, such as Tor Browser or Whonix, to make it harder for the website to detect that the credential stuffing attack is being carried out by a bot.

These tools can be powerful, but they’re never perfect. With the right strategies and software, you can distinguish bot behavior from genuine human interactions.

How organizations can detect credential stuffing attacks

Credential stuffing attacks can be detected in a number of ways, such as through rate-limiting and anomaly detection.

  • Rate-limiting is a security measure that limits the number of requests that can be made to a website from a single IP address.
  • Anomaly detection is a security measure that uses machine learning to detect unusual behavior, such as a large number of failed login attempts. Anomaly detection can be used to detect credential stuffing attacks in real-time and block the attacker’s IP address.
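
The two detection approaches above can be sketched over login events as follows. This is an added example, not code from the original article or from Kasada: it uses simple sliding-window thresholds in place of machine learning, and the event tuple format, threshold values, IP addresses and usernames are all assumptions constructed for illustration. It also shows why a per-IP check alone misses attempts that arrive through proxies, each from a different address.

```python
from collections import defaultdict, deque

WINDOW = 60              # seconds per sliding window (assumed value)
PER_IP_USERS = 5         # distinct failed usernames from one IP before flagging
GLOBAL_FAILS = 20        # site-wide failures in a window before checking the ratio
GLOBAL_FAIL_RATIO = 0.8  # share of failed attempts that counts as anomalous

def detect(events):
    """events: (ts_seconds, ip, username, ok) tuples sorted by time.
    Returns (flagged_ips, global_alert_times)."""
    per_ip = defaultdict(deque)   # ip -> (ts, username) of recent failures
    recent = deque()              # (ts, ok) for every recent attempt, site-wide
    flagged_ips, global_alerts = set(), []
    for ts, ip, user, ok in events:
        recent.append((ts, ok))
        while recent[0][0] <= ts - WINDOW:
            recent.popleft()
        if not ok:
            q = per_ip[ip]
            q.append((ts, user))
            while q[0][0] <= ts - WINDOW:
                q.popleft()
            # Many *different* usernames failing from one source is the
            # stuffing signature; one user mistyping repeatedly is not.
            if len({u for _, u in q}) >= PER_IP_USERS:
                flagged_ips.add(ip)
        # Site-wide check: catches runs spread across many source addresses.
        fails = sum(1 for _, o in recent if not o)
        if fails >= GLOBAL_FAILS and fails / len(recent) >= GLOBAL_FAIL_RATIO:
            if not global_alerts or ts - global_alerts[-1] >= WINDOW:
                global_alerts.append(ts)
    return flagged_ips, global_alerts

def sample_events():
    """Constructed sample data (documentation IP ranges, made-up usernames)."""
    ev = []
    # Normal traffic: one user fumbling a password, then succeeding.
    ev += [(t, "198.51.100.7", "alice", False) for t in (0, 5, 9)]
    ev.append((12, "198.51.100.7", "alice", True))
    # Single-source run: one IP, eight different usernames in 16 seconds.
    ev += [(100 + 2 * i, "203.0.113.9", f"user{i}", False) for i in range(8)]
    # Proxy-distributed run: 30 attempts, each from a different IP.
    ev += [(300 + i, f"192.0.2.{i + 1}", f"acct{i}", i == 17) for i in range(30)]
    return sorted(ev)

if __name__ == "__main__":
    print(detect(sample_events()))
```

On the sample data the per-IP rule flags only the single-source run, while the distributed run is caught only by the site-wide failure-ratio check.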

What to do if you’re at risk of credential stuffing attacks

Honestly, you are already at risk of a credential stuffing attack if your website or mobile app offers visitors the opportunity to purchase something.

Here are a few steps you can take to protect yourself from credential stuffing attacks:

1. Use a strong password manager

A password manager can help you generate and store strong passwords for all of your online accounts. This will make it harder for attackers to brute-force their way into your account if they steal your credentials.

2. Use two-factor authentication

Two-factor authentication secures your account with an additional layer of protection. Even if an attacker manages to steal your credentials, they won’t be able to access your account without the second factor, such as a code that is sent to your phone.

3. Be careful of phishing emails

Phishing emails are a common way for attackers to infect devices with credential harvesting malware. Be careful of any email that asks you to click on a link or download an attachment, even if it appears to be from a trusted sender.

4. Keep your software up to date

Attackers often use exploit kits to infect devices with credential harvesting malware. These kits target vulnerabilities in software, so it’s important to keep your software up to date to make sure that you’re not vulnerable.

5. Monitor your account for unusual activity

If you notice any suspicious activity on your account, such as login attempts from unfamiliar IP addresses, it’s possible that you’re being targeted in a credential stuffing attack. Change your password and enable two-factor authentication if you notice any suspicious activity.

6. Invest in a bot mitigation solution

A bot mitigation solution can help you detect and block credential stuffing attacks. At Kasada, we offer protection against automated threats for web, mobile, and API channels. Our solution provides effective bot mitigation that is easy to deploy and scale.

Ready to stop bad bots for good?

If you’re ready to take action against credential stuffing attacks, we can help. Bot mitigation is our specialty at Kasada, and we’re here to help you protect your website or mobile app from automated threats.

Request your demo of the most intelligent bot mitigation solution on the market.
