What is Credential Stuffing?
Credential stuffing is something every business owner should be aware of, as it is a route through which attackers can gain access to your data.
What is credential stuffing?
Credential stuffing is where a hacker, or a group of hackers, takes usernames, email addresses and passwords they have already obtained and uses them in an attempt to break into another website.
Credential stuffing is not a specific type of attack; it is an attempt to breach users' accounts, and it can also mimic other types of attack.
One of the types it can resemble is a Distributed Denial-of-Service (DDoS) style attack.
If the attacker is careless in their implementation, they could overload your server and make the activity look like something else.
This, in turn, could lead you to respond in a manner that actually benefits the attacker: by "throwing more resources at the problem" you give them additional capacity with which to test their logins.
How can credential stuffing be achieved?
Credential stuffing can be performed in several ways. One of the original ways of carrying out an attack is via a human farm, with people attempting each login from a list they have been given.
However, technology, in the form of bots, is taking over and is becoming the more common way to carry out credential stuffing. Here we highlight the distinct types:
- Via a single bot on a hacker’s machine,
- A suite of bots or a hacker using several machines,
- Cloud-hosted servers,
- By using an already established botnet and the computers of the botnet victims.
How sophisticated the bot (or the human agent) needs to be varies a lot from site to site and depends on the technologies used by the website being attacked.
So, let’s look at a few technology types and how bots could run on these systems.
RESTful or HTTP/s API Website
Websites that use an HTTP/s-based API to authenticate, without any form of pre-auth token, are at risk from a malicious bot firing thousands of requests at the API server without ever touching a web browser.
Websites using server-side handling of page requests (commonly known as POST)
The same weakness applies here. A bot could simply construct the raw request data that a web browser would normally build and send it to the web server. This returns larger responses in the form of HTML, which the bot would need to parse rather than reading a response designed for quick machine access, but turning that into an understandable response would not take much effort.
On more secured connections
We've covered the older and less secure methods, which can be attacked easily without any sophisticated techniques.
Now we'll look at how you can still be vulnerable with a more secure connection.
You've set up your security so that people must use your website to send requests to your server. In other words, you have web application verification in place.
This means the bot now must use your web application and pretend to be a human in order to complete the login form over and over again; if it doesn't, any edge protection in place (like Cloudflare) would stop it fairly quickly.
How to protect against credential stuffing attacks
Veracity Trust Network’s Web Threat Protection can protect your website from a subset of methods in which your own website is used against you to perform credential stuffing.
It should be an integral part of your wider cyber security suite, which should have good edge node and proxy protection systems in place, like Cloudflare or Amazon CloudFront, with good Web Application Firewall (WAF) rules.
You also need to make sure your system communicates in such a way that only allowed applications can send requests to it. You should also have login protection rules in place, such as: "This IP address or session has failed to log in five times in quick succession, therefore block all subsequent requests for X amount of time."
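One way to implement the failed-login rule just described, as an added example that is not Veracity's code: it assumes a 60-second window for "quick succession" and a 15-minute block for "X amount of time", and replays constructed log lines through the rule.

```python
# Added example, not Veracity's code: a sliding-window failed-login lockout
# of the kind described above, replayed over constructed auth log lines.
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                   # failures tolerated inside the window
WINDOW = timedelta(seconds=60)     # "in quick succession" (assumed value)
BLOCK_FOR = timedelta(minutes=15)  # the "X amount of time" (assumed value)

class LoginGuard:
    def __init__(self):
        self.failures = defaultdict(deque)  # source -> recent failure timestamps
        self.blocked_until = {}             # source -> when its block expires

    def record(self, source, outcome, now):
        """Feed one login event for an IP or session; return the decision."""
        if now < self.blocked_until.get(source, now):
            return "blocked"                # still inside the block period
        if outcome == "success":
            self.failures.pop(source, None) # a genuine login resets the counter
            return "allowed"
        recent = self.failures[source]
        recent.append(now)
        while now - recent[0] > WINDOW:     # forget failures older than the window
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.blocked_until[source] = now + BLOCK_FOR
            recent.clear()
            return "blocked"
        return "allowed"

# Constructed sample log lines: "<timestamp> <source_ip> <outcome>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.7 fail
2024-01-01T10:00:02 203.0.113.7 fail
2024-01-01T10:00:03 198.51.100.9 fail
2024-01-01T10:00:05 203.0.113.7 fail
2024-01-01T10:00:08 203.0.113.7 fail
2024-01-01T10:00:09 203.0.113.7 fail
2024-01-01T10:00:15 203.0.113.7 success
2024-01-01T10:20:00 203.0.113.7 success
"""

def evaluate(log_text):
    """Replay log lines through one guard; return [(source, decision), ...]."""
    guard = LoginGuard()
    return [(src, guard.record(src, outcome, datetime.fromisoformat(ts)))
            for ts, src, outcome in (line.split() for line in log_text.splitlines())]
```

Note that the fifth failure from 203.0.113.7 triggers the block and the correct login six seconds later is still refused, which is the intended trade-off of a lockout rule; the second source, with a single failure, is never affected.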
To conclude
While Veracity Trust Network’s Web Threat Protection can certainly help protect your online presence via your website from some forms of Credential Stuffing attacks, it is not a failsafe.
Credential stuffing isn't a "single vector" type of attack; there are multiple vulnerabilities through which malicious bots could attack your system if you have not secured against them. Make sure you have a complete solution in place for protecting your applications.
Veracity Trust Network protects your business
Founded in 2016, Veracity was formed with one intention: to fight the rise of malicious bot activity.
Our technology began life as a tool to intelligently detect click fraud and save money for businesses using online advertising. Once it became clear that our AI-powered detection engine could do even more, and protect people from legitimately dangerous bot attacks and compromised data, we developed Veracity Web Threat Protection.
Elegantly designed to mitigate everything from data theft attempts to advertising click fraud, our engine solves problems for multiple business functions. From security to finance, marketing to data analysis, customer experience and reputation management.
It is award-winning technology* applicable to any business operating a website and works to block a wide range of bot attacks, preserving website performance, while optimising infrastructure costs and security resources.
Start protecting your website and ad spend from bot attacks by booking a call now:
https://veracitytrustnetwork.com/talk-to-us
*Winner ‘Tech Innovation of the Year 2023’, Leeds Digital Festival Awards, Highly Commended ‘Best Use of AI 2023’, Prolific North Tech Awards, Shortlisted ‘Cyber Security Company of the Year 2023’, UK Business Tech Awards, Winner ‘Best Innovation 2022’, Best Business Awards, shortlisted ‘Innovation in Cyber 2022’, The National Cyber Awards, Shortlisted ‘Emerging Technology of the Year 2022’, UK IT Industry Awards as well as holding Verified by TAG status.