Protect your business against credential stuffing

According to the 2018 Trustwave Global Security Report, the retail sector is the top cyberattack target. It had the most breach incidents, at nearly 17%, followed by finance and insurance at 13% and the hospitality industry at nearly 12%.

The Superdrug cyberattack

Last week, the health and beauty retailer Superdrug was targeted by cybercriminals. Hackers claimed to hold information on 20,000 Superdrug customers and attempted to secure a ransom payment in exchange for it. The data included customers’ names, addresses, dates of birth and phone numbers.

However, Superdrug said there was no evidence that its internal systems had been compromised. It believed the hackers had obtained customers’ email addresses and passwords by breaching other websites and then used those credentials to access accounts on Superdrug’s own website.

How did the attack happen?

Businesses often assume they are safe if their own data has not been stolen, but that is not true. The Superdrug incident is an example of an attack called credential stuffing. Attackers buy logins and passwords stolen from one website or organisation on the dark web, then gain unauthorised access to user accounts on a different website by replaying those credentials in large-scale automated login requests.

The attacker automates logins for thousands to millions of previously leaked credential pairs using standard web automation tools such as Selenium, curl and PhantomJS, or tools built specifically for this kind of attack, such as Sentry MBA. The stolen logins are tried against many websites until a match is found and access is gained.

Despite years of warnings, many internet users still use the same password for all their online accounts, both personal and work-related. If attackers can get into one website with stolen credentials, there is a good chance those same credentials will work on other websites. Password reuse is what makes credential stuffing attacks so widely successful.

How can you protect your business?

Credential stuffing is a growing attack method and a critical threat to organisations. Businesses have to invest in new technologies to protect themselves. For example:

  • Deploy tools that can accurately detect whether a login attempt comes from a human or a bot, based on signals such as how quickly the credentials are entered or even how a device is held;
  • Detect whether stolen information is being used in a login attempt by checking usernames and passwords against a known list of compromised credentials;
  • Limit the rate of logins to the page per IP address or per session through WAF settings;
  • Employ multi-factor authentication. A popular way to do this is to request a one-time code sent to the user’s phone.

You should also educate and encourage customers to create strong, unique passwords and never to reuse them. This protects not only your customers’ accounts but also your organisation as a whole.
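Two of the controls listed above in code, as an added example that is not from the original post or from Superdrug: a per-IP login-rate check that also counts how many distinct usernames a single IP tries (the stuffing signature, as opposed to brute force against one account), and a check of a submitted password against a list of compromised-password hashes. The log format, IP addresses, accounts and the compromised list are all constructed for the example.

```python
import hashlib
from collections import defaultdict

# Constructed sample log: "<epoch> <client ip> <username> <result>"
AUTH_LOG = """\
1534900000 203.0.113.7 alice@example.com FAIL
1534900001 203.0.113.7 bob@example.com FAIL
1534900002 203.0.113.7 carol@example.com FAIL
1534900003 203.0.113.7 dave@example.com OK
1534900004 203.0.113.7 erin@example.com FAIL
1534900005 203.0.113.7 frank@example.com FAIL
1534900010 198.51.100.2 alice@example.com FAIL
1534900040 198.51.100.2 alice@example.com FAIL
1534900100 198.51.100.2 alice@example.com OK
"""

def parse_log(text):
    """Parse the constructed format into (timestamp, ip, user, result) tuples."""
    return [(int(t), ip, u, r) for t, ip, u, r in
            (line.split() for line in text.splitlines())]

def stuffing_suspects(events, window=60, max_attempts=5, min_users=3):
    """IPs making more than `max_attempts` logins in any `window` seconds,
    spread over at least `min_users` distinct usernames. The distinct-user
    condition separates credential stuffing (one password per account, many
    accounts) from brute force on a single account."""
    by_ip = defaultdict(list)
    for ts, ip, user, _ in events:
        by_ip[ip].append((ts, user))
    suspects = set()
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1          # slide the window forward
            win = attempts[start:end + 1]
            if len(win) > max_attempts and len({u for _, u in win}) >= min_users:
                suspects.add(ip)
    return suspects

# Constructed compromised-password list, kept as SHA-1 digests so the plaintexts
# never live in the application; breach corpora are commonly distributed this way.
COMPROMISED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
                    for p in ("password", "123456", "qwerty")}

def is_compromised(password):
    """True if the submitted password appears in the compromised list."""
    return hashlib.sha1(password.encode()).hexdigest().upper() in COMPROMISED_SHA1
```

In the sample, 203.0.113.7 is flagged because it tries six different accounts in five seconds, while 198.51.100.2 (one account, three slow attempts) is not; the same check fits a registration or password-change form to reject known-breached passwords before they are reused.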

According to research by specialist security website Cybersecurity Ventures, cybercrime will cost the world $6 trillion annually by 2021, and will be more profitable for the criminals than the global trade of all major illegal drugs combined. And with 6 billion internet users predicted by 2022, and more than 7.5 billion by 2030, there are a whole lot more potential perpetrators and victims to come.

So, beyond credential stuffing, what types of threats are companies facing, and what should you be looking out for?

To learn more about cybersecurity and how to protect your business from attacks, please click here to download our latest Cybersecurity eBook “Protect Businesses from Cybercrime and Data Breaches” or contact Team64.

It’s time to collaborate – join the revolution with Team64