Credential stuffing attacks are extremely easy to carry out and offer a massive return on investment, according to a new report by researchers at Recorded Future. These attacks utilize account-checking software to test millions of credentials leaked in data breaches against thousands of different online services. The researchers estimate that an investment of $550 can net an attacker nearly $20,000 in gross profits.
Over the past several years, credential stuffing has exploded in popularity. The efficiency of the attacks drew the attention of more sophisticated actors, who developed tools that support custom configuration files targeting individual sites. These configuration files, or plugins, can be purchased, obtained for free, or developed by users themselves. Recorded Future says this development “essentially offered hackers the capability to target almost any company with an online retail presence.”
These tools are also cheap. Most sell for under $50, and several are free of charge. The profitability and success rate resulting from the widespread, automated nature of these attacks is hard to overstate.
“Although the competition quickly brought the average price of a single compromised account from over $10 down to a mere $1 to $2, the overall profitability of credential stuffing attacks increased significantly through sheer volume,” the researchers write.
Given the number of online services on which the average employee reuses passwords, combined with the massive amount of breached credentials available online, the researchers say that it’s “safe to assume that almost every large organization with an online retail presence has had their users exposed to credential stuffing attacks in the past few years.”
To defend against this threat, Recorded Future recommends that users implement multi-factor authentication and use a password manager to generate unique passwords for each of their accounts. New-school security awareness training can equip your employees with the knowledge necessary to defend themselves against these attacks in their professional and personal lives. Recorded Future has the story: https://www.recordedfuture.com/credential-stuffing-attacks/
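As an added example (not from the Recorded Future report or this post), the following Python script shows what the attack described above looks like from the defender's side: one source trying many distinct usernames in a short window with a very low success rate. The log format, sample lines and thresholds are constructed assumptions.

```python
"""Flag credential-stuffing patterns in authentication logs.

Signature: a single source tries many *distinct* accounts within a short
window and almost all attempts fail (a real user retries one account).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; assumed format: "<iso-timestamp> <ip> <user> <OK|FAIL>"
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.7 alice FAIL
2024-03-01T10:00:02 203.0.113.7 bob FAIL
2024-03-01T10:00:02 203.0.113.7 carol FAIL
2024-03-01T10:00:03 203.0.113.7 dave OK
2024-03-01T10:00:04 203.0.113.7 erin FAIL
2024-03-01T10:00:05 203.0.113.7 frank FAIL
2024-03-01T10:00:06 203.0.113.7 grace FAIL
2024-03-01T10:00:07 203.0.113.7 heidi FAIL
2024-03-01T10:00:10 198.51.100.4 alice FAIL
2024-03-01T10:00:20 198.51.100.4 alice FAIL
2024-03-01T10:00:31 198.51.100.4 alice OK
2024-03-01T10:05:00 192.0.2.9 ivan OK
"""


def parse(line):
    """Split one log line into (timestamp, ip, user, success)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5,
                    max_success_rate=0.2):
    """Return {ip: (distinct_users, attempts, success_rate)} for sources that
    hit at least `min_users` different accounts inside `window` with a
    success rate at or below `max_success_rate` (thresholds are assumptions)."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))  # stays time-ordered per ip
    flagged = {}
    for ip, evs in by_ip.items():
        for i, (start, _, _) in enumerate(evs):  # sliding window from each event
            users, attempts, successes = set(), 0, 0
            for ts, user, ok in evs[i:]:
                if ts - start > window:
                    break
                users.add(user)
                attempts += 1
                successes += ok
            rate = successes / attempts
            if len(users) >= min_users and rate <= max_success_rate:
                flagged[ip] = (len(users), attempts, rate)
                break
    return flagged


if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

Per-source thresholds like these catch the noisy case; a stuffing run spread across many proxies needs the same counting per target account or per device fingerprint instead.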
Stop, Look, and Think. Don’t be fooled.
Concerned that your business might be a sitting duck for a cyber attack?
Click here to schedule a Free IT Security Assessment.
SCA uses KnowBe4 to train and empower your employees to understand the red flags for a cyber attack.