Microsoft Office 365 remains an attractive target for cybercriminals because it continues to be used by businesses worldwide. The growing availability of automation and AI tooling has lowered the bar for running credential stuffing campaigns at scale. In 2019, Microsoft revealed that more than 1.5 million malicious and spam emails had been sent from thousands of compromised Office 365 customer accounts.
In December 2022, Norton users were put on high alert after a credential stuffing attack. Norton's own systems were not breached; instead, attackers replayed username and password pairs leaked from other services against Norton accounts. A suspicious surge in login attempts against Norton Password Manager users led the company to lock down approximately 925,000 accounts as a precaution. The subsequent investigation found that the attackers had successfully accessed "thousands of accounts," jeopardizing the personal information of those users. So, what do we need to prepare for in 2023 to protect our accounts from this type of cybercrime?
The mechanics of credential stuffing attacks
Credential stuffing attacks account for 34% of all login attempts, with malicious actors striving to hijack user accounts. But how does this process work, and what measures can counter these campaigns?
Credential stuffing is a prevalent attack in which threat actors use automated tooling to rapidly test stolen username and password pairs against many online services. The process involves:
1. Purchasing or downloading a list of usernames and passwords (a "combolist") from the dark web, usually assembled from earlier data breaches.
2. Setting up automated bots to attempt logins with those pairs on the target site, often spreading the attempts across many proxy IP addresses to evade rate limits and detection.
3. Taking over any account where a pair matches, then stealing personal information such as credit card numbers or social security numbers.
4. Replaying the successful pairs against other services. Since 65% of people reuse the same password across multiple accounts, one working pair often unlocks several accounts.
Credential stuffing vs. brute force attacks
Credential stuffing and brute force attacks are distinct methods. In credential stuffing, attackers replay real username and password pairs leaked from other services. In a brute force attack, attackers have no leaked pair for the target and instead guess, either exhaustively or from dictionaries of commonly used passwords and passphrases.
Credential stuffing actors know they hold genuine credentials and merely need to find a service where the same pair is reused. Brute force attackers lack that context, so their success depends on weak, easy-to-guess passwords and on the service tolerating many attempts. Because password reuse is so common, credential stuffing is a numbers game that automation makes highly profitable: even a small fraction of hits across millions of pairs pays off.
The impact of credential stuffing
Victims of credential stuffing attacks face sensitive data theft, financial loss, reputational damage, and potential identity theft. The consequences of such attacks include:
1. Compromised accounts: Threat actors could install spyware, steal or destroy data, or impersonate the account holder to send spam or launch phishing attacks on other targets.
2. Data leaks: Attackers often aim to breach financial institutions or high-value government targets, selling the stolen data on illicit online marketplaces to identity thieves and politically motivated gangs.
3. Account lockouts: Excessive failed login attempts could trigger your account’s security system to lock you out, potentially disrupting your business or limiting access to crucial accounts like email or banking.
4. Ransomware demands: Ransomware operators, and occasionally state-aligned groups, use compromised accounts as an initial foothold into a large enterprise or critical infrastructure facility and then demand a ransom payment.
5. Increased cybersecurity risks: Stolen user credentials can be used for future attacks, putting victims and any closely related parties at greater risk following the initial breach.
6. Negative impact on business reputation: A company's breach can significantly undermine consumer trust. When thousands or millions of users perceive a threat to their private data, it can cost a company on the stock market. The average cost of a data breach in 2022 was $4.35 million.
Recent examples of credential stuffing
- Major Outdoor Apparel Company, July 2022: Cybercriminals used credential stuffing to target this outdoor recreation apparel company, compromising almost 200,000 customer accounts and exposing details such as names, phone numbers, gender, purchase history, billing addresses, and loyalty points.
- Large Payment Processing Company, December 2022: This attack impacted nearly 35,000 user accounts, exposing names, social security numbers, and tax identification numbers, although no unauthorized transactions were reported.
- Prominent Fast Food Chain, January 2023: The fast-food chain confirmed a breach that accessed over 71,000 customer accounts. Threat actors conducted a credential stuffing attack for several months, gaining access to customers' reward balances, potentially physical addresses, and the last four digits of customer credit cards.
Countermeasures against credential stuffing attacks
The financial sector has seen a significant increase in credential stuffing attacks, with a 45% year-on-year growth reported in 2022. As businesses expand and attract a larger user base, they become increasingly attractive targets for cybercriminals. To combat this escalating threat, security teams can implement several countermeasures.
Implementing multi-factor authentication (MFA) adds a check that a stolen password alone cannot pass, making it far harder for threat actors to turn a matching pair into account access. Password managers help too: they make a unique password per site practical, which is exactly what defeats the replay at the heart of credential stuffing. Despite the recent breaches experienced by some popular password managers, these tools remain a cornerstone of modern digital security and should be used.
Promoting better password practices is crucial. Security teams should take a proactive stance in eliminating password reuse, discouraging the sharing of MFA codes, and advising against writing login information on paper. These measures directly reduce the chance that a credential leaked elsewhere will work against your accounts.
MFA raises the bar but is not absolute. Security researchers from Microsoft have uncovered a large-scale phishing campaign that places an adversary-in-the-middle HTTPS proxy between the victim and the real Office 365 login page, capturing the session cookie once MFA has completed. The attack therefore bypasses MFA and has targeted over 10,000 organizations since September 2021.
Consistent monitoring of login attempts helps identify and stop these campaigns. A sudden spike in failed logins, or a single source trying many different usernames once each, is the signature of credential stuffing; once detected, the security team can block or throttle the associated IP addresses and alert the legitimate owners of any accounts that were accessed.
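The distinction drawn above between credential stuffing (one leaked pair per username, sprayed across many accounts) and brute force (many guesses against one account), and the monitoring just described, can be turned into a detection over authentication logs. The following is an added example, not code from the original article: it reads a constructed JSON-lines log, aggregates attempts per source IP in fixed windows, and labels each noisy source. The log format, window size and thresholds are assumptions; real identity-provider logs carry the same fields under other names.

```python
"""Distinguish credential stuffing from brute force in authentication logs.

Added example, not from the original article. The JSON-lines log format
and the thresholds are assumptions; real identity-provider logs carry the
same fields (timestamp, source IP, target user, outcome) under other names.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

WINDOW_SECONDS = 300       # assumed: aggregate per source IP in 5-minute windows
MIN_ATTEMPTS = 5           # assumed: ignore sources below this volume
MIN_FAILURE_RATIO = 0.8    # assumed: genuine users rarely fail 80% of the time
SPRAY_RATIO = 0.8          # assumed: mostly one try per username => stuffing

# Constructed sample log: a stuffing source that lands one hit, a brute-force
# source hammering a single account, and a user who mistyped once.
SAMPLE_LOG = """\
{"ts": "2023-01-10T08:00:01Z", "ip": "203.0.113.7", "user": "alice@example.com", "ok": false}
{"ts": "2023-01-10T08:00:02Z", "ip": "203.0.113.7", "user": "bob@example.com", "ok": false}
{"ts": "2023-01-10T08:00:02Z", "ip": "203.0.113.7", "user": "carol@example.com", "ok": false}
{"ts": "2023-01-10T08:00:03Z", "ip": "203.0.113.7", "user": "dave@example.com", "ok": true}
{"ts": "2023-01-10T08:00:03Z", "ip": "203.0.113.7", "user": "erin@example.com", "ok": false}
{"ts": "2023-01-10T08:00:04Z", "ip": "203.0.113.7", "user": "frank@example.com", "ok": false}
{"ts": "2023-01-10T08:01:10Z", "ip": "198.51.100.9", "user": "bob@example.com", "ok": false}
{"ts": "2023-01-10T08:01:11Z", "ip": "198.51.100.9", "user": "bob@example.com", "ok": false}
{"ts": "2023-01-10T08:01:12Z", "ip": "198.51.100.9", "user": "bob@example.com", "ok": false}
{"ts": "2023-01-10T08:01:13Z", "ip": "198.51.100.9", "user": "bob@example.com", "ok": false}
{"ts": "2023-01-10T08:01:14Z", "ip": "198.51.100.9", "user": "bob@example.com", "ok": false}
{"ts": "2023-01-10T08:01:15Z", "ip": "198.51.100.9", "user": "bob@example.com", "ok": false}
{"ts": "2023-01-10T08:02:00Z", "ip": "192.0.2.55", "user": "alice@example.com", "ok": false}
{"ts": "2023-01-10T08:02:05Z", "ip": "192.0.2.55", "user": "alice@example.com", "ok": true}
"""


def parse_events(text):
    """Yield (timestamp, ip, user, success) tuples from JSON-lines text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, rec["ip"], rec["user"].lower(), bool(rec["ok"])


def window_start(ts):
    """Floor a timestamp to the start of its fixed window (epoch seconds)."""
    epoch = int(ts.timestamp())
    return epoch - epoch % WINDOW_SECONDS


def classify(events):
    """Return one finding per (source IP, window) that looks automated."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        buckets[(ip, window_start(ts))].append((user, ok))

    findings = []
    for (ip, start), tries in sorted(buckets.items()):
        attempts = len(tries)
        failures = sum(1 for _, ok in tries if not ok)
        if attempts < MIN_ATTEMPTS or failures / attempts < MIN_FAILURE_RATIO:
            continue
        per_user = defaultdict(int)
        for user, _ in tries:
            per_user[user] += 1
        distinct = len(per_user)
        # Stuffing sprays one leaked pair per username; brute force piles
        # many guesses onto a single username.
        if distinct / attempts >= SPRAY_RATIO:
            verdict = "credential_stuffing"
        elif max(per_user.values()) >= MIN_ATTEMPTS:
            verdict = "brute_force"
        else:
            verdict = "suspicious"
        findings.append({
            "ip": ip,
            "window_start": start,
            "verdict": verdict,
            "attempts": attempts,
            "failures": failures,
            "distinct_users": distinct,
            # Accounts this source actually got into: these need a reset.
            "compromised": sorted(user for user, ok in tries if ok),
        })
    return findings


if __name__ == "__main__":
    for finding in classify(parse_events(SAMPLE_LOG)):
        print(finding)
```

Two caveats a practitioner should keep in mind: fixed windows miss a burst that straddles a window boundary (a sliding window or a streaming counter fixes that), and, because stuffing bots rotate through proxy IPs as described earlier, the same aggregation should also be run on coarser keys such as the source ASN or a device fingerprint, where one source shows up as a hundred addresses.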
Another effective defensive mechanism is rate limiting. Capping how many login attempts a source may make in a given period stalls automated attacks without locking legitimate users out entirely.
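A login rate limiter has to answer two different abuses: one bot spraying many usernames from a single address, and many rotating addresses piling onto a single account. The following is an added example, not code from the original article, showing a token-bucket throttle keyed on both the source IP and the target account. Capacities and refill rates are assumptions chosen for illustration.

```python
"""Login throttling with token buckets keyed by source IP and by target account.

Added example, not from the original article. Capacities and refill rates
are assumptions for illustration; tune them to your own traffic.
"""
import time
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: `capacity` burst, `rate` tokens refilled per second."""

    def __init__(self, capacity, rate):
        self.capacity = capacity
        self.rate = rate
        self.tokens = float(capacity)
        self.updated = None

    def _refill(self, now):
        if self.updated is not None:
            elapsed = max(0.0, now - self.updated)   # guard against clock going backwards
            self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.updated = now

    def available(self, now):
        self._refill(now)
        return self.tokens >= 1.0

    def consume(self):
        self.tokens -= 1.0


class LoginThrottle:
    """Rate-limit login attempts on two keys at once.

    The per-IP bucket stops one bot from spraying many usernames; the
    per-account bucket stops many rotating IPs from piling onto one username.
    Tokens are consumed only when both buckets allow the attempt, so a
    throttled bot cannot drain a victim's per-account budget and lock the
    real owner out (the account-lockout problem noted earlier).
    """

    def __init__(self, per_ip=(10, 10 / 60), per_user=(5, 1 / 180)):
        self.ip_buckets = defaultdict(lambda: TokenBucket(*per_ip))
        self.user_buckets = defaultdict(lambda: TokenBucket(*per_user))

    def allow(self, ip, user, now=None):
        """Return 'allow', 'throttle_ip' or 'throttle_user' for one attempt."""
        now = time.monotonic() if now is None else now
        ip_bucket = self.ip_buckets[ip]
        user_bucket = self.user_buckets[user.lower()]
        if not ip_bucket.available(now):
            return "throttle_ip"
        if not user_bucket.available(now):
            return "throttle_user"
        ip_bucket.consume()
        user_bucket.consume()
        return "allow"


def simulate(throttle, attempts):
    """Run (ip, user, now) attempts through the throttle and count outcomes."""
    counts = defaultdict(int)
    for ip, user, now in attempts:
        counts[throttle.allow(ip, user, now)] += 1
    return dict(counts)


if __name__ == "__main__":
    # Constructed scenario 1: one bot sprays 30 leaked pairs from one IP in a burst.
    spray = [("203.0.113.7", f"user{i}@example.com", 0.0) for i in range(30)]
    print("spray:", simulate(LoginThrottle(), spray))
    # Constructed scenario 2: 20 rotating IPs target a single account.
    throttle = LoginThrottle()
    pile_on = [(f"198.51.100.{i}", "victim@example.com", 0.0) for i in range(20)]
    print("pile-on:", simulate(throttle, pile_on))
    # The real owner, some minutes later, gets in once the bucket has refilled.
    print("owner later:", throttle.allow("192.0.2.1", "victim@example.com", now=1000.0))
```

The per-account bucket is deliberately a throttle, not a hard lockout: it slows the attacker to the refill rate and recovers on its own, so a bot cannot weaponize the limit to deny the legitimate owner access. In production the "throttle_user" path is usually paired with a CAPTCHA or step-up challenge rather than a flat refusal.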
Monitoring the dark web can keep security teams one step ahead of emerging threats. By watching for collections of usernames and passwords that include your own users, exposed credentials can be reset before they are replayed against you.
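When a leaked combolist does turn up, the useful question is not just "are our users in it" but "does the leaked password still open the account here". The following is an added example, not code from the original article: it checks a constructed email:password dump against a constructed user directory of salted PBKDF2 hashes and sorts the matches into accounts that need an immediate forced reset versus users who merely need a reuse warning. The dump, directory and hash parameters are all constructed for illustration.

```python
"""Triage a leaked username:password list against your own user directory.

Added example, not from the original article. The combolist, user directory
and PBKDF2 parameters are constructed for illustration; a production
directory would use a tuned slow hash such as Argon2 or bcrypt.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 cost, kept low only so the demo runs quickly


def hash_password(password, salt=None):
    """Return (salt, derived_key) for a newly set password."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(password, salt, derived_key):
    """Constant-time comparison of a candidate password against a stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, derived_key)


# Constructed user directory: email -> (salt, derived_key).
USERS = {
    "alice@example.com": hash_password("Summer2022!"),
    "bob@example.com": hash_password("correct horse battery staple"),
    "carol@example.com": hash_password("hunter2"),
}

# Constructed dump in the common "email:password" combolist layout.
COMBOLIST = """\
Alice@Example.com:Summer2022!
bob@example.com:bob1234
dan@other.org:letmein
carol@example.com:hunter2
carol@example.com:oldpassword
"""


def triage_combolist(combolist, users):
    """Split leaked entries by how much damage they can do right now.

    force_reset: the leaked password still opens the account here; reset it
                 and revoke active sessions immediately.
    notify:      our user appears in the dump but with a password that does
                 not match here; warn them about reuse on other services.
    """
    force_reset, notify = set(), set()
    for line in combolist.splitlines():
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        email = email.strip().lower()          # dumps mix case freely
        if email not in users:
            continue
        salt, derived_key = users[email]
        if verify_password(password, salt, derived_key):
            force_reset.add(email)
        else:
            notify.add(email)
    # An account that needs a reset should not also sit in the softer list.
    notify -= force_reset
    return {"force_reset": sorted(force_reset), "notify": sorted(notify)}


if __name__ == "__main__":
    print(triage_combolist(COMBOLIST, USERS))
```

Because the stored hashes are salted, this check has to be done one entry at a time against your own directory; the dump itself should be treated as sensitive input, processed on a locked-down host, and never copied into a ticketing system or log in plaintext.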
Security teams have a responsibility to protect and educate users. Malicious actors can build an army of automated bots that run thousands or millions of fraudulent login requests a day. Users should be encouraged to adopt good password practices and reliable password managers, but the primary responsibility for data protection lies with website security teams and app providers. A multi-faceted approach combining robust access control, threat monitoring, and rate-limiting safeguards disrupts the attack cycle and keeps threat actors at bay. Ultimately, the most durable defense is built on education and a culture of security.
For Office 365 specifically, Microsoft recommends that organizations set up policies to monitor inbox rules that could serve suspicious purposes, and to trigger alerts on unusual volumes of mail-access events from untrusted IP addresses or devices.
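Inbox rules are worth the attention because an attacker who gains a mailbox typically adds a rule that hides password-reset and security notices from the owner and forwards interesting mail outside the tenant. The following is an added example, not code from the original article and not Microsoft's own policy logic: it scores constructed inbox-rule records against a handful of well-known indicators. The record shape is loosely modelled on the fields Exchange Online exposes for inbox rules, and the keyword and folder lists are assumptions to tune for your tenant.

```python
"""Flag inbox rules with the hallmarks of post-compromise mailbox abuse.

Added example, not from the original article and not Microsoft's own policy
logic. The rule records are constructed and loosely shaped after the fields
Exchange Online exposes for inbox rules (forwarding targets, delete/move
actions, subject filters); the scoring heuristics are assumptions.
"""

INTERNAL_DOMAINS = {"example.com"}          # assumed: your own tenant domains
SECURITY_KEYWORDS = {"password", "mfa", "sign-in", "security", "hacked", "suspicious"}
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "archive"}

# Constructed sample: a legitimate billing rule, a rule an attacker would add to
# hide security notices and exfiltrate mail, and an ordinary newsletter filter.
RULES = [
    {"mailbox": "alice@example.com", "name": "Invoices to billing", "enabled": True,
     "forward_to": ["billing@example.com"], "delete": False, "move_to": None,
     "subject_contains": ["invoice"]},
    {"mailbox": "bob@example.com", "name": ".", "enabled": True,
     "forward_to": ["collector@attacker.example"], "delete": True,
     "move_to": "RSS Subscriptions",
     "subject_contains": ["password", "MFA", "suspicious sign-in"]},
    {"mailbox": "carol@example.com", "name": "Newsletters", "enabled": True,
     "forward_to": [], "delete": False, "move_to": "Newsletters",
     "subject_contains": ["digest"]},
]


def rule_indicators(rule):
    """Return the list of suspicious traits a single rule exhibits."""
    reasons = []
    external = [addr for addr in rule.get("forward_to", [])
                if addr.split("@")[-1].lower() not in INTERNAL_DOMAINS]
    if external:
        reasons.append(f"forwards to external address {external}")
    if rule.get("delete"):
        reasons.append("deletes messages")
    if (rule.get("move_to") or "").lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder {rule['move_to']!r}")
    subjects = " ".join(rule.get("subject_contains", [])).lower()
    if any(keyword in subjects for keyword in SECURITY_KEYWORDS):
        reasons.append("filters on security or account-recovery keywords")
    if len(rule.get("name", "").strip()) <= 2:
        reasons.append("rule name is empty or a single character")
    return reasons


def suspicious_rules(rules, min_indicators=2):
    """Report enabled rules that show at least `min_indicators` traits."""
    report = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        reasons = rule_indicators(rule)
        if len(reasons) >= min_indicators:
            report.append({"mailbox": rule["mailbox"], "name": rule["name"],
                           "reasons": reasons})
    return report


if __name__ == "__main__":
    for hit in suspicious_rules(RULES):
        print(hit["mailbox"], repr(hit["name"]), *hit["reasons"], sep="\n  ")
```

Requiring two indicators keeps a lone external forward (common for contractors) or a lone "archive" move from paging anyone, while the combination an attacker actually needs, hiding security mail and forwarding it out, trips every check at once.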