As fraudsters seek easier marks, credential stuffing tactics rise
Not unlike consumers finding it convenient to make a one-click payment online, fraudsters want less friction as they steal payment or personal credentials.
"They want to click a button and get in," said Gade Bassett, a contributing author of Verizon's annual Data Breach Investigations Report and a senior information security data scientist at Verizon. "They don't want to spend a lot of time developing exploits or taking on multiple complex security layers."
This year's Verizon report indicates fraudsters are now zeroing in on C-level executives, or those who have access to the networks and databases that store credentials, and taking advantage of integration errors that cause vulnerabilities in cloud-based networks.
Verizon analyzed 41,686 security incidents in compiling the report, with 2,013 of those being confirmed breaches in 86 countries.
Senior executives are 12 times more likely to be the target of social channel incidents and nine times more likely to be the target of such breaches than in previous years, the report concluded. Increasingly, social engineering attacks on business e-mails resulted in compromises in 370 incidents, and 248 confirmed breaches, according to the Verizon report.
Fraudsters perform massive "credential stuffing" efforts in which log-in and password pairs are tried through botnets on every system reachable on the internet.
"They try them against banks, retailers, service providers, payments or corporate e-mail servers," Bassett said. "Most of the technology paths are short paths, and when you look at the first thing that happened in a hack, it is the use of stolen credentials or a human mistake."
The use of stolen credentials to infiltrate Web applications is on the rise, as 60% of the time, a compromised web application vector was the front end to cloud-based e-mail servers, the report noted. More than 40% of the investigated breaches pointed to a Web app attack as the hackers' pattern of choice.
"Credential-based attacks jumped quite a bit from 2017 to 2018 (from 12% to 38% in financial breaches)," said Julie Conroy, research director and fraud expert with Boston-based Aite Group. "This is consistent with the conversations I am having across the industry, in which credential stuffing comes up time and time again as a major source of pain."
Encouragingly, breaches involving payment card data dropped to 14% in 2018, from 33% in 2017. Verizon cites the ongoing implementation of EMV chip cards, and its use in more POS and ATM settings, as a reason for that decline.
"Even if EMV is not perfect, by making the transmitted information a single transaction [credential] instead of a credit card number that could be used elsewhere, we have reduced the potential of what we call zero-cost margin attacks against credit cards," Bassett said.
A zero-cost margin attack could occur after a hacker compromises a payment processor or retailer and obtains thousands to millions of credit card account details. Some of those credentials can help grant access to other organizations that also hold card databases, and it costs the hacker next to nothing to exploit this data.
"Now, the hacker generally has to attack cards individually and they can't just get them all at once," Bassett added. "That causes the attacker to switch from that process and seek an easier path."
Thus, fraudsters are moving away from physical payment terminals and finding far more success in sending phishing e-mails to senior executives. Such tactics can reap large dividends because those executives have approval authority that is rarely challenged, as well as privileged access to critical systems, the report said.
Hackers are getting into far more cloud-based e-mail accounts through stolen credentials. That access, combined with misconfiguration errors in publishing in the cloud, led to the exposure of at least 60 million records, the Verizon investigations found.
"A lot of cloud-based stuff is simple error," Bassett said. "We've known for a long time that when companies expose online cloud storage to the regular internet, those are just mistakes in integration."
Most often, it remains just that — people making mistakes. "Those with access are not doing evil things or anything like that, but it is still good to consider and check a company's procedures, and double-checking the cloud storage," Bassett added.
Sensitive data in the cloud should be available only to those who need it, not as part of a public storage process, Bassett said.
"Sometimes a company will store its database without realizing it is too easy to access," he added. "Doublechecking is important, and it's just a good way to avoid an expensive data breach."
Increased diligence could do much to alleviate another ongoing problem the 2019 report cited — that 56% of the breaches took months or longer to discover.
"We just don't seem to be making a lot of progress on that front," Aite's Conroy said.