In the 2019 Application Protection report, F5 Labs found a majority (51.8%) of breaches in 2019 were caused by access control attacks. The breaches resulted from stolen login credentials obtained by phishing and brute force. Stolen credentials, obtained from other sources, were also prominently used as part of credential stuffing attacks.
Today, the problem is accentuated by a massive proliferation of unwanted bots. Many can now even evade antibot controls. Here’s what you need to know (and do).
Attackers often employ automation, using bots to launch and orchestrate credential stuffing campaigns. Notable point-and-click credential attack tools include Sentry MBA, OpenBullet, BlackBullet, Snipr, STORM, and Private Keeper. Attackers also leverage basic open source operational tools like Wget, Selenium, PhantomJS, and cURL to simulate a browser running scripted web login sessions.
To perform a credential stuffing attack, the tool needs a stolen credential list to run against the targeted web login. These credential lists are simply a file of usernames (usually email addresses) and passwords. If the attacker hasn’t already obtained a batch of them through phishing, they can easily turn to the dark web. The lists can be loaded right into the attack tools.
Many sites have only a basic web application firewall (WAF), or nothing at all. Some WAFs do not detect or defend against credential stuffing attacks. In general, WAFs are designed to block application attacks, malformed requests, and web exploits. A credential stuffing attack looks like a legitimate web login. There will be many of them at once, and many with incorrect passwords, so the pattern can look suspicious. This assumes that the defender is watching their failed login attempts and noting surges. The reality is that credential stuffing is often mistaken for a denial-of-service attack. The login pages become overwhelmed with failed logins, and either the site crashes or customers can’t get in. There have been cases of backend infrastructure failing under the heavy load of authentication requests.
Once an attack is identified, it is time to stem the tide. Some basic defensive measures include inspecting and blocking the web session, which some WAFs can do. If the attack tool or bot uses plain web login requests, then the user agent (used by a web browser to advertise and identify itself to a web server) may be identified as irregular and blocked.
Another basic defense is using IP address denylists to block the known bad IP addresses. The denylist is often based on simple geographic origins, IP addresses from earlier attacks, or canned third-party reputation lists of known attackers. Another tool is rate limiting of login attempts, which unfortunately applies to both attackers and customers. This makes it hard to find the right balance.
The next step beyond this is to add a CAPTCHA test to the login process. The downside is that CAPTCHAs can annoy customers and can also be a barrier for people with disabilities.
The cybercrime community already knows how to work around these simple defenses. Most of the time, the real work for attackers is configuring and adapting their readily available tools for the specific victim’s website and modifying the scripts.
Attackers rarely use a stable, known set of bots. Once those bots are reputation-filtered, they have plenty of other victimized computers and IoT devices for launching attacks. Bots often run on consumer Internet connections, which use dynamic IP addressing that continually changes addresses. Blocking based on geographic origin is also ineffective, as attackers use bots from around the world. Most credential stuffing attack tools have configuration options to load and use new lists of proxies.
As rate limiting is also often based on the originating IP address, this defensive tool is neutered by bot IP address hopping. Furthermore, attackers can configure their bots to stagger attacks and spread out between addresses. This means bots can come in at different times, from a multitude of places, to slip around rate limiters and IP address blockers.
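The failed-login surge described earlier, and the reason per-IP rate limiting misses it, can be seen by analysing a login window by account and user agent rather than by source address. This is an added example, not code from the original article; the log lines and field names are constructed sample data.

```python
# Added example (not from the original article): flags a credential stuffing
# pattern in a window of login log lines without relying on per-IP counts,
# which IP hopping defeats. All log lines here are constructed sample data.
from collections import Counter

# Constructed: eight failed logins, each a different account from a different
# IP with one attempt apiece, plus normal customer traffic (bob, carol).
STUFFING_LOG = """\
ip=203.0.113.1 user=u1@example.com result=FAIL ua=python-requests/2.31
ip=203.0.113.2 user=u2@example.com result=FAIL ua=python-requests/2.31
ip=203.0.113.3 user=u3@example.com result=FAIL ua=python-requests/2.31
ip=203.0.113.4 user=u4@example.com result=FAIL ua=python-requests/2.31
ip=203.0.113.5 user=u5@example.com result=FAIL ua=python-requests/2.31
ip=203.0.113.6 user=u6@example.com result=FAIL ua=python-requests/2.31
ip=203.0.113.7 user=u7@example.com result=FAIL ua=python-requests/2.31
ip=203.0.113.8 user=u8@example.com result=FAIL ua=python-requests/2.31
ip=198.51.100.9 user=bob@example.com result=OK ua=Mozilla/5.0
ip=198.51.100.10 user=carol@example.com result=FAIL ua=Mozilla/5.0
ip=198.51.100.10 user=carol@example.com result=OK ua=Mozilla/5.0
"""

# Constructed: one account hammered from one IP, which a per-IP limiter catches.
BRUTE_LOG = "\n".join(
    "ip=203.0.113.99 user=dave@example.com result=FAIL ua=curl/8.0"
    for _ in range(6)) + "\nip=198.51.100.9 user=bob@example.com result=OK ua=Mozilla/5.0\n"

def parse(line):
    """Split 'k=v k=v ...' into a dict; values contain no spaces by construction."""
    return dict(kv.split("=", 1) for kv in line.split())

def analyze(log_text, per_ip_limit=5, min_users=5, max_per_user=2, min_fail_ratio=0.8):
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    fails = [e for e in events if e["result"] == "FAIL"]
    per_ip = Counter(e["ip"] for e in fails)
    per_user = Counter(e["user"] for e in fails)
    uas = Counter(e["ua"] for e in fails)
    fail_ratio = len(fails) / len(events) if events else 0.0
    # Accounts that saw only a couple of failed tries each: the "one password
    # per stolen credential" shape of stuffing, as opposed to brute force.
    low_and_wide = sum(1 for c in per_user.values() if c <= max_per_user)
    top_ua, top_ua_count = uas.most_common(1)[0] if uas else ("", 0)
    report = {
        "fail_ratio": round(fail_ratio, 2),
        "distinct_failed_users": len(per_user),
        "max_fails_per_ip": max(per_ip.values(), default=0),
        "top_ua": top_ua,
        "top_ua_share": round(top_ua_count / len(fails), 2) if fails else 0.0,
    }
    report["per_ip_limit_triggered"] = report["max_fails_per_ip"] >= per_ip_limit
    # Stuffing verdict: high failure rate spread thinly over many accounts,
    # regardless of whether any single IP crossed the rate limit.
    report["credential_stuffing"] = fail_ratio >= min_fail_ratio and low_and_wide >= min_users
    return report
```

The stuffing window trips the verdict while no IP ever reaches the per-IP limit; the brute-force window is the reverse, which is the distinction a per-IP limiter alone cannot draw.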
Many credential stuffing bot tools can imitate a real browser. A simple fakeout is to forge a user agent. Bots can also spoof the Referer request header, which identifies the URL of the page that linked to the requested webpage. These headers give websites a way to loosely check the legitimacy of a customer’s clickstream. Many of these basic techniques can be enough to imitate a customer’s browser and evade basic WAF blocking rules.
Naturally, attackers have worked out ways around CAPTCHAs. Many attack tools have optional plugins to match and supply answers for thousands of known CAPTCHA puzzles. F5 Labs researchers recently wrote a detailed analysis of the CAPTCHA solver market, including how CAPTCHAs are often a whack-a-mole response rather than a definitive solution to the problem.
Some antibot tools look for scripted mouse movements or keystrokes. These too can be spoofed with a wide variety of tools. For example, BezMouse simulates humanlike mouse movements with Bézier curves to evade antibot defenses.
Ultimately, the best defenses against credential stuffing bot attacks need to be sophisticated. It begins with gathering a combination of factors on the web user. These factors are then scored and weighted using machine learning to weed out bots. Intelligent antibot systems can also spot the predictability of pseudorandom mouse and keyboard actions. In addition, they can interrogate the user’s browser during the web session. This interrogation looks for the characteristics of a real browser on an actual computer (such as the ability to run JavaScript). Even the login and password combinations can be examined in real time to check if they are part of known leaked credential databases.
Bot-driven credential stuffing attacks – especially against weak defenses – can be relentless, and cybercriminals adapt fast. The key is to make it difficult for them, raising the cost and complexity of an onslaught to make attacks as undesirable as possible.