You may have read about the recent attack affecting motoring powerhouse General Motors (GM), which resulted in significant numbers of GM’s customers having their accounts compromised. Wedding planning company Zola was also impacted by a similar attack in the same week of May 2022, with the attackers using the compromised accounts to redeem gift cards. Exactly how did this happen? Well, it turns out that customers’ accounts were impacted by a credential stuffing attack, in which attackers took previously compromised credentials and scanned the wider internet to verify whether those credentials were in use across other services. In our previous blog, we likened credential stuffing to an attacker obtaining a bag full of keys and trying to unlock a series of doors; if you try long enough, you might just find one that fits. Credential stuffing is a simple yet effective attack, which we’ll detail in this blog.
We all love a good flow chart, right? A credential stuffing attack works first by an attacker gaining access to a tranche of credentials—i.e. username and password combinations—which can be input into a credential stuffing tool. These accounts might be your social media accounts, your work portal, or a login to your online bank account. Our recent research report covering the wider topic of account takeover (ATO) covers many of the methods actors use to initially steal accounts, which are mostly obtained through social engineering, malware, or simply by purchasing or renting them from other threat actors. This initial step is represented on the attack lifecycle graph below.
Once an actor has accounts—which often means tens of thousands of accounts at a time—they can kick-start their credential stuffing tool of choice. The example provided in our research report was OpenBullet, which is one of the most commonly used; there are, however, a huge number of alternative credential stuffing tools available to cybercriminals, typically either for free or for as little as $20.
As you’d expect, making repeated login attempts in a very short space of time is likely to set off all kinds of alarm bells on online services, so threat actors are required to use proxy IP addresses to obfuscate the nature of their activity. Proxies essentially allow actors to make multiple login attempts from different IPs, making it more difficult to identify that your service is under attack. Without proxies, a credential stuffing attack would fail pretty quickly. This also applies to password spraying attacks, which involve testing multiple commonly used passwords against a user account, rather than applying a known credential combination that has been identified as in use at another service. While we’re on the topic, credential stuffing should also be thought of as separate from brute-forcing attacks, which rely upon guessing the password for a given username and have no prior context before the attack is conducted. With that in mind, it’s likely that credential stuffing will encounter more success than brute-forcing or password spraying attempts.
As you’d expect, proxies are typically sold for fairly cheap prices on cybercriminal forums. Actors will often be required to use certain proxies for individual services (depending on the security processes of the service being targeted), which is also reflected in the example below.
Another absolutely vital component of a credential stuffing attack is the attacker gathering configs for the target service. Config files contain instructions for automating certain actions, usually for web resources. They include metadata (like a name, an author, and an icon) that acts as a README file showing how to use the config or what it’s for, some settings, and instructions. In essence, a config tells the credential stuffing tool where to direct its usernames and passwords, and how to determine whether it has successfully logged in or not. Session cookies are also often required in order to make the login attempt look as though it does not come from a new device; if purchasing configs from another actor, they’ll usually provide these in the same package.
Once the configs have been established for a targeted service, the threat actor can initiate their attack, firing thousands of username-password combinations at the desired website and reporting any success within seconds. Once there’s a match, the attacker can use the credentials manually, break into accounts to commit online fraud, or sell them on to a third party for profit. Ultimately, with the keys to your account, they can do as they please.
We’re probably starting to sound like a broken record, but as outlined in our recent blogs and research report, credential stuffing—and several other account-based attacks—work because of the inherent risks users are taking with their accounts: using weak and guessable passwords, reusing passwords across multiple services—both corporate and personal—and failing to implement sufficient controls to manage the risk and identify abuse as it occurs.
Keeping credentials in a single, safe place where they can be managed and audited is another area where users are falling short. There’s a really easy and obvious solution to this problem: simply use a password manager. A password manager is a dedicated online service or locally installed piece of software that stores all your passwords. It is typically protected by a strong master password that you need to enter to gain access to all your other credentials. These useful pieces of software can help enforce sufficient password complexity, while also alerting users to any known breach of their username or password. They’re typically either free or available for a small price, and are well worth the cost.
If there’s one thing that I would recommend taking away from this blog, it’s to start using a password manager.
Our last blog on weak credentials and ATO outlined several steps that users and organizations can take to minimize credential risk. These include increasing password complexity, using a password manager, using multi-factor authentication (MFA) wherever possible, and implementing rate limiting for online services.
There are other defenses we could also mention with regard to credential stuffing specifically. IP blocklisting can help remove addresses used by less sophisticated attackers trying to stuff your credentials (who clearly didn’t read our section on the importance of proxies). CAPTCHAs are, let’s be honest, pretty annoying when you log into a service, but they also add a layer of complexity and slow down an attacker conducting automated attacks. To improve usability, it may be desirable to only require the user to solve a CAPTCHA when the login request is considered suspicious.
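A risk-based login gate of the kind the last two paragraphs describe (rate limiting, IP blocklisting, and a CAPTCHA only for suspicious requests), as an added example that is not part of the original post or of any ReliaQuest product. It assumes the application sees the source IP and username before authenticating and can report the outcome afterwards; the `LoginGuard` and `run` names, the thresholds, and the sample events are all constructed here. The site-wide failure-ratio check is the part that matters against the proxy rotation described earlier, since each proxy IP stays under any per-IP limit.

```python
from collections import defaultdict, deque

class LoginGuard:
    """Risk-based login gate: per-IP limits for unproxied attackers, per-account and site-wide checks for proxied ones."""
    def __init__(self, window=60, ip_fail_limit=5, ip_user_limit=3, acct_fail_limit=3,
                 site_fail_ratio=0.5, site_min=10, blocklist=()):
        self.window, self.blocklist = window, set(blocklist)
        self.limits = (ip_fail_limit, ip_user_limit, acct_fail_limit, site_fail_ratio, site_min)
        self.ip_fails = defaultdict(deque)    # ip -> failure timestamps
        self.ip_users = defaultdict(dict)     # ip -> {username: last attempt ts}
        self.acct_fails = defaultdict(deque)  # username -> failure timestamps
        self.site_all, self.site_fails = deque(), deque()  # site-wide attempt / failure timestamps

    def _trim(self, now):  # drop everything older than the sliding window
        cutoff = now - self.window
        for dq in (self.site_all, self.site_fails, *self.ip_fails.values(), *self.acct_fails.values()):
            while dq and dq[0] < cutoff:
                dq.popleft()
        for ip, users in list(self.ip_users.items()):
            self.ip_users[ip] = {u: ts for u, ts in users.items() if ts >= cutoff}

    def evaluate(self, now, ip, user):
        """Decide before authenticating: 'allow', 'captcha' or 'block'."""
        ip_fail_limit, ip_user_limit, acct_fail_limit, ratio, site_min = self.limits
        self._trim(now)
        if ip in self.blocklist or len(self.ip_fails[ip]) >= ip_fail_limit:
            return "block"    # static IP blocklist, or per-IP rate limit tripped
        if len(self.ip_users[ip]) >= ip_user_limit or len(self.acct_fails[user]) >= acct_fail_limit:
            return "captcha"  # one IP cycling through usernames, or one account failing from many IPs
        if len(self.site_all) >= site_min and len(self.site_fails) / len(self.site_all) >= ratio:
            return "captcha"  # site-wide failure spike: proxy-rotated stuffing stays under per-IP limits
        return "allow"

    def record(self, now, ip, user, succeeded):  # outcome of an attempt that reached authentication
        self.ip_users[ip][user] = now
        self.site_all.append(now)
        if not succeeded:
            for dq in (self.ip_fails[ip], self.acct_fails[user], self.site_fails):
                dq.append(now)

def run(events, **kwargs):  # gate each (ts, ip, username, succeeded) event in order
    guard, actions = LoginGuard(**kwargs), []
    for ts, ip, user, ok in events:
        actions.append(guard.evaluate(ts, ip, user))
        if actions[-1] != "block":  # blocked requests never reach authentication
            guard.record(ts, ip, user, ok)
    return actions

# Constructed sample: one unproxied attacker, two real users, then twelve proxy IPs each trying one username.
SAMPLE_EVENTS = ([(t, "198.51.100.7", f"user{t}", False) for t in range(6)]
                 + [(100, "192.0.2.10", "alice", True), (101, "192.0.2.11", "bob", True)]
                 + [(102 + i, f"203.0.113.{i + 1}", f"victim{i}", False) for i in range(12)])
```

Running `run(SAMPLE_EVENTS)` shows the unproxied attacker hitting the CAPTCHA after three usernames and the rate limit after five failures, while the proxied attempts pass every per-IP check and are only challenged once the site-wide failure ratio climbs.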