- 60 percent of users employ one or more passwords across multiple accounts
- Cyber criminals exploit user negligence to steal credentials and attempt logins across various sites
- The increasing prevalence of credential stuffing attacks correlates with an increase in leaked credentials available on the dark web
- Many reports received by the FBI indicate the use of botnet credential stuffing
Credential stuffing attacks accounted for the greatest volume of security incidents against the financial sector, at 41 percent of all incidents in the past three years, according to a private industry notification from the FBI.
“When customers and employees use the same email and password combinations across multiple online accounts, cyber criminals can exploit the opportunity to use stolen credentials to attempt logins across various sites,” the bureau says.
Citing a 2020 survey conducted by a data analytics firm, the FBI notes that nearly 60 percent of respondents reported using one or more passwords across multiple accounts.
“When the attackers successfully compromise accounts, they monetize their access by abusing credit card or loyalty programs, committing identity fraud, or submitting fraudulent transactions such as transfers and bill payments,” according to the notice.
Since 2017, the agency has been receiving an increasing number of reports on credential stuffing attacks against US financial institutions – including banks, financial services providers, insurance companies, and investment firms – collectively detailing nearly 50,000 account compromises.
Unsurprisingly, the rise in credential stuffing attacks correlates with an increase in leaked credentials available on the dark web.
“Affected companies experienced downtime, loss of customers, and reputational damage as well as losses associated with customer notification and system remediation costs,” says the agency, citing a study by a data analytics firm.
Data from another research group indicates that credential stuffing attacks cost an average of $6 million per year, not counting costs associated with fraud.
In a key finding, many of the reports received by the FBI indicated the use of botnet credential stuffing.
“Although most credential stuffing attacks have low success rates, cyber actors’ use of botnets to conduct a massive scale of automated login attempts in a short timeframe enabled them to discover multiple valid credential pairs,” according to the notice.
The FBI recommends the following precautionary measures to mitigate the threat, underscoring that it’s best to apply as many as possible in tandem, not individually:
- Alert customers and employees to this scheme and actively monitor accounts for unauthorized access, modification, and anomalous activities
- Advise customers and employees to use passwords they don’t for any other accounts and to change their passwords regularly
- Direct customers to change their usernames and passwords upon identification of account compromise or fraud
- Validate customer credential pairs against databases of known leaked usernames/passwords
- Modify internet banking login page responses to remove indicators that reveal the validity of credential pairs by issuing the same error message and response time when both username and password are incorrect or only the password is incorrect
- Establish MFA for creating and updating account information, especially for bank, insurance, and trading accounts, as well as for providing initial account access to financial aggregator services
- Use anomaly detection tools that identify an unusual increase in traffic and failed authentication attempts
Bitdefender Network Traffic Security Analytics (NTSA) detects advanced network-based attacks in real-time and triggers autonomous incident response. Using a combination of machine learning and behavior analytics with insights from Bitdefender cloud threat intelligence, NTSA gives IT reps the much-needed threat context to detect any network-borne anomaly, from external malice to insider negligence.