Credential Stuffing in Full Swing During Black Friday & Cyber Monday

As technology gets smarter, so too do cybercriminals. Learn the best ways to protect your customers and your business from credential stuffing.

Nov 25, 2021 - 4 min.

At the turn of the century, as more and more of our lives were moving into the online realm, we were inundated with requests to create online accounts. Maybe you remember services like Friendster and Napster, two of the very first social networking and music streaming sites available. These services may no longer be around, but your login credentials for long-gone services like these are likely floating in the darknet. This would not be a problem in and of itself. However, at the dawn of the digital era, few of us realized the importance of securing the personal data we shared online. So we reused usernames and passwords across services and platforms. And this practice, decades old, has now fueled a lucrative form of cyber attack: credential stuffing.

Unlike other forms of cyber attack, credential stuffing requires little to no knowledge of technology and computing systems. This is what makes it exceptionally dangerous to businesses and customers. Attackers need only purchase a list of usernames and passwords and a toolset (including information like configuration files for online portals and even user support). They can then start harvesting valuable user data.

How exactly does credential stuffing work?

Hit or miss. Credential stuffing is like a game of chance for cybercriminals. And it takes advantage of the weakest link in online security: the password. These types of attacks rely on the (proven) fact that many users do not create unique usernames and passwords for each new online account. As a result, the return on investment is quite high for these cybercriminals since stolen login data for one service often also gives criminals access to multiple other user accounts and even more data.

Using stolen or purchased login credentials (like those mentioned above), criminals rely on a rotating proxy to test hundreds of thousands of credentials across multiple services. Thanks to the ease and speed of automation, they can do this in mere minutes. Not only is it just as easy as it sounds, but many big players have also been successful targets. Many of us even personally experienced the effects of data leaks that compromised our LinkedIn, Yahoo, and Dropbox accounts.

These businesses managed to rebound by investing heavily in image and rebranding campaigns. However, the financial, reputational, and legal repercussions of such extensive data leaks and subsequent data manipulation can potentially cripple businesses with negative press and a loss of customer trust.

How real is the risk?

Many companies may opt to forego added security measures. They cite concerns that added security is not only expensive but also detracts from the user experience. However, these companies fail to assess the cost of not investing in robust security measures. And they place a significant amount of trust and responsibility on their customers' understanding of online security. This is not only a mistake but a potentially costly one.

Carnegie Mellon University's Security and Privacy Institute (CyLab) conducted a study analyzing user behaviour during a data breach. The findings were harrowing. According to the assessment of real-world web traffic, a mere 33 per cent of users actually changed their passwords after being informed of a data breach.[1] And that is only for the platform/account directly affected. The likelihood of these users changing their password for all accounts with the same login credentials is likely even lower.

And what exactly is the return on investment for credential-stuffing attackers? Every year, providers and online shops engage in big discount battles and lure customers with fabulous discount promotions, for example during the Christmas shopping season, on Black Friday or on Cyber Monday. However, this attracts not only customers but also cybercriminals. Without the right security measures, the revenue boost can quickly become a reputational curse. According to one study, 64 per cent of businesses experience additional cybercrime on Cyber Monday.[2] And the City of London Police reported £16.4m in losses in the UK resulting from online shopping fraud during the holidays. On Black Friday and Cyber Monday, with consumers sharing and transmitting payment details in huge numbers, it is like shooting fish in a barrel for cybercriminals.[3] So criminals have a significant amount to gain, which is what makes these types of attacks so attractive. But businesses have even more to lose.

How can you protect your business and your customers?

If the weakest link is the password, then there's a straightforward solution: go passwordless. It might seem counterintuitive to eliminate a unique user security measure. However, technological advances, especially in mobile devices, have led to far more sophisticated approaches to security:

  • Biometrics:
    For a few years now, mobile devices have been able to collect, store, and read biometric features. That means that digital services can base their security measures on customer information stored on customer devices. Instead of having a push notification or a prompt for a password, apps and web portals can simply be unlocked with a fingerprint or face scan.
  • Multi-factor authentication:
    The only thing better than one security measure is two or more. Two-factor (2FA) and multi-factor authentication (MFA) ensure that hackers who get past the first layer of security are ultimately thwarted before gaining unauthorized access to user accounts and data. After an initial login process (perhaps with a password!), customers are prompted to provide an additional form of identification: a biometric feature, a single-use TAN, a hardware token, etc.
  • Behaviour analytics:
    As mentioned, credential stuffing is facilitated by automation. In other words, bots are often responsible for carrying out the attacks. The good news is that anomalies in user behaviour are easily detectable. Information - like keystroke dynamics (how we type), mouse movements, location, and time - collected by user devices and digital services can all be analyzed to determine whether a real user or a bot is carrying out a request.
  • Web application firewalls:
    These firewalls cater specifically to HTTP traffic and act as a filter of sorts between a specific application and the Internet. By implementing a web application firewall, companies can block access to the specific content they deem malicious or risky by creating blocklists and allowlists.
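As an added illustration (not code from the original post), the automation signature described above, many distinct accounts tried in a burst, sources rotated through a proxy pool, and a low success rate, scored from constructed login-audit records. The log format, field names and thresholds are assumptions, and a real deployment would compute the same figures over a sliding time window.

```python
from collections import defaultdict

# Constructed sample login-audit lines (not from the original post), one
# minute of traffic: "<timestamp> <src_ip> <username> <result>".
SAMPLE_LOG = """\
2021-11-26T10:00:01 198.51.100.7 alice OK
2021-11-26T10:00:03 203.0.113.10 bob FAIL
2021-11-26T10:00:04 203.0.113.11 carol FAIL
2021-11-26T10:00:05 203.0.113.12 dave FAIL
2021-11-26T10:00:06 203.0.113.13 erin FAIL
2021-11-26T10:00:07 203.0.113.14 frank FAIL
2021-11-26T10:00:08 203.0.113.15 grace FAIL
2021-11-26T10:00:09 203.0.113.16 heidi FAIL
2021-11-26T10:00:10 203.0.113.17 ivan FAIL
2021-11-26T10:00:11 203.0.113.18 judy OK
"""

def parse_log(text):
    """Turn audit lines into event dicts; the field layout is an assumption."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events

def detect_stuffing(events, min_attempts=8, min_users=6,
                    max_success=0.25, min_ip_spread=0.8):
    """Score one time slice of login events; returns a list of findings.
    'single-ip': one address tries many accounts (a per-IP limit catches it).
    'distributed': many accounts, nearly every attempt from a different address
    (rotating proxy) and almost all failing; per-IP limits never fire, so the
    slice is scored as a whole."""
    findings = []
    users_by_ip = defaultdict(set)
    for e in events:
        users_by_ip[e["ip"]].add(e["user"])
    for ip, users in users_by_ip.items():
        if len(users) >= min_users:
            findings.append(("single-ip", ip, len(users)))
    total = len(events)
    if total >= min_attempts:
        distinct_users = len({e["user"] for e in events})
        ip_spread = len(users_by_ip) / total      # ~1.0 means one address per attempt
        success = sum(e["ok"] for e in events) / total
        if (distinct_users >= min_users and ip_spread >= min_ip_spread
                and success <= max_success):
            findings.append(("distributed", round(ip_spread, 2), round(success, 2)))
    return findings
```

The single successful login from the proxy pool is the kind of event worth forcing through a second factor, since the surrounding failures show the password was guessed rather than known.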

Make Passwordless Security a Top Priority

Customers want the best possible security, but they also want comfort and ease. Requiring customers to type in long and complicated passwords to access their accounts provokes them to take shortcuts. And this makes both their data and your business vulnerable to cyber attacks. Instead, rely on methods that users literally have at hand: their mobile devices and fingerprints (or other biometric features). Not only do these security measures substantially facilitate the login and validation process, but they are also nearly foolproof. Added security combined with an improved user experience is what will set your business apart from the competition.

[1] ZDNET, After a breach, users rarely change their passwords, study finds, 1 June 2020

[2] ZeroFox, Cyber Monday Breeds Cyber Crime, 20 November 2017
