You have to hand it to cyber-criminals. They keep finding new and innovative ways to do the same old thing: rob you.
And what they are after is the coin of the realm in today’s worl: Data. It’s like a bucket of gold with a “Take Me” sign on it. And worst of all, you may not even know it’s happening.
Credential Stuffing. What Is It?
It’s a relatively new form of cyber attack where hackers assault a targeted website with stolen logins, and in doing so, they attempt to gain access to online accounts. This gives them access to your Cloud Data, your databases, financial info and more.
Worse, this new cyber infiltration even has the big boys heads spinning. A perfect example is Yahoo. They had two of the largest credential thefts in history. And you know that if a sophisticated company like Yahoo can be hacked, you can easily be hacked.
However, you can protect yourself, and in some cases, do it better than the big guys. So think carefully about what you can learn here. Credential Stuffing is something you cannot afford to overlook and you really must look out for it.
How It Works
It’s not all that complicated to understand. Hackers enter a huge number of emails, passwords and usernames and barrage a targeted website until one or some of them stick. On a massive level it can be akin to the old, try and try again, until you get in. Once they do gain access they are free to roam around an existing account until they find what they are looking for.
Can This Infiltration Method Apply to You?
It could. Credential stuffing is now the number one method of cyber attack. A Verizon Data Breach Investigations Report of 2017 revealed a frightening statistic: 81% of surveyed organizations had hacker related cyber breaches where an unauthorized person was able to break in using stolen or weak and easily accessed passwords. This percentage is a huge increase from their 2016 report that showed only 18% had some type of data breach infiltration. Those percentages look bad but the numbers they represent are even worse. Three billion records were leaked on the dark web last year. In fact, when we have gotten a chance to talk to the Cyber security pros, they admit that credential stuffing has quickly outpaced other methods and has become their number one priority.
How Do They Do It?
There are about 4 common ways cyber thieves and hackers get their hands on your info.
- They steal your databases. That’s the easiest thing for them to do. Usernames and passwords are readily available on the dark web. If you are unfamiliar with the dark web it is the place where anything from illegal drugs to hit men can be found. Studies have shown a veritable supermarket of passwords and logins for sale there. They are placed there for sale in bulk after they are stolen from companies like Dropbox. Hackers or other nefarious agents can buy, sell and trade these emails that offer access to millions of accounts that they can use in their planned attack.
- Leaks. Leaks happen more often than you may think. For instance, they might occur when data is transferred either internally or externally to a data center. These leaks are normally accidental and unintentional but they are a prime source of names and password theft.
- Going Phishing. Spamming targets with emails that connect to phishing links are not as common, but it happens enough to make it worth your attention. When a phisherman lands you, he can get plain text usernames and logins which are much easier to hack and use them to get access to your data.
- Botnets Are Another Way of Infiltration. Botnets and browser injectors increase the ability of attackers to breach your data security. Simply put, they gather and amass login data each time a user enters their information into online fields. Once in, the botnets are implanted into the compromised browser and automatically capture shared information. These methods are easily and often overlooked because a compromised browser doesn’t know the botnet is even there.
What, If Anything Can These Infiltrations Do to You?
Even the big boys like Sony, Amazon, Ebay have been reeled in and breached by cyber criminals. They get in often by exploiting an employee’s personal communications, contacts and friends lists. This allow them to easily jump over any computer security firewall.
How Bad Could It Get?
Credential Stuffing will impact more than individuals because the individual users often gives access to hackers to other data. Joe@businessname.com, once uncovered will often open the company to numerous break-ins because if there is a Joe@, there will be a Betsy@. And even though you may have policies in place that forbid workers from using their devices to sign up for online services, as most parents know, saying no is usually not enough. People are people, and it isn’t always in their interest to keep corporate data safe, or they may not realize that infiltration is a real problem. If they get hacked, all your company data will be at risk and that – in addition to everything else – can become a PR nightmare.
What You Can Do
These are a few quick tips that can help you increase your cyber security. These tips were shared with us by the best cyber security professionals in the world, so be sure to implement them right away.
- Redo your passwords and make them tough. Yes, most of us are lazy and don’t want to memorize some random series of letters numbers and symbols, but that is the most important thing you can do. Make sure you never duplicate any of your passwords.
- Enable Two-Factor Authentication – This is a quick, easy and smart move and a worthwhile second layer of security. It requires the logger to receive an additional security code sent to their device to gain access.
- Use a Password Manager – Using a program like LastPass or PassPack allows you to create a unique and strong password for all online accounts inside a secured online password vault. This can relieve some pressure on employees who have to memorize their passwords or codes.
Last but Not Least
Find yourself a cyber-security expert to go through your platforms to uncover any compromised logins. And make your employees aware of credential stuffing and implement a plan to require employees to use unique passwords and two-factor authentication.
If you would like more information, contact LP3. We will be glad to help you make an informed decision on cyber security for your business or organization.
Scott Lawler is CEO of LP3 and provides enterprise cyber security architecture advice to government and commercial clients.