The State of Credential Stuffing and the Future of Account Takeovers.
1. Jarrod Overson @ Shape Security
Where do account takeovers go from here?
THE STATE OF CREDENTIAL STUFFING
2. CREDENTIAL STUFFING STEP BY STEP GUIDE
1 Get Credentials
2 Automate Login
3
4
Defeat Automation Defenses
Distribute Globally
cre·den·'al stuff·ing
/krəˈden(t)SHəl ˈstəfiNG/
The replay of breached username/password
pairs across sites to find accounts where
passwords have been reused.
3. 2 Billion
The record number of attacks
Shape has blocked in one day.
Credential Stuffing by the numbers
A problem that has exploded.
3 Billion
The largest recorded attack
campaign against one URL for
one company in one week.
1 Billion
New credentials spilled in 2018.
Jarrod Overson
7. MANUAL WORK AUTOMATION
Sufficient when
value is high
Can’t scale when
value is reduced
Can’t scale when
cost is increased
Sufficient when
value is low
8. If there are no defenses in place, the cost is nearly zero.
valuecost
Any attacker can use existing attack tools, strategies, and exploits.
Jarrod Overson
9. Any defense increases the cost by forcing a generational shift.
valuecost
Generation 1
The cost of entry to each new generation is high at the start.
Jarrod Overson
10. Enough defenses tip cost vs value in your favor
valuecost
Generation 1
Generation 2
Generation 3
This is where you want to be.
Jarrod Overson
11. The cost of entry for each generation decreases over time.
valuecost
All technology gets cheaper as it becomes better understood.
Jarrod Overson
12. While the value of successful attacks only goes up.
valuecost
Jarrod Overson
20. $0
2.3 billion credentials
$0-50
For tool configuration
$0-139
For 100,000 solved
CAPTCHAs
$0-10
For 1,000 global IPs
100,000 ATO attempts can be tried for less than $200 USD
<$0.002
per ATO attempt.
Jarrod Overson
21. $2 - $150+
Typical range of account values.
Identifying our rate of return
0.2% - 2%
Success rate of a typical credential
stuffing attack.
The rate of return on a credential stuffing attack is 100% on the low end
and 150,000%+ on the high end.
$0.002
Cost per individual attempt.
30. GET / HTTP/1.1
Host: localhost:1337
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/
*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.
(KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) AppleWebKit/534.34 (KHT
like Gecko) PhantomJS/1.9.8 Safari/534.34
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Connection: Keep-Alive
Accept-Encoding: gzip
Accept-Language: en-US,*
Host: localhost:1337
Defense: Header Fingerprinting & Environment Checks
31. Iteration 4: Scriptable Consumer Browsers
Defense: Browser Fingerprinting
Like Selenium and Puppeteer
32. Iteration 5: Randomizing Fingerprint Data Sources
FraudFox & AntiDetect
FraudFox is a VM-Based
anti-fingerprinting
solution.
AntiDetect randomizes
the data sources that are
commonly used to
fingerprint modern
browsers.
33. Behavior Analysis
Naive bots give themselves away by
ignoring normal human behavior.
Humans don't always click in the upper left
hand corner and don't type out words all at
once.
Capturing basic behavior can make naive
automation easy to knock down.
Defense: Behavior Analysis for Negative Traits
34. Iteration 6: Behavior Emulation
Browser Automation Studio
BAS is an automation tool that
combines CAPTCHA solving,
proxy rotation, and loads of
other features with emulated
human behavior all driving a
real Chrome browser.
35. Validating Fingerprint Data
Good Users don't lie much.
Attackers lie a lot. They use a
handful of clients but need to
look like they are coming from
thousands.
Those lies add up.
Defense: Browser Consistency Checks
36. Iteration 7: Use real device fingerprints
Using Real Fingerprints
Fingerprint Switcher allows a
user to cycle through real
browser's fingerprints,
reducing the number of lies
present in the data.
37. The direction these attacks are moving in is clear.
The end game is flawless emulation of human behavior and real devices on home networks.
We call these "Imitation Attacks"
Imitation attacks indicate sophisticated fraud from persistent attackers.
Imitation attacks go back and forth between attacker and defender trying to
drive the attack traffic to be indistinguishable from legitimate user traffic.
Not all automation is an imitation attack, not all imitation attacks are automated.
39. First, let's clear something up.
2FA does not stop credential stuffing.
The point of credential stuffing is to find valid accounts.
Credential stuffing, even with 2FA, still results in valid accounts.
2FA stops automated account takeovers.
48. Logging in
Enter 2FA Token
This time the risk score is too high. Time for additional auth.
49. Enter 2FA Token
Enter 2FA Token
072344
But Barry's used to this flow and doesn't see a problem.
50. Enter 2FA Token
Enter 2FA Token
072344
072344
The script grabs the token and funds are transferred.
51.
52. Photo
Extensions looking for new owners are easy to come by.
It started with ad fraud, moved to cryptomining, and now includes ATOs.
53. Photo
Not good enough? Build your malware directly into the target app.
Popular open source package exploited to inject malicious code into mobile app directly.
55. The value in our accounts is not going away.
As we raise the cost of credential stuffing there is greater incentive to diversify attacks.
Valid Accounts
Credential Stuffing ???
56. Genesis is an early example of the next generation.
Malware that resides at the host to scrape account and environment details.
67. Malware that scrapes, learns, and imitates its host users is what's next.
We've started seeing the signs in ad fraud.
68. Fraud is a human problem, not a technical problem.
Advanced credential stuffing is sophisticated fraud. Treat it as more than simple
automation. Talk to your fraud teams and work from the scams backward.
Imitation attacks are designed to blend in. If you don't think you have a problem,
look deeper until you know you don't have a problem.
Attackers are economically driven, we need to attack the economics. Simple
solutions are only temporary. Every defense will fail if the value is still there.
There are no silver bullet solutions against humans.