Conceal Threat Alert: Re-used Passwords Result in Breach of 35,000 PayPal Accounts

American Banker recently reported on a massive credential stuffing attack that resulted in 35,000 PayPal accounts being breached. The attack exposed personal information including Social Security numbers and phone numbers.

Credential stuffing attacks use login IDs and passwords stolen from various sources, including phishing attacks and credential-stealing malware, to programmatically attempt logins against large numbers of user accounts. Even when the attacker has stolen credentials for only one website, credential stuffing often succeeds because people reuse the same credentials across multiple sites. This means attackers can conduct phishing attacks that mimic websites less sensitive than financial ones like PayPal, then use those credentials to access more sensitive websites and steal money or more sensitive information.

While PayPal said it was unclear how the credentials used in this attack were obtained, the company did say it has no evidence they came from PayPal systems and that they were “likely” from phishing.

PayPal didn’t report that any users lost money from the breach, but given the sensitivity of the personal information stolen, the attackers have gained some key tools for conducting follow-on attacks that could allow them to cause financial harm to the victims in the future.

How Can Companies Stop Credential Stuffing Attacks?

Credential stuffing is the culmination of a chain of attacks that each attempt to steal more and more sensitive information. The initial credentials can be obtained in various ways. In addition to phishing, credentials can also be purchased on the dark web or obtained in data theft operations against less secure targets. These credentials can then be used en masse in credential stuffing attacks against a wide array of websites. Because so many accounts in so many places can be attacked in an automated fashion, at least some successes are almost guaranteed. With access to personal accounts, the attacker now has a database of personal information that can be used to conduct more targeted attacks with more valuable payouts.

Because there are so many stages of these attacks and multiple ways that the credentials can be obtained in the first place, there’s no silver bullet solution to completely prevent them. For instance, two-factor authentication can often thwart the credential-stuffing stage of the attack, but this occurs after credentials have already been stolen. Using unique passwords for every account can also be effective. Several measures are required to secure customer data from other types of data theft attacks on servers.

All this makes the problem of protecting against these attacks sound daunting – and it is – but the key factor is that many of these attacks are possible because an earlier phishing attack was successful. ConcealBrowse’s advanced phishing protection sits at the beginning of the attack chain, the browser, and prevents attackers from obtaining credentials in the first place.

Head Off Credential Theft with Advanced Phishing Protection and Dynamic Remote Browser Isolation

Click here to sign up for a free ConcealBrowse account to see for yourself how ConcealBrowse can protect your company and employees from phishing attacks and malware. If the attackers can’t get your users’ credentials now, they can’t use them to steal sensitive data across the Internet later.

Written by: Conceal Research Team