F5 study: Incidents with login data doubled since 2016. Credential Stuffing Report extensively investigates credential abuse. The number of annual credential-related incidents nearly doubled from 2016 to 2020. This is shown by the current Credential Stuffing Report from F5.
The largest study of its kind found a 46 percent decrease in the number of stolen credentials over the same period. The average amount of data fell from 63 million records in 2016 to 17 million last year. The mean size increased to 2020 percent in 2 (234 million records) compared to 2019 and was the highest since 2016 (2,75 million).
Captured compromised credentials
Credential stuffing exploits large amounts of compromised username and / or email address and password pairs. According to the FBI, this threat accounted for the largest share of security incidents in the US financial sector between 2017 and 2020 (41%).
"Attackers have been collecting billions of credentials for years," said Sara Boddy, senior director of F5 Labs. “Stolen credentials are like an oil slick: once spilled, they are very difficult to clean up because unsuspecting users don't change them and few companies use credential stuffing solutions. So it is not surprising that during this study period we observed a shift in the main attack type from HTTP attacks to credential stuffing.”
Sander Vinberg, threat research evangelist at F5 Labs and co-author of the study, urges companies to be vigilant. “Interestingly, in 2020 the total volume and size of credentials spied decreased. However, it is highly unlikely that security teams will win the battle against data theft and fraud. At least the hitherto chaotic market seems to be stabilizing with increasing maturity. "
Bad password storage - more sophisticated attackers
According to the study, insufficient password retention remains a major problem. Although most companies do not disclose their password hashing algorithms, F5 experts were able to investigate 90 specific incidents.
In the past three years, 42,6 percent of the stolen access data had no protection and the passwords were stored in clear text. This was followed by access data with an incorrectly defined password hash algorithm SHA-1 (20%). In third place was the bcrypt algorithm (16,7%). The controversial MD5 hash algorithm surprisingly only resulted in a small part of the stolen login data.
Attackers use "fuzzing" techniques
It is also noteworthy that attackers are increasingly using "fuzzing" techniques in order to optimize success in exploiting access data. With fuzzing, weak points are found by repeatedly testing the parser with modified inputs. According to F5, most fuzzing attacks take place before compromised credentials are released. Accordingly, this practice is more common among experienced attackers.
Detect theft
In the 2018 Credential Stuffing Report, F5 reported that it took an average of 15 months for credentials to become public knowledge. The average time to discover incidents is currently only eleven months. However, this result is skewed by some incidents where the time span was three years or more. The mean time to detect incidents is 120 days. However, stolen data is often discovered on the dark web before companies report the incident.
The dark web in the spotlight
The publication of a theft is typically related to the appearance of credentials in dark web forums. For the 2020 Credential Stuffing Report, F5 analyzed the period between the theft of credentials and their publication on the dark web.
The researchers performed a historical analysis of a sample of nearly 9 billion credentials from thousands of data breaches, known as "Collection X". The login details were posted in dark web forums at the beginning of January 2019.
Fortune 500 customers among the victims
F5 compared these credentials to the usernames used in credential stuffing attacks against customers six months before and after the public disclosure date. The four Fortune 500 customers included two banks, a retailer, and a grocery company. With the help of Shape Security technology, the researchers were able to trace stolen credentials from theft to sale to exploitation.
Over the course of 12 months, 2,9 billion different credentials were used for both legitimate transactions and attacks on the four websites. Almost a third (900 million) of the credentials were compromised. The stolen credentials appeared most frequently in legitimate human transactions with the banks (35% and 25% of the cases, respectively). 10 percent of the attacks were targeted at the retailer and around 5 percent at the grocery company.
Five stages of abuse
The 2020 Credential Stuffing Report identified five phases in which login data was misused.
- Quietly and secretly: Compromised credentials were used clandestinely up to a month before a public announcement. On average, each access authorization was used 15 to 20 times a day in attacks on the four websites.
- Strong increase: In the 30 days leading up to the release, the credentials circulated on the dark web. More cyber criminals are using them, which is why the number of attacks per day has increased steadily.
- The culmination: After the access data was published, they tried out “script kiddies” and other amateurs on the largest websites. The first week was particularly violent, with each account being attacked an average of over 130 times per day.
- The decline: After the first month, F5 saw a new level of around 28 attacks per username per day. Interestingly, it's higher than the initial stats of 15 attacks during the first phase. This is due to inexperienced attackers who are still using “out of date” information.
- Reuse: After carrying out “credential stuffing” attacks on many websites, a subset of criminals set about repackaging valid credentials and reusing them.
Minimizing the threat
"Credential stuffing will remain a threat as long as users have to log into accounts online," added Boddy. “The attackers will continue to adapt their attacks to fraud protection techniques, creating a great need and opportunity for adaptive, AI-based controls on credential stuffing and fraud. It is impossible to spot all attacks immediately. However, it is possible to make attacks so costly that scammers will give up. Because even for cyber criminals, time is money. "
Directly to the report at F5.com
Via F5 Networks F5 (NASDAQ: FFIV) gives the world's largest companies, service providers, government agencies and consumer brands the freedom to deliver any app securely, anywhere, with confidence. F5 offers cloud and security solutions that enable companies to use the infrastructure they choose without compromising speed and control. Please visit f5.com for more information. You can also visit us on LinkedIn and Facebook for more information about F5, its partners and technologies.