The Australian epidemic of Account Takeover attacks

In recent months, a wave of credential stuffing attacks has swept across Australian businesses, leaving compromised accounts and frustrated customers. This surge in malicious activity highlights the need for enhanced cybersecurity measures and a reevaluation of how businesses approach user account protection.

A Case Study in Credential Stuffing

Security researcher Jacob Larsen's investigation has uncovered a sophisticated credential stuffing operation targeting Australian businesses. Larsen's research, detailed in his blog post, reveals the activities of a threat actor known as "Crabby," who has sold compromised Australian accounts since July 2023.

Larsen's findings show:

• The operation began with a threat actor called "Based" selling compromised accounts via Discord and dedicated websites.
• In November 2023, the operation was acquired by "Juicy," a notorious account vendor, and rebranded as "Crabby."
• As of May 2024, over 19,000 compromised accounts from various Australian brands were offered for sale.
• Low-level fraudsters purchasing these accounts have used them to make unauthorised purchases, often targeting high-value items for resale.

This case study exemplifies the sophisticated nature of modern credential stuffing operations and the challenges businesses face in combating them.

The Difficulty of Defense

Defending against credential stuffing attacks has become increasingly challenging due to two key factors: the rise of residential proxies and the effectiveness of single-hit attacks.

Residential Proxies: The Invisible Threat

Residential proxies pose a significant challenge to traditional defense mechanisms. These proxies use IP addresses assigned to real residential internet connections, making malicious traffic appear legitimate. This technique allows attackers to bypass IP-based rate limiting and geolocation restrictions, rendering many conventional security measures ineffective.

The use of residential proxies makes it difficult for businesses to distinguish between legitimate user traffic and automated credential stuffing attempts. Traditional indicators of suspicious activity, such as a high volume of login attempts from a single IP address, become unreliable when attackers can distribute their attempts across a network of seemingly legitimate residential IPs.

Single-Hit Attacks: Precision Strikes

Single-hit attacks represent another evolution in credential stuffing techniques. In this approach, attackers use each stolen credential only once per target site, reducing the likelihood of detection by traditional rate-limiting or anomaly detection systems.

By limiting themselves to a single attempt per set of credentials, attackers can evade many security systems designed to detect repeated login failures. This precision approach means that even if a business has robust rate-limiting in place, it may still be vulnerable to credential stuffing attacks that don't trigger these defenses.

The Mobile API Conundrum

As mobile applications increasingly become the primary interface for users, a new vulnerability in the fight against credential stuffing has emerged. Traditional bot protection measures, which often rely on JavaScript challenges or browser fingerprinting, are rendered ineffective against attacks targeting mobile APIs.

Mobile applications typically communicate with backend services via APIs, bypassing the web browser environment where many bot detection techniques operate. This shift presents several challenges:

1. Lack of JavaScript Execution: Mobile APIs don't execute JavaScript, making it impossible to use browser-based bot detection techniques.

2. Limited Fingerprinting Capabilities: The standardised nature of mobile API requests makes it difficult to distinguish between legitimate user activity and automated attacks based on request characteristics.

3. Increased Attack Surface: The proliferation of mobile apps expands the number of potential entry points for attackers, making comprehensive protection more complex.

4. Authentication Simplification: To improve user experience, mobile apps often implement simplified authentication processes, which can be more vulnerable to automated attacks.

This gap in protection highlights the need for more sophisticated, API-centric security measures that can effectively safeguard mobile interactions without relying on browser-based detection methods.

Framing Credential Stuffing as a Business Risk

It's crucial to reframe the issue of credential stuffing from a purely technical problem to a significant business risk. This shift in perspective allows for a more holistic approach to mitigation and aligns cybersecurity efforts with broader business objectives.

Risk Quantification and Disclosure

Risk quantification plays a vital role in addressing cybersecurity challenges. By applying frameworks like FAIR (Factor Analysis of Information Risk), businesses can:

1. Quantify the potential financial impact of credential stuffing attacks.
2. Prioritise security investments based on risk reduction potential.
3. Communicate the importance of cybersecurity measures to non-technical stakeholders.

Furthermore, the concept of risk disclosure, as mandated by regulations like CPS 234 in Australia, adds another layer of complexity. Businesses must not only protect against credential stuffing but also be prepared to disclose their risk exposure and mitigation strategies.

The State of Credential Stuffing Defense in Australia

Our recent survey of Australian businesses reveals some concerning trends in the approach to credential stuffing defense:

• While 77% of respondents use Multi-Factor Authentication (MFA), only 40% have implemented bot protection measures.
• A significant 15% of companies chose not to respond to questions about their security measures, suggesting potential gaps in protection.
• Just 29% of businesses check credentials against known breaches, leaving a large window of opportunity for attackers using stolen credentials.
• Only 15% of organisations use residential proxy detection, a critical component in identifying and mitigating modern credential stuffing attacks.

These findings highlight a disconnect between the evolving threat landscape and the security measures currently in place at many Australian businesses.

Recommendations for Enhanced Protection

Based on our analysis and survey results, we recommend the following steps for businesses to strengthen their defenses against credential stuffing:

1. Implement Advanced Bot Protection: Deploy solutions that detect and mitigate bot attacks, including those leveraging residential proxies.

2. Enhance Mobile API Security: Develop security measures for mobile APIs, focusing on anomaly detection and behavioural analysis rather than browser-based techniques.

3. Adopt Risk-Based Authentication: Implement dynamic authentication mechanisms that adjust based on the assessed risk of each session or transaction.

4. Utilise Breached Credential Databases: Regularly check user credentials against known breach databases and enforce password changes for compromised accounts.

5. Implement Residential Proxy Detection: Invest in technologies that identify and mitigate traffic from residential proxy networks. This forms a key component in combating modern credential stuffing attacks.

6. Apply Advanced Rate Limiting: Utilise device fingerprinting and other identifiers beyond IP addresses to implement more effective rate limiting, particularly for single-hit attacks.

7. Employ Contextual Security: Implement security measures that consider factors such as user behaviour patterns, device characteristics, and historical usage to identify anomalies indicative of credential stuffing attempts.

8. Quantify and Communicate Risk: Use frameworks like FAIR to quantify the potential impact of credential stuffing attacks and communicate this risk to stakeholders.

9. Implement Continuous Monitoring: Deploy real-time monitoring systems that detect patterns indicative of credential stuffing attacks, and continuously adapt defenses based on emerging threats.

These recommendations address the evolving nature of credential stuffing attacks, including the challenges posed by residential proxies and single-hit attempts. They also account for the limitations of traditional defense mechanisms and the need for a risk-based approach to security.

By implementing these measures, businesses can enhance their resilience against credential stuffing attacks, protect user accounts, and maintain customer trust. The fight against credential stuffing requires a multi-faceted approach that combines technological solutions with risk management strategies. As the threat landscape continues to evolve, businesses must remain vigilant and adaptive in their defense strategies.