
Credential stuffing is a type of cyberattack that uses credentials obtained from previous breaches to take over existing accounts on other web or mobile applications. It is a form of brute force attack that relies on the fact that many people reuse the same usernames and passwords across multiple sites. For a more in-depth description of credential stuffing and its impacts, refer to our piece on how credential stuffing works. This article looks deeper into the anatomy of a credential stuffing attack and examines the tools of the trade.

Credential stuffing attacks include the following key steps:

  1. An attacker obtains leaked credentials (i.e., a username and password pair) from prior cyberattacks.
  2. The attacker uses a software tool to automate the testing of stuffing these credentials against various websites and mobile applications.
  3. If a credential set is successfully authenticated, then it is flagged as a valid account.
  4. The attacker can now take over the account and extract any value, including personally identifiable information, credit card information, and stored value (such as loyalty points), as well as access email, make fraudulent purchases, and resell the account.

Only a small percentage of the credentials tested are valid, typically between 0.1 and 2 percent. Because of the enormous number of credentials tested (typically in the hundreds of thousands to millions), this becomes a significant problem for the website owner.
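The traffic shape described above (a very large number of attempts spread across many distinct usernames, with only a tiny fraction succeeding) is also what a defender can look for. The following is an added example, not code from the article or from F5; it aggregates login events per source IP and flags sources whose success rate is in the low single digits. The log line format `time ip username OK|FAIL`, the sample events and the thresholds are assumptions made for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample login events (not from the article). The line format
# "time ip username OK|FAIL" is an assumption made for this example.
STUFFING = [f"10:00:{i:02d} 203.0.113.7 user{i:02d} {'OK' if i == 7 else 'FAIL'}"
            for i in range(12)]                                    # 12 usernames, 1 hit
OFFICE_NAT = [f"10:02:{i:02d} 192.0.2.9 staff{i} OK" for i in range(6)]  # many users, all OK
TYPO_USER = ["10:03:00 198.51.100.4 alice FAIL", "10:03:05 198.51.100.4 alice OK"]
SAMPLE_LOG = "\n".join(STUFFING + OFFICE_NAT + TYPO_USER)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    users: set = field(default_factory=set)

    @property
    def success_rate(self):
        return self.successes / self.attempts if self.attempts else 0.0


def parse_log(text):
    """Aggregate attempts, successes and distinct usernames per source IP."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than aborting the run
        _, ip, user, result = m.groups()
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if result == "OK":
            s.successes += 1
    return stats


def flag_stuffing_sources(stats, min_attempts=10, min_users=5, max_success_rate=0.1):
    """IPs that look like credential stuffing: high attempt volume across many
    distinct usernames with a success rate near the 0.1-2 percent the article
    describes. A busy office NAT also shows many usernames but a high success
    rate, so the rate is the discriminator. Thresholds are illustrative."""
    return sorted(ip for ip, s in stats.items()
                  if s.attempts >= min_attempts and len(s.users) >= min_users
                  and s.success_rate <= max_success_rate)
```

On the constructed sample only 203.0.113.7 is flagged; the office NAT is spared because nearly all of its logins succeed, and the single user retrying a mistyped password never reaches the volume threshold.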

This article focuses on step 2 of this process: how the attacker configures and tests their software tools to “stuff” the credentials. The second part of this article will go into step 4, launching the attack and overcoming the victim’s defenses.

Obtaining Credentials for Stuffing

One only has to search for “combolist for sale” on the public Internet to uncover the ecosystem built on buying and selling breached credentials. Beneath the surface, on the dark web, is a thriving market as well, including combolists-as-a-service, where bad actors use a subscription model to continuously provide freshly stolen credentials.

The price of credentials varies from free to tens of dollars, based on freshness, seller reputation, and competitive pressure. The F5 Labs 2021 Credential Stuffing Report goes into detail on the causes and magnitude of these spilled credentials.

Credential Stuffing Attack Tools

Several tools are available to orchestrate the credential stuffing once the attacker obtains the combolists, proxies, and potentially the CAPTCHA solving service. One such tool is OpenBullet, which is open source and easily available for download on the Internet. Attackers can use OpenBullet to create attack scripts, or they can purchase prebuilt scripts on the dark web. The following subsections describe how to create a basic attack script using OpenBullet’s intuitive visual editor.

Loading the Combolist

In this step, we browse to the list of credentials, or combolist, we will use in the attack. A combolist is simply a list of usernames and passwords separated by a character, such as a colon. For example:

  • Testuser1:testpasseword1
  • Testuser2:testpasseword2
  • Testuser3:testpasseword3

Figure 1 shows how to load the credential pair combolist into the OpenBullet configuration.