Credential stuffing attack: What is it and how to stay protected?

  • Credential stuffing is a type of cyber attack in which attackers use username-password combinations leaked from other sites to gain unauthorized access to user accounts.
  • Attackers try the stolen credentials against many unrelated websites, counting on password reuse, in order to compromise and take full control of user accounts.

What is it – Credential stuffing is a type of cyber attack in which attackers use username-password combinations leaked from other sites to gain unauthorized access to user accounts.

  • Attackers obtain credentials leaked in breaches of other sites or sold on underground forums and replay them against many unrelated sites in an attempt to gain unauthorized access to user accounts. Unlike a brute-force attack, which guesses many passwords for one account, credential stuffing tries known pairs, typically one attempt per account, across thousands of accounts.
  • Attackers use bots, toolkits, or custom software to test the list of breached credentials automatically, often spreading the attempts over many source addresses so that no single one trips a rate limit.
  • Every account whose owner reused the leaked password on the targeted site can then be taken over.

Examples of Credential stuffing attacks

Example 1 – Intuit, a victim of credential stuffing attack

In February 2019, the financial software company Intuit learned that TurboTax users' tax return information had been compromised in a credential stuffing attack. The company disclosed that an unauthorized party accessed TurboTax accounts using username-password combinations obtained from a non-Intuit source.

The unauthorized party who gained access to TurboTax user accounts obtained information contained in the previous year's tax return or in the current tax return in progress.

  • The exposed information included users' names, Social Security numbers, addresses, dates of birth, and driver's license numbers.
  • The compromised information also included users' financial details such as salary and deductions.

Example 2 – Dunkin’ Donuts suffered a credential stuffing attack

On January 10, 2019, Dunkin' Donuts suffered a credential stuffing attack in which attackers gained unauthorized access to some of its customers' accounts. The attackers used credentials leaked from other sites to log in to DD Perks rewards accounts.

A DD Perks account includes information such as the user's first and last name, email address (also used as the username), 16-digit DD Perks account number and DD Perks QR code.

Once the attackers had gained access to customers' Dunkin' Donuts accounts via credential stuffing, they put the compromised accounts up for sale. The buyers then used the reward points at Dunkin' Donuts shops to obtain free beverages and other discounts.

It is to be noted that this was the second credential stuffing attack Dunkin' Donuts had experienced in three months; the first occurred on October 31, 2018.

How to stay protected?

  • To stay protected from credential stuffing, never reuse the same password across multiple sites: a password leaked from one site then cannot be replayed against the others.
  • Use a unique password for each account (a password manager makes this practical) and rotate passwords, at the very least whenever a site that holds one reports a breach.
  • Use strong, complex, and unique passwords that are difficult to crack, and avoid any password that is already known to appear in a breach, since those are the first ones attackers try.

Enable two-factor authentication wherever it is offered, since a stolen password alone is then not enough to log in, and log out once the session is complete.
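A site can enforce the "no breached passwords" part of this advice at signup and password change without ever seeing the breach corpus or sending the password anywhere. The following is an added example, not code from the article; it implements both sides of the k-anonymity range lookup used by services such as Have I Been Pwned's Pwned Passwords API (the client sends only the first five hex characters of the SHA-1 hash and matches the returned suffixes locally), but runs against a small constructed corpus instead of the real service. The corpus, counts and `min_length` are assumptions for the example.

```python
import hashlib


def sha1_hex(password):
    """Uppercase SHA-1 hex digest, the key the range protocol is built on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus (not real leaked data): hashes of a few
# notoriously common passwords with made-up occurrence counts.
BREACH_CORPUS = {
    sha1_hex(pw): count
    for pw, count in [("password", 3861493), ("123456", 23547453),
                      ("qwerty", 3946737), ("letmein", 236000)]
}


def range_lookup(prefix):
    """Server side of the k-anonymity range protocol: the client sends only
    the first five hex characters of its hash and receives every stored
    suffix that shares them, so the server never learns the full hash."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be five uppercase hex characters")
    return [(h[5:], n) for h, n in BREACH_CORPUS.items() if h.startswith(prefix)]


def breach_count(password, lookup=range_lookup):
    """Client side: return how often `password` appears in the corpus (0 if never).
    Only the 5-character prefix leaves the client; the match is done locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for stored_suffix, count in lookup(prefix):
        if stored_suffix == suffix:
            return count
    return 0


def check_password(password, min_length=12, lookup=range_lookup):
    """Return a list of reasons to reject a new password (empty means accept)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    count = breach_count(password, lookup)
    if count:
        problems.append(f"found {count} times in breach corpus; attackers will try it first")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate) or "ok")
```

Against the real service, `range_lookup` would perform an HTTPS GET for the prefix and parse `SUFFIX:COUNT` lines; the client logic stays the same. Note that the check happens at password creation time, which is the only point at which the site holds the plaintext; a stored hash cannot be checked later.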

The teams at Norton, Symantec and LifeLock are fighting online crime 24x7x365

Norton teams up with Symantec's Security Technology and Response (STAR) division, a global team of security engineers, virus hunters, threat analysts, malware analysts, and researchers that provides the underlying security technology, content, and support for all Symantec corporate and consumer security products. Our team of global threat analysts operates a follow-the-sun model to provide 24×7 coverage to Symantec customers and to track the latest developments in the threat landscape. Analysts continuously monitor a worldwide network of Symantec-protected machines as well as a large-scale, global network of honeypots (machines designed to lure attackers). The group is Symantec's and Norton's eyes and ears when it comes to surveying and keeping a finger on the pulse of the Internet security threat landscape. With this partnership, we are able to provide you with the latest, breaking news about threats on the Internet. Not only do we notify you of the latest outbreaks to be aware of, we also want to educate you about how to stay safe against these threats.

Some years ago, traditional antivirus was all that was needed to protect a computer from malware. With the huge shift in the threat landscape over the last few years, however, antivirus alone is not enough to stay protected today. To address this, Norton has developed a collaborative partnership with the STAR team in order to alert readers as soon as a malware outbreak, data breach, fake app outbreak or other security incident happens.

Trojan Attack Masked as Payment Confirmation

A sophisticated attack is evading detection by using a rapidly changing Trojan attack pattern, according to researchers at GreatHorn.

The research team identified what it called a widespread Trojan pattern that uses many different subject lines, email bodies, sender addresses, display-name spoofs and destination URLs to disguise itself as a confirmation of a paid invoice.

This threat lacks the consistency of a typical volumetric attack, which is what makes it sophisticated: with no fixed subject, sender or URL to match on, it is more difficult for email security tools to identify and block, researchers said.

The researchers have not been able to identify any pattern in the targets in terms of specific departments or functions within an organization. In addition, the Trojan appears in some cases to be sent from the addresses of compromised accounts, while in others it spoofs the name of an employee at the target company or pairs an unrelated name with the address of a compromised account.

The Trojan is delivered through a link that automatically downloads a Word template with a .doc extension; three distinct waves have been observed since the researchers first identified the attack earlier this week.

What is understood so far is that the initial point of infection is a phishing email sent to employees, often carrying the display name of a fellow employee but an external email address belonging to what appears to be one of several compromised accounts, according to the research team.

Also notable is that while the subject lines vary, each variation references “receipt” or “invoice.” Some examples of subject lines that have been seen include: “Transaction for Your Invoice 4676,” “Payment receipt bill 483477,” “Receipt for Invoice 23649” and “[Internal name spoof] Payment receipt 02094924.”

Interestingly, the accounts from which the threat is distributed appear to be legitimate, compromised accounts, primarily at South American companies, though the sender display name is typically arbitrary.

In a small handful of attacks, the messages appeared to come from another employee within the recipient's organization; researchers described these as highly targeted, with customized subject lines and display names.
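The three indicators the researchers describe (a subject line mentioning a receipt or invoice, an employee's display name paired with an external sender address, and a link that downloads a .doc file) are each weak on their own but strong in combination, and none of them depends on the rotating subjects, senders or URLs that defeat signature matching. The following scorer is an added example, not code from GreatHorn or the article; it runs over three constructed plain-text messages and assumes an organisation domain of `example.com` and a small directory of employee display names.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for the example: the defending organisation's own mail domain
# and a directory of its employees' display names (lower-cased for matching).
INTERNAL_DOMAIN = "example.com"
EMPLOYEE_NAMES = {"alice smith", "bob jones"}

SUBJECT_RE = re.compile(r"\b(receipt|invoice)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed messages (not real samples). The first matches the reported
# pattern: a colleague's display name, an external sender address, an
# invoice-style subject line and a link that downloads a .doc file.
MSG_SPOOFED = """\
From: Alice Smith <contabilidad@compromised-vendor.example>
To: bob@example.com
Subject: Payment receipt bill 483477

Please review your payment receipt: http://203.0.113.10/docs/receipt_483477.doc
"""

MSG_INTERNAL = """\
From: Alice Smith <alice@example.com>
To: bob@example.com
Subject: Invoice 23649 approved

Approved, the PDF is here: https://intranet.example.com/ap/invoice_23649.pdf
"""

MSG_UNRELATED = """\
From: Newsletter <news@shop.example.net>
To: bob@example.com
Subject: Spring sale starts Monday

See what's new: https://shop.example.net/spring
"""


def score_message(raw):
    """Return (score, reasons) for a plain-text message. Each of the three
    indicators from the report adds one point."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    reasons = []

    if SUBJECT_RE.search(msg.get("Subject", "")):
        reasons.append("subject references a receipt or invoice")

    # Display name belongs to an employee but the address is not ours:
    # the display-name spoof the researchers describe.
    if display_name.strip().lower() in EMPLOYEE_NAMES and domain != INTERNAL_DOMAIN:
        reasons.append(f"employee display name with external address {address}")

    # Plain-text bodies only in this example; a multipart message would need
    # its text parts walked, which is omitted here.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for url in URL_RE.findall(body):
        if urlparse(url).path.lower().endswith(".doc"):
            reasons.append(f"link downloads a .doc file: {url}")
            break

    return len(reasons), reasons


def is_suspicious(raw, threshold=2):
    """Flag when at least `threshold` indicators fire; a genuine internal
    invoice trips only the subject-line rule and passes."""
    score, _ = score_message(raw)
    return score >= threshold


if __name__ == "__main__":
    for name, raw in [("spoofed", MSG_SPOOFED), ("internal", MSG_INTERNAL), ("unrelated", MSG_UNRELATED)]:
        print(name, score_message(raw), is_suspicious(raw))
```

The display-name rule is the one worth keeping even if the others change: an external address that borrows an internal name has no legitimate reason to exist in most organisations, so it can be enforced as a hard rule at the gateway rather than scored.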