The rise and rise of application fraud
Cyberattacks have evolved since the advent of online transacting almost 25 years ago, with attackers continually escalating and refining their techniques to protect their illicit revenue streams.
Early brute force attacks guessed passwords sequentially until they hit the correct one. This is time-consuming, computationally expensive, and not very effective. Then password lists became popular: instead of guessing blindly, attackers used massive lists of common passwords to guide them and brute forced variations of each entry.
Today, attackers and fraudsters can call upon a sophisticated suite of tools all designed to defeat traditional defences. Most people who use the internet have had an account compromised at some point, and in all likelihood, that was through either phishing or some type of credential stuffing attack.
Credential stuffing can be thought of as a smarter form of brute force where attackers take credentials that have been leaked in one data breach and try them en masse against other websites to find combinations that are reused, so that they can take over user accounts. Attackers do this in an automated fashion, so that they can try thousands of credentials very quickly.
The use of stolen credentials is one of the most common methods used in observed data breaches. According to , credential stuffing aimed at account takeover and other brute force attacks drive fraud and abuse that results in more than $40B of hard losses every year, and up to three times that much in total costs.
At Auth0, we see these trends at scale across our customer base, because as an aggregator of identity and login data we are in a unique position to observe them. Today, roughly 67% of our authentication traffic is flagged as suspicious, meaning it has the characteristics of application fraud.
What are the threats?
A number of factors enable these credential stuffing attacks, and organisations should be looking to address each of them.
- Single-factor authentication – this is when a website relies on just a username and password rather than multi-factor authentication (MFA). Mitigations like MFA add friction, so companies need to apply them intelligently. In an ideal world, a customer should encounter extra friction only occasionally, when the risk warrants it, rather than every time they log in.
- Lists of known, breached credentials – if attackers were unable to get hold of these lists, they could not carry out these attacks. Massive breaches produce lists of thousands of usernames and passwords, which attackers aggregate into mega lists.
- Reusing passwords – countless statistics show that most people reuse their passwords, and if that were not the case, credential stuffing attacks would not work.
- Readily available tools – these are very easily acquired by attackers to conduct automated attacks. Most websites will identify spikes in traffic from a single source and block it. However, attackers get around that by dividing an attack across a botnet, spreading their login attempts against a victim site over a massive pool of residential IP addresses so that no single address stands out. There are services where attackers can pay a small amount of money for access to tens of thousands of IP addresses.
- Monetising attacks – none of these tools or lists would exist if attackers were not able to monetise their attacks. They can simply sell the accounts on the darknet, but we also see a number of more creative examples, such as:
  - Reselling subscriptions to content streaming platforms for less than the retail price.
  - “Sneaker botting”, where attackers target a limited sneaker release (or any collectible, really), take over hundreds of user accounts, and buy up the whole supply to sell on third-party marketplaces.
  - Company loyalty programmes and gift cards, where attackers take over loyalty accounts and drain any points that have accrued. A UK supermarket had to suspend and block 620,000 accounts after stolen username and password combinations were used to take over the accounts and redeem reward vouchers that customers had earned through the loyalty scheme.
The scale of application fraud right now is unbelievable. However, most of the problems that enable credential stuffing attacks have been around for a long time.
If organisations really want to defend against credential stuffing attacks, they have to think of security in layers. A huge spike in failed logins is a tell-tale sign of a credential stuffing attack. If you are getting traffic from IP addresses known to be associated with threat actors, you might want to block them or impose a CAPTCHA to mitigate bot activity. You need those first layers of defence.
Good security hygiene, such as checking your user base against known, breached passwords, is a second layer of defence. MFA is a third. If your organisation has all three, you are in pretty good shape against credential stuffing, and you can minimise friction for users by prompting for MFA only when a login is deemed suspicious.
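The three layers just described, worked through on constructed data as an added example (this is not Auth0's code, and the log format, IP reputation list and breach set are all assumptions invented for the illustration). The first layer computes the traffic signals the text calls out: a failed-login spike, and the botnet signature from the "readily available tools" point above, where many distinct IP addresses each make only one or two attempts. The second layer checks a password against a breach set using a k-anonymity style lookup, so only a five-character hash prefix would ever leave the client; the "range" lookup here is simulated against a local set, standing in for a real breach corpus or service. The third layer chooses the least friction that fits the risk, so MFA is demanded only when something looks suspicious.

```python
"""Layered credential-stuffing defences on constructed log data.

Added example, not Auth0 code.  Every log line, IP address and hash below is
constructed for the illustration; the log format is an assumption.
"""
import hashlib
import re
from collections import Counter

# Constructed authentication log: one window of login attempts.
SAMPLE_LOG = """\
ip=203.0.113.7 user=alice result=fail
ip=198.51.100.2 user=bob result=fail
ip=198.51.100.9 user=carol result=fail
ip=203.0.113.20 user=dave result=fail
ip=192.0.2.44 user=erin result=fail
ip=192.0.2.45 user=frank result=success
ip=203.0.113.21 user=grace result=fail
ip=198.51.100.3 user=heidi result=fail
ip=192.0.2.46 user=ivan result=fail
ip=10.0.0.5 user=judy result=success
"""

# Constructed IP reputation feed standing in for a threat-intelligence source.
KNOWN_BAD_IPS = {"203.0.113.7", "203.0.113.20", "203.0.113.21"}

LINE_RE = re.compile(r"ip=(\S+) user=(\S+) result=(\S+)")


def parse_log(text):
    """Return (ip, user, failed) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ip, user, result = m.groups()
            events.append((ip, user, result == "fail"))
    return events


def traffic_signals(events, baseline_fail_rate=0.10, max_attempts_per_ip=2):
    """Layer 1: aggregate signals of a distributed credential-stuffing run.

    A single-source brute force is one IP with many attempts.  Stuffing spread
    over a botnet looks different: a high failure rate, many distinct
    usernames, and a *low* attempt count per IP.  Both are computed here.
    """
    total = len(events)
    fails = sum(1 for _, _, failed in events if failed)
    fail_rate = fails / total if total else 0.0
    per_ip = Counter(ip for ip, _, _ in events)
    return {
        "fail_rate": fail_rate,
        "spike": fail_rate > 3 * baseline_fail_rate,
        "distinct_ips": len(per_ip),
        "distinct_users": len({user for _, user, _ in events}),
        # short-circuits on an empty window, so max() is never called on nothing
        "distributed": len(per_ip) >= 5 and max(per_ip.values()) <= max_attempts_per_ip,
    }


def sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus: SHA-1 of a few well-known weak passwords.
BREACHED_HASHES = {sha1_upper(p) for p in ("password", "123456", "qwerty", "letmein")}


def range_lookup(prefix):
    """Simulated k-anonymity range query: the lookup side only sees the first
    five hex characters and returns every known suffix under that prefix."""
    return {h[5:] for h in BREACHED_HASHES if h.startswith(prefix)}


def is_breached(password):
    """Layer 2: check a password against the breach set without revealing it."""
    digest = sha1_upper(password)
    return digest[5:] in range_lookup(digest[:5])


def login_controls(ip, signals, password_breached, known_bad_ips=KNOWN_BAD_IPS):
    """Layer 3: apply the least friction that fits the risk.

    Known-bad infrastructure is blocked outright; a distributed spike puts a
    CAPTCHA in front of everyone in the window; a breached password steps up
    to MFA; a clean login passes with no extra friction.
    """
    if ip in known_bad_ips:
        return ["block"]
    controls = []
    if signals["spike"] and signals["distributed"]:
        controls.append("captcha")
    if password_breached:
        controls.append("mfa")
    return controls or ["allow"]


if __name__ == "__main__":
    signals = traffic_signals(parse_log(SAMPLE_LOG))
    print(signals)
    for ip, pw in (("203.0.113.7", "password"), ("10.0.0.5", "long-unique-phrase")):
        print(ip, login_controls(ip, signals, is_breached(pw)))
```

On the constructed window above, the failure rate is 80% against a 10% baseline and all ten attempts come from ten different addresses, so the detector reports both a spike and the distributed signature even though no single IP would trip a per-source rate limit. Pick the baseline and per-IP threshold from your own traffic rather than copying these numbers.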
Matias Woloski is co-founder and CTO, Auth0