Sentry MBA makes credential stuffing attacks easy and cheap

Maria Korolov | March 18, 2016
An automated attack tool called Sentry MBA makes credential stuffing attacks simple.

A new report released by Shape Security on Wednesday details how the Sentry MBA tool makes credential stuffing attacks more widely available to cybercriminals.

The traditional "brute force" method of breaking into a user account requires the attacker to try numerous combinations of login ID and password. It's a difficult, time-consuming process. Plus, defending organizations have learned to stop these kinds of attacks by blocking multiple attempts to log into the same account, or multiple login attempts from the same IP address.

A credential stuffing attack increases the attacker's success rate and shortens the time it takes to break into accounts by using stolen lists of working login IDs and passwords from other sites, since many people reuse the same email address and password as their credentials at multiple sites.

Since the attack goes after a different user name with each new attempt, no one account sees a suspicious number of failed logins.

"You have all of these technologies that companies have deployed to try to protect against different forms of attack," said Shuman Ghosemajumder, vice president of product management at Shape Security. "The idea behind all of them is to try to identify patterns in IP address, and the problem is that attackers are now using botnets to bypass those defenses."

According to Shape Security, an average of 1 to 2 percent of stolen credentials from one site will work on a second site, meaning that a list of a million credentials will result in 10,000 hijacked accounts.

To bypass systems that look for multiple attacks from a single IP address, attackers use botnets to make it seem like the login attempts are all coming from different, and normally law-abiding computers.
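As an added example (not from the article or from Shape Security's report), the following Python sketch shows why the two defences the article describes, per-account lockout and per-IP rate limiting, stay silent under the pattern in the preceding paragraphs: one failure per stolen username, one attempt per bot IP. A detector that looks at the shape of the whole login window (burst of attempts, high failure share, nearly every failure a different user from a different IP) still exposes it. The log format, thresholds and sample log lines are all constructed for the illustration.

```python
"""Added example: why per-account and per-IP counters miss credential stuffing.

Constructed log format (hypothetical): "<timestamp> <OK|FAIL> <username> <source-ip>".
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: str
    result: str  # "OK" or "FAIL"
    user: str
    ip: str


def parse_log(text: str) -> list[LoginEvent]:
    """Parse whitespace-separated auth log lines into events."""
    events = []
    for line in text.strip().splitlines():
        ts, result, user, ip = line.split()
        events.append(LoginEvent(ts, result, user, ip))
    return events


def per_account_lockout(events: list[LoginEvent], threshold: int = 5) -> set[str]:
    """Classic defence: accounts with >= threshold failures in the window."""
    fails = Counter(e.user for e in events if e.result == "FAIL")
    return {user for user, n in fails.items() if n >= threshold}


def per_ip_threshold(events: list[LoginEvent], threshold: int = 5) -> set[str]:
    """Classic defence: source IPs with >= threshold failures in the window."""
    fails = Counter(e.ip for e in events if e.result == "FAIL")
    return {ip for ip, n in fails.items() if n >= threshold}


def stuffing_indicator(events: list[LoginEvent], min_attempts: int = 20,
                       min_failure_ratio: float = 0.6,
                       min_distinct_ratio: float = 0.8) -> dict:
    """Aggregate view of the whole window.

    Credential stuffing leaves each account and each bot IP with roughly one
    failure, so the per-entity counters above never reach their thresholds.
    What it cannot hide is the window as a whole: a burst of attempts in which
    almost every failure is a different username from a different IP.
    Thresholds here are illustrative, not tuned values.
    """
    n = len(events)
    failures = [e for e in events if e.result == "FAIL"]
    nf = len(failures)
    stats = {
        "attempts": n,
        "failure_ratio": nf / n if n else 0.0,
        "distinct_user_ratio": len({e.user for e in failures}) / nf if nf else 0.0,
        "distinct_ip_ratio": len({e.ip for e in failures}) / nf if nf else 0.0,
    }
    stats["flagged"] = (
        n >= min_attempts
        and stats["failure_ratio"] >= min_failure_ratio
        and stats["distinct_user_ratio"] >= min_distinct_ratio
        and stats["distinct_ip_ratio"] >= min_distinct_ratio
    )
    return stats


# Constructed sample traffic: a few legitimate users, one of whom mistypes once.
NORMAL_LOG = """
2016-03-16T09:59:50 OK dave 192.0.2.10
2016-03-16T09:59:52 OK erin 192.0.2.11
2016-03-16T09:59:55 FAIL frank 192.0.2.12
2016-03-16T09:59:57 OK frank 192.0.2.12
2016-03-16T09:59:59 OK dave 192.0.2.10
"""

# Constructed stuffing burst: 20 stolen usernames, each tried once from a
# different bot IP; one reused password happens to work.
STUFFING_LOG = "\n".join(
    f"2016-03-16T10:00:{i:02d} {'OK' if i == 7 else 'FAIL'} victim{i:02d} 203.0.113.{i + 1}"
    for i in range(20)
)

# Constructed brute-force burst for contrast: one account, one source IP.
BRUTE_LOG = "\n".join(
    f"2016-03-16T10:01:{i:02d} FAIL admin 198.51.100.7" for i in range(8)
)

STUFFING_WINDOW = parse_log(NORMAL_LOG + STUFFING_LOG)
BRUTE_WINDOW = parse_log(NORMAL_LOG + BRUTE_LOG)

if __name__ == "__main__":
    for name, window in (("stuffing", STUFFING_WINDOW), ("brute force", BRUTE_WINDOW)):
        print(f"{name}: locked accounts={per_account_lockout(window)} "
              f"blocked IPs={per_ip_threshold(window)} "
              f"window stats={stuffing_indicator(window)}")
```

Run as a script, the brute-force window trips both classic controls, while the stuffing window trips neither and is caught only by the window-level indicator. In production the same idea is usually expressed as a ratio of failed logins to the site's normal baseline, combined with the device and behavioural signals the article goes on to describe.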

"If they were coming from the same computer, it would be very obvious to defend against," said Sumit Agarwal, Shape Security's co-founder and vice president of strategy. "If they all came from a country where I don't even do business, that would be easy to defend. But the attack traffic comes during regular business hours, domestic to the country where you do business, from unwittingly compromised machines belonging to real users."

Finally, to get around CAPTCHA challenges, attackers use optical character recognition.

According to Ghosemajumder, every single CAPTCHA-type system has been shown to be vulnerable to optical character recognition attacks for the past several years.

"Anyone who's using a CAPTCHA to try to keep automation at bay is not even introducing a significant road block," he said.

Putting all these pieces together into a targeted attack against a particular organization is not a simple task for a would-be attacker. Building a botnet, stealing credentials from another site, bypassing CAPTCHAs and other security mechanisms are all difficult tasks. Or they used to be.
