Credential stuffing: Bigger and badder than ever

Credential stuffing has been around since 2014, enticing cybercriminals with a hefty return on investment, and its use has increased of late as even more payment account credentials are stolen and sold on the dark web.

Recorded Future just issued a report that looks at the economic environment surrounding credential stuffing and some of the tools and actors behind the activity, to help explain its effectiveness and popularity. What has essentially happened over the last five years, making it such a potentially disastrous situation for the victims, is that credential stuffing has moved from being a somewhat manual, peer-to-peer enterprise to one that is fully automated.

“In older models, buyers received their wares only after the seller manually approved the deal and delivered the purchased data. Moreover, sellers had to maintain the listings and communicate with the buyers personally. However, with the advent of automated shops, the need for manual engagement was eliminated and the business of compromised accounts fully transitioned from peer-to-peer dealings to a much more democratized, open-to-everyone enterprise,” the report stated.

A higher level of automation also means more victims. The latest batch to hit the headlines were Chipotle customers who took to Twitter and Reddit to say their payment card information had been hacked and was being used to make fraudulent purchases at the Mexican food chain. Chipotle executives said its systems had not been breached and that the people were victims of credential stuffing.

From the criminals' point of view, the best change wrought by the system becoming automated was the drop in price for valid credentials due to millions of additional records going on the market, which, in turn, prodded more malicious actors to move into the field.

“Although the competition quickly brought the average price of a single compromised account from over $10 down to a mere $1 to $2, the overall profitability of credential stuffing attacks increased significantly through sheer volume,” the report said.

Besides automation, the other technological leap boosting credential stuffing was the advance in account-checking software tools that allow a criminal to try to brute-force accounts across several companies.

Recorded Future called out:

  • STORM - a tool offered for free, but accepting donations.
  • Black Bullet - first appeared on the dark web in early 2018 and likely was created by the actor Ruri. It only allows for single-company attacks.
    Price: Between $30 and $50
  • Private Keeper - developed by the actor deival909 and is by far the most popular account-checking software in the Russian-speaking underground.
    Price: From 49 Russian rubles (approximately $0.80)
  • SNIPR - developed by the threat actor Pragma and supports both online credential stuffing and offline brute-forcing dictionary attacks.
    Price: $20
  • Sentry MBA - with over 1,000 configuration files available, is one of the most prominent and readily available examples of account-checking software on the dark web.
    Price: Between $5 and $20 per configuration file
  • WOXY - an email checker that allows criminals to verify the validity of email accounts, scan email content for valuable information (like gift card codes or online subscriptions to streaming services, travel websites, and financial institutions), and hijack valid accounts by resetting login passwords automatically.
    Price: Was $40, but recently shared and is now free.
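The defender-side check that the tools above imply, as an added example that is not from the article or from Recorded Future: a detector run over constructed authentication-log lines that separates credential stuffing (many different accounts tried from one source, low success rate) from classic single-account brute force, and lists the accounts that did log in during the burst, since those are the ones whose reused passwords need resetting. The log format, source grouping and thresholds are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the report), one line per login attempt.
SAMPLE_LOG = """\
2019-04-30T10:00:01 src=203.0.113.7 user=alice@example.com result=fail
2019-04-30T10:00:02 src=203.0.113.7 user=bob@example.com result=fail
2019-04-30T10:00:02 src=203.0.113.7 user=carol@example.com result=ok
2019-04-30T10:00:03 src=203.0.113.7 user=dave@example.com result=fail
2019-04-30T10:00:04 src=203.0.113.7 user=erin@example.com result=fail
2019-04-30T10:00:09 src=198.51.100.4 user=alice@example.com result=fail
2019-04-30T10:00:10 src=198.51.100.4 user=alice@example.com result=fail
2019-04-30T10:00:11 src=198.51.100.4 user=alice@example.com result=fail
2019-04-30T10:05:00 src=192.0.2.9 user=grace@example.com result=ok
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(ok|fail)$")

def parse(log_text):
    """Return (timestamp, src_ip, user, result) tuples, skipping malformed lines."""
    events = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ts, src, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=1),
                          min_users=5, max_success_rate=0.5):
    """Flag sources trying many *different* accounts in a short window.
    Stuffing differs from classic brute force: each account gets one or two
    tries with a leaked password, so the signal is distinct usernames per
    source. Any 'ok' inside a flagged window is a likely reused password."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding time window per source
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            ok = [e for e in win if e[3] == "ok"]
            if len(users) >= min_users and len(ok) / len(win) <= max_success_rate:
                flagged[src] = {"distinct_users": len(users), "attempts": len(win),
                                "hits": sorted({e[2] for e in ok})}
                break  # one verdict per source is enough
    return flagged
```

In the sample, 203.0.113.7 is flagged with carol@example.com as the account to reset, while 198.51.100.4 (five tries against one account) is left to the ordinary lockout logic.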
