Credential Stuffing 2022: The Latest Attack Trends and Tools - Pentestmag

Credential Stuffing 2022: The Latest Attack Trends and Tools

Credential Stuffing 2022: The Latest Attack Trends and Tools

by Robin Chan

Latest Attack Trends

Credential stuffing attacks are on the rise, as we see more and more cyber breaches and compromised data being released online. A few years ago, if a hacker gained access to a trove of credential information, they often kept it for themselves or offered it up for sale on the dark web. But in 2019 the so-called Collections #1–5 list showed up in hacker forums and torrents, being freely distributed. These collections include a staggering 3.2 billion unique usernames and associated passwords (COMB: over 3.2 Billion Email/Password Combinations Leaked | CyberNews). 

Credential stuffing is a type of attack in which threat actors use automation and lists of compromised usernames and passwords to circumvent authentication and authorization mechanisms, with the goal of account takeover (ATO) and/or data exfiltration. Credential stuffing attacks are not only a more efficient and effective way for attackers to gain unauthorized access than traditional brute force password attacks, but they’re also becoming easier to perpetuate with new tools. The new tools are more advanced and are streamlined for wider audiences, from script kiddies to advanced hackers. Moreover, scripting and automation tools have also become more optimized and streamlined, leading to a higher volume of attacks.

In F5’s 2021 Credential Stuffing Report, they state that the combined threats of phishing and credential stuffing accounted for roughly half of all publicly disclosed breaches in the United States in 2018 and 2019. Because stolen credentials are so valuable, there is still a high demand for them, creating a vicious circle in which organizations face both network intrusions in pursuit of credentials and credential stuffing in pursuit of profits.

The report also pointed out several alarming trends:

  • Between 2016 and 2020, the number of credential spills (events in which a combination of username and password is leaked) more than doubled.
  • Despite increased awareness of cyberattacks, password hygiene remains poor.
  • Organizations take between 120 days (approximately 4 months) and 327 days (approximately 10 and a half months) to detect credential spills.

Most notably, the report states that “in several cases, leaked databases are found on the Dark Web even before the companies detect a cyber intrusion”.

Credential stuffing attacks take advantage of users' proclivity to reuse their credentials across multiple services and applications. Credential stuffing can result in low success rates for attackers, but the use of automation allows attackers to drive high volumes of login attempts originating from different IP addresses, decreasing the likelihood that most traditional security controls will detect the attack as malicious activity. It’s important to remember that strong password hygiene policies and Multi-Factor Authentication (MFA) are the first steps in mitigating credential stuffing attacks.

Latest Attack Tools and Configurations

Credential stuffing attacks rely on four core parts:

  1. The Tool/Software for credential stuffing - some options include:
    1. STORM
    2. SilverBullet
    3. OpenBullet
    4. SNIPR
    5. BurpSuite
  2. The API Config file - some places to look for these are:
  3. The Wordlist/dataset file (leaked logins from datasets), some options or places to look include:
    1. COMB
    2. The Darknet
  4. A Proxy (SOCKS4 or SOCKS5) to avoid timeouts
    1. Proxyscape


Firstly, let’s look at the tools. The tool I have used in the past for lab-based credential stuffing is the Community (free) version of Burp Suite, which comes with most versions of Kali Linux. However, there are many better options on the market today, such as SilverBullet, OpenBullet or STORM which have more features and are easier to set up and deploy.

Next is the “bread and butter” of the attack. The attacker needs an API configuration file to run the credential stuffing attack. These config files can either be hand-crafted, obtained for free, or purchased for a premium to get more advanced functionality. When doing security testing, browse online for API configurations of the company you are security testing for. If you see new/updated API configurations for the company you are testing for, be sure to document it under risk management.

Credential stuffing attacks utilize lists of compromised usernames/password combinations from previous data breaches, which exploits the bad habit of users implementing the same credentials across multiple services. Most attackers will look to any of the free datasets posted online (typically on the Darknet), such as COMB (collection of many breaches).

After configuring the tools and obtaining a dataset to work with, the attacker will most likely utilize a proxy service to mask the source IP of each attack to avoid detection and timeouts. Attackers will use options such as Proxyscape to do this.

Attackers will also throttle their credential stuffing attacks to avoid detection and, as a result, avoid triggering rate limits on API endpoints set by an organization. Because organizations can't distinguish the activities of a single attacker within the mass of traffic, services with normally massive traffic flow may fail to recognize credential stuffing attacks at all.

Once the attacker finds working credentials, the attacker now has authenticated content in which the account is now taken over and the attacker can pivot to extracting more data and abusing authenticated functionality.

How to Mitigate Credential Stuffing Attacks

The first step to mitigating credential stuffing attacks is ensuring that users are utilizing strong credential logins. The risk can either be managed internally by utilizing unique usernames (avoid using email addresses as User IDs), strong password policies and multi-factor authentication, or the risk can be managed externally by shifting the risk onto a third party by utilizing OAuth.

After implementing strong credential authentication, the following tools should also be implemented:

  • Implement Behavioral Analytics
  • Deploy Device Fingerprinting and User Profiling
  • Implement IP Address Deny lists
  • Rate-Limit Non-Residential Traffic Sources
  • Block Headless Browsers

Once the tools and policies to mitigate Credential stuffing attacks have been implemented, the next best step is to perform security testing and auditing against the security configurations you’ve implemented. The best way to tell if you’re vulnerable to an exploit is to try to exploit it yourself and document the results. Please make sure you have the proper permission and documentation prepared before performing any security testing!

About the Author

Robin Chan is a 3rd-year student at Fanshawe College working towards an Ontario College Advanced Diploma in Cyber Security. When he’s not working or in school, he’s learning about various technologies and evolving IT threats, tinkering with tech, playing video games, writing for Bora and watching Studio Ghibli films.

February 17, 2022
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013