By Richard Arneson
Just last week, sugary sweet giant Dunkin’ Donuts was hit with its second cyber-attack in three (3) months. Both attacks can be filed in a cyberattack category you may not have heard of—credential stuffing. It’s a type of brute force attack in which stolen credentials are used to access other online accounts.
We’ve all signed up for online membership programs, right? Doing so grants you access to coupons, perks and special deals for products and services. Nothing wrong with that. But Credential Stuffing Attacks target these membership programs, which allows hackers to access accounts and get names, email addresses and account numbers associated with the program.
Membership and loyalty programs have been around for years, and their quid pro quo nature benefits both parties involved. You get good deals and the vendor builds a rich database of customers to whom they can market. And because they rarely involve sensitive information, such as credit card numbers or social security numbers, they don’t often raise red flags for customers. They know what signing up results in—offers and information getting pushed to your inbox. And, of course, you can opt-out at any time. So, what’s the problem?
Here’s how credential stuffing works, and why you should care about it
Credential stuffing involving donut shops may sound benign, but attackers are looking to do more than disrupt vendor couponing. Last August, credential stuffing resulted in a $13.5 million bank heist in India.
Through automated tools and scripts available on the dark web, credential stuffers use stolen login information to target particular websites. The login information can stuff websites’ account logins until matches are uncovered. They’re then sold on the dark web advertising that they’ve been verified to work on a particular site.
If you don’t use one (1) of the many password managers on the market, you should. And if you don’t, you’ve probably found yourself using the same login and password for a wide range of sites. And, who knows, you may be using the same login information for online banking that you do for the sandwich shop around the corner. Is getting 2 for 1 patty melts worth more than a hacker gaining access to your financial data? Probably not.
Steps to protect your organization against credential stuffing
If you currently offer a membership or loyalty program, it’s advised that you take a regular look at authentication logs. If you see a large number of authentication attempts from the same IP address, you may be the victim of credential stuffing. Also, if you’re allowing access through Tor nodes, which allow users to remain anonymous, it can be difficult to determine the source. You may want to block access from Tor nodes altogether.
And, yes, it may annoy some customers, but requiring members to periodically reset passwords can help guard against credential stuffing attacks. But be careful with the wording of the communique, or customers may think they’re they a phishing target.
Let these folks take the complexity out of your security posture
To find out how to secure your organization’s network and protect its mission critical data, contact GDT’s tenured and talented engineers and security analysts at SOC@GDT.com. From their Security and Network Operations Centers, they manage, monitor and protect the networks of companies of all sizes, including those for some of the most notable enterprises, service providers, healthcare organizations and government agencies in the world. They’d love to hear from you.