The Tools That Automate Credential Stuffing & Account Takeover

In the general field of cybersecurity, there’s a very specific threat that’s causing dread among network protectors and others with skin in the game of warding off hackers from enterprise systems. It’s called credential stuffing, and it has become entirely too easy for hackers to do. With that in mind, companies are scrambling to figure out how to deal with the onslaught of malicious activity that uses credential stuffing as a key tactic.

What Is Credential Stuffing?

First of all, it's important to understand what the security community means when they talk about credential stuffing.

People who talk about this process are typically referring to automation tools that help crack websites and systems by reusing people's passwords and identifiers in different environments.

In other words, hackers know that people often use the same password for multiple sites and accounts, so when they get an initial password through a breach or cyberattack, they take that information and put it into a botnet or other automated system, and the technology combs through different sites to find other opportunities where those usernames and passwords can unlock doors. Hackers are “stuffing” those keywords into one login after another, looking for that “open sesame” result.

The problem is that powerful automation tools are being used to achieve unauthorized access and even steal people's identities. Credential stuffing is becoming a major problem, and companies are turning to consultants and experts to try to figure out what to do about it.

The Techniques and Data Being Sought

Again, with credential stuffing, hackers will take any initial username and password data obtained from somewhere, such as a less secure web environment. Maybe someone has a very basic account with a peripheral marketing website, and nobody thought to secure that website well because there's no sensitive data there. But if the hacker gets that password, and someone uses the same password for their banking or their employee accounts or anything else important, credential stuffing is going to allow the hackers to get in.


Some of the tools hackers are using were actually built for white hat security work.

Sentry MBA is a good example, where the maker of the software actually provides disclaimers stating that they're not responsible for malicious uses. Sentry was often initially used for penetration testing to find the weak points in network systems through simulation. Now, hackers are using it for credential stuffing. There is also speculation that similar tools like Vertex can do the same thing.

Another tool commonly used is OpenBullet, also originally developed as a web testing suite. Security workers are lamenting how this software, which was made for innocuous testing uses, is being abused to beam illicit information into hundreds of channels and come up with results that can compromise networks and wreak havoc on enterprise structures. Then, too, hackers can utilize tools like proxies to run under the radar where successive efforts might otherwise get flagged by network protection software. By creating artificial diversity, the hacking community ramps up the volume of attacks without triggering common reactions by security apparatus.

“Proxies are an important part of OpenBullet,” writes a team at TrendMicro, talking about the use of proxies for multiple attempts at logins, assumedly with some sort of IP spoofing. “(Proxies) can set up the time between each connection attempt so that each attempt does not raise any alarms on the targeted website for an unusual login activity that typically would be generated by a high number of attempts in a very short period.”

All of this is sobering when it comes to protecting systems or even spotting threats as they emerge inside a network. With the ubiquity of tools, the inherent user-friendliness of these systems, and even a spate of YouTube videos promoting illicit use, the table is stacked against those who need to protect systems involving weak and exploitable logins and identifiers.

How to Protect Against Credential Stuffing

The best core protection against credential stuffing is good password hygiene. Credential stuffing is, at the bottom, a kind of brute force attack that only works based on the inherent weakness of certain gatekeeping technologies or, in a sense, human error when applied to these systems.

There are several major elements of building a better password culture. A very important one is dynamic password management. When networks and systems require users to update passwords every so often, they are reinforcing a key protection that stops credential stuffing from being effective. It’s unlikely that a user could update to something that would still be useful across a variety of platforms. Strong password enforcement can help, too, where the requirement for complex characters prevents users from creating easily hackable keys like “1111” or “password.”

Training and onboarding can also be a place where people introduce the concept of strong passwords and password hygiene. If people are aware that they shouldn't use the same password for different platforms, they are limiting the range and capability of credential stuffing with any of the above tools. In that sense, spreading the word could cut down on the efficacy of credential stuffing attacks on its own.

Multifactor authentication, of course, is a major pillar of cybersecurity that works against all kinds of improper access attacks. It's extremely unlikely that a hacker is going to have someone's personal device as they attempt some kind of credential stuffing or other identity access hack.

However, cyberattacks have been built to focus on compromising the MFA itself, which is a whole new frontier in cybersecurity and network management. Techniques like SIM swapping or tactics applied to less secure forms of SMS may help black hat parties achieve these goals. That’s a big heads-up to those who assumed MFA is a magic bullet for foiling unauthorized access to systems.

It's also important for companies (and users) to know about the dangers of "smishing," where phishing principles are applied to SMS communications, or more sophisticated or complex techniques sometimes known as "smishmash," involving SMS spoofing and other deceptions. One prime example is when hackers initiate an illegitimate password reset request to trick a device.

Finally, the password protections that a company puts in place must extend beyond the internal architecture’s borders, at least insofar as vendor systems apply. Third parties may not have the same password and identity vetting standards, leaving a weak link (or several) in the chain. Effective network protection must be applied beyond the perimeter, with attention to these kinds of third-party and external vulnerabilities.

FYEO: Better Security

Being able to anticipate what hackers are doing is a key component of a cybersecurity framework. A better understanding of the threat landscape is part of what motivates companies to put their best foot forward in terms of proactive cybersecurity.

One element of this is FYEO’s decentralized password management and other services representing best practices in network protection. Get help from a top firm offering identity, domain intelligence, and blockchain security tools — solutions for today’s threat environment. By utilizing tools like FYEO Identity, a real-time identity monitoring system, companies can be ready for whatever hackers throw their way. Look for next-generation password management and cybersecurity to circle the wagons in ways that will thoroughly harden your systems, protecting users and data.