Monday, January 18, 18:25

The FBI reveals that banks were hit by credential-stuffing attacks!

Last week, the FBI warned banks and other financial institutions in the USA about the growing number of credential-stuffing attacks targeting their networks, which lead to security breaches and significant financial losses.

"Credential stuffing" is a term that has appeared relatively recently in the field of cyber security. It is a type of attack in which hackers obtain collections of usernames and passwords that were leaked on the internet through data breaches at other companies and test them against accounts on other online services. These attacks aim to find accounts where users have reused passwords and then gain unauthorized access to the account, the user's profile and the connected resources.


Credential-stuffing attacks have emerged as a threat in recent years, as billions of username and password combinations from hundreds of companies have been leaked over the past five years.

Hackers began collecting leaked credentials and testing them on various online services. Initially, they aimed at online gaming and food delivery accounts, but as the tactic proved more and more successful, they also began targeting online banking services as well as cryptocurrency exchanges to steal financial assets.


According to an FBI security advisory obtained by ZDNet, credential-stuffing attacks have increased in recent years and have now become a major problem for banks and other financial institutions. Since 2017, the FBI has received many reports of such attacks against US financial institutions, with more than 50,000 accounts compromised in total over that period. Victims of the attacks include banks, financial service providers, insurance companies and investment firms.

In addition, the FBI reports that many of these attacks target application programming interfaces (APIs), as these systems are less likely to require multi-factor authentication (MFA) and are less closely monitored than user-facing login systems. Credential-stuffing attacks target not only customer profiles but also employee accounts, with hackers also going after high-profile accounts. Some of these attacks failed, while others succeeded, costing banks and organizations multimillion-dollar losses over the past year.

The FBI also reported some significant recent incidents of credential-stuffing attacks, including the following:

  • June - November 2019: A small hacking team targeted a financial services institution and three of its customers, compromising more than 4,000 online banking accounts. The hackers then used bill payment services to make "fraudulent" payments - about $40,000 in total - to themselves, which they later approved in foreign bank accounts.
  • June 2019 - January 2020: A New York-based investment firm and an international money transfer platform came under attack through their mobile APIs. Although neither entity reported fraud, one of the attacks resulted in a widespread system outage that prevented the collection of nearly $2 million in revenue.
  • July 2020: A medium-sized US financial institution reported that its Internet banking platform saw many login attempts using various credential pairs, which is considered indicative of the use of bots. Also, between January and August 2020, unknown malicious actors used aggregation software to link hacker-controlled accounts to client accounts held at the same institution. This resulted in more than $3.5 million in "fraudulent" checks and ACH transfers. However, the report does not establish whether the increased login attempts and the "fraudulent" transactions are the work of the same malicious actors.

Security investigators located more than 1,500 e-mail addresses and 6,000 passwords exposed in more than 80 data breaches. Some of the credentials belonged to the company's leadership, system administrators and other employees with privileged access.

The FBI therefore advises financial institutions to take protective measures to deal with the growing threat of credential-stuffing attacks. Its recommendations include key detection strategies and mitigation tips that can be applied across all sectors, not just by organizations operating in the financial sector.
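
As an added illustration (not taken from the FBI advisory or from this article's source), the pattern described in the July 2020 incident, many login attempts with different credential pairs from one source, can be flagged in authentication logs roughly as follows. The log format, the function names and the thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict

def parse(line):
    """Split one 'timestamp source_ip username result' line (assumed format)."""
    _ts, ip, user, result = line.split()
    return ip, user, result == "OK"

def detect_stuffing(lines, min_users=5, max_per_user=2.0, min_fail_ratio=0.8):
    """Return {source_ip: stats} for sources that look like credential stuffing.

    Signal: one source tries many distinct usernames, only a few attempts per
    username (pairs from a leaked list, not password guessing), mostly failing.
    """
    attempts = defaultdict(lambda: defaultdict(list))  # ip -> user -> [success flags]
    for line in lines:
        if not line.strip():
            continue
        ip, user, ok = parse(line)
        attempts[ip][user].append(ok)

    flagged = {}
    for ip, users in attempts.items():
        total = sum(len(v) for v in users.values())
        failures = sum(v.count(False) for v in users.values())
        stats = {
            "users": len(users),
            "attempts": total,
            "fail_ratio": failures / total,
            # Accounts where a tried pair worked: lock or reset these first.
            "compromised": sorted(u for u, v in users.items() if any(v)),
        }
        if (stats["users"] >= min_users
                and total / len(users) <= max_per_user
                and stats["fail_ratio"] >= min_fail_ratio):
            flagged[ip] = stats
    return flagged

# Constructed sample log: documentation-range addresses, invented usernames.
SAMPLE_LOG = (
    [f"2020-07-01T10:00:{i:02d}Z 203.0.113.7 user{i} FAIL" for i in range(9)]
    + ["2020-07-01T10:00:09Z 203.0.113.7 user9 OK"]  # one reused password works
    + [f"2020-07-01T10:01:{i:02d}Z 198.51.100.4 bob FAIL" for i in range(8)]  # one account guessed
    + [f"2020-07-01T10:02:{i:02d}Z 192.0.2.10 staff{i} OK" for i in range(6)]  # shared office NAT
    + ["2020-07-01T10:03:00Z 192.0.2.55 carol FAIL",
       "2020-07-01T10:03:05Z 192.0.2.55 carol OK"]  # ordinary typo, then success
)

if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

Attempts spread over many source addresses stay under a per-address threshold, so the same ratios are usually also tracked per API client, user agent or network range.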

