Last week, the FBI warned banks and other financial institutions in the USA about the growing number of credential-stuffing attacks targeting their networks, which lead to security breaches as well as significant financial losses.
"Credential stuffing" is a term that has appeared relatively recently in the field of cyber security. It is a type of attack in which hackers take collections of usernames and passwords that have been leaked to the internet through data breaches at other companies and test them against accounts on other online services. These attacks aim to locate accounts where users have reused passwords and then gain unauthorized access to the user's profile and the connected resources.
Credential-stuffing attacks have emerged as a threat in cyberspace in recent years, since billions of username and password combinations have been leaked from hundreds of companies over the past five years.
Hackers began collecting leaked credentials and testing them on various online services. Initially, they aimed at online gaming and food delivery accounts, but as the tactic proved more and more successful, they also began targeting online banking services and cryptocurrency exchanges to steal financial assets.
According to an FBI security advisory obtained by ZDNet, credential-stuffing attacks have increased in recent years and have now become a major problem for banks and other financial institutions. Indicatively, since 2017 the FBI has received many reports of such attacks focusing on US financial institutions, with over 50.000 accounts compromised in total over that time. Victims of the attacks include banks, financial service providers, insurance companies and investment firms.
In addition, the FBI reports that many of these attacks target application programming interfaces (APIs), as these systems are less likely to require multi-factor authentication (MFA) and are less closely monitored than user-facing login systems. Credential-stuffing attacks target not only user profiles but also employee accounts, with hackers also targeting high-profile accounts. Some of these attacks have not been successful, while others have succeeded, leading banks and organizations to multimillion-dollar losses over the past year.
The FBI also reported some significant recent incidents of credential-stuffing attacks. Indicatively, it highlights the following:
- June - November 2019: A small hacking team targeted a financial services institution and three of its customers, compromising more than 4.000 online banking accounts. The hackers then used bill payment services to make "fraudulent" payments - about $ 40.000 in total - to themselves, which they later approved in foreign bank accounts.
- June 2019 - January 2020: A New York-based investment firm and an international money transfer platform had their mobile APIs come under attack. Although neither entity reported fraud, one of the attacks resulted in a widespread system outage that prevented the collection of nearly $ 2 million in revenue.
- July 2020: A medium-sized US financial institution reported that its Internet banking platform saw many login attempts using various credential pairs, which were assessed to be indicative of the use of bots. Also, between January and August 2020, unknown malicious actors used aggregation software to link hacker-controlled accounts to client accounts belonging to the same institution. This resulted in more than $ 3,5 million in "fraudulent" checks and ACH transfers. However, the report does not show whether the increased links and "fraudulent" transactions are the work of the same malicious actors.
Security investigators have located more than 1.500 e-mail addresses and 6.000 passwords exposed in more than 80 data breaches. Some of the credentials belonged to the company's leadership, system administrators and other employees with privileged access.
Therefore, the FBI advises financial institutions to take protective measures to deal with the growing threat of credential-stuffing attacks. Its recommendations include key detection strategies and mitigation tips that can be applied universally to all sectors and not just to organizations operating in the financial sector.
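The July 2020 incident above was spotted because many login attempts arrived with different credential pairs. The sketch below is an added example, not taken from the FBI advisory or the article's sources; it flags a source address that tries many distinct usernames with mostly failed logins inside a short window. The log format, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): time, source IP, username, outcome.
SAMPLE_LOG = """\
2020-07-01T10:00:00 203.0.113.7 alice FAIL
2020-07-01T10:00:05 203.0.113.7 carol FAIL
2020-07-01T10:00:10 203.0.113.7 dave FAIL
2020-07-01T10:00:15 203.0.113.7 erin FAIL
2020-07-01T10:00:20 203.0.113.7 frank FAIL
2020-07-01T10:00:25 203.0.113.7 grace OK
2020-07-01T10:01:00 198.51.100.4 heidi FAIL
2020-07-01T10:01:20 198.51.100.4 heidi FAIL
2020-07-01T10:01:45 198.51.100.4 heidi OK
2020-07-01T10:02:00 192.0.2.9 bob FAIL
2020-07-01T10:02:01 192.0.2.9 bob FAIL
2020-07-01T10:02:02 192.0.2.9 bob FAIL
2020-07-01T10:02:03 192.0.2.9 bob FAIL
2020-07-01T10:02:04 192.0.2.9 bob FAIL
"""

def parse(log):
    """Yield (timestamp, ip, username, succeeded) for each non-empty line."""
    for line in log.splitlines():
        if line.strip():
            ts, ip, user, outcome = line.split()
            yield datetime.fromisoformat(ts), ip, user, outcome == "OK"

def detect_stuffing(log, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Return {ip: (distinct_usernames, fail_ratio)} for sources that, inside a
    sliding window, try many different usernames with mostly failed logins."""
    recent = defaultdict(deque)   # ip -> events still inside the window
    flagged = {}
    for ts, ip, user, ok in sorted(parse(log)):
        q = recent[ip]
        q.append((ts, user, ok))
        while ts - q[0][0] > window:          # expire events older than the window
            q.popleft()
        users = {u for _, u, _ in q}
        ratio = sum(not o for _, _, o in q) / len(q)
        # Many usernames + high failure rate = reused leaked pairs, not one
        # user mistyping a password or a single-account brute force.
        if len(users) >= min_users and ratio >= min_fail_ratio:
            if len(users) >= flagged.get(ip, (0, 0.0))[0]:
                flagged[ip] = (len(users), round(ratio, 2))
    return flagged

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

A per-address rule like this misses attempts spread across many source addresses, so it works best alongside the same counts taken per target account and per API endpoint.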