Dark web marketplaces are awash with account logins for popular online services. Supply for this market is being driven in part by ‘credential stuffing’ attacks, in which criminals use bots to try out common and reused passwords. This threat is fuelled in part by poor cybersecurity hygiene among customers, but ultimately businesses must make sure their accounts are secure.
The dark web market for customer log-ins
The dark web is teeming with stolen log-ins. Research by security vendor F5 found billions of credentials on sale in marketplaces such as Raid Forums, Hacktown and XSS.
The market price of these logins varies based on value to cybercriminals. Log-ins for an account with online clothes retailer ASOS sell for as little as $7.50, according to research by Privacy Affairs and Top10VPN, while credentials for cryptocurrency exchange Kraken can fetch up to $810. “Criminals follow the money,” explains Rick Holland, CISO and vice president for strategy at Digital Shadows.
Like any e-commerce site, dark web marketplaces incorporate user ratings and reviews, but there is still little to confirm the sellers’ claims that their wares are ‘fresh’. But with businesses typically taking 327 days to detect a data breach, there is usually plenty of time to exploit these stolen log-ins.
The credentials being sold on the dark web have often been sourced en masse through data breaches, or piece by piece from phishing attacks. But their supply is also being driven by automated attacks known as ‘credential stuffing’.
What is a credential stuffing attack?
In a credential stuffing attack, a criminal will employ a bot to reuse credentials leaked from one site on many others – or simply try commonly used passwords. If these attempts are successful, attackers might exploit the breached accounts themselves or pump them into a dark web marketplace.
The scale of the threat is staggering. According to Akamai’s bot monitoring service, hundreds of millions of automated log-in attempts take place every day. The figure topped 1 billion attempts a day on multiple occasions in the first half of 2021.
While the success rate of credential stuffing attacks is typically between one and three percent, the sheer volume of attempts means successful breaches can number in the tens of thousands. This threat can cost individual organisations up to $6m in loss of customers, performance degradation, and cybersecurity overheads, according to the Ponemon Institute.
The threat is driven in part by poor cybersecurity hygiene. Almost a million UK residents used ‘123456’ or ‘password’ as their security credentials in 2021, according to research by NordPass, while 65% of internet users admit to reusing passwords across multiple services, according to a 2019 survey by Google. While best practice for individuals is to use a password manager, this requires a degree of technology know-how, says Holland. “A unique password is probably the main thing you could do to protect yourself,” he says.
Ultimately, though, responsibility lies with the companies with whom these credentials have been entrusted, Holland argues. “We’re having to rely on the security controls, detection and response of any of these companies that have our accounts and loyalty.”
Cracking down on credential stuffing attacks
Currently, however, businesses don’t appear to be on top of the issue. Earlier this month, the New York Attorney General Letitia James announced the findings of a months-long investigation into credential stuffing that uncovered 1.1 million login details of customers of 17 “well-known” companies, ranging from e-commerce platforms to food delivery services, for sale on the dark web. The majority of the companies targeted were unaware that their customers' account details had even been compromised.
“Companies need to proactively look for stolen credentials of their customers because intrusion is inevitable,” Holland says. “Quickly detecting, responding and minimising the risk to customers is something they should all be doing. [I]t should almost be a fiduciary responsibility for these service providers.”
Businesses are getting better at this, he adds, and criminal investigations such as that in New York will help to put this on the agenda. But, Holland concludes, the threat from credential stuffing attacks will "get worse before it gets better".
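The pattern described above (one automated source trying many different accounts, with only a few percent of attempts succeeding) leaves a recognisable trace in authentication logs. The Python below is an added example, not code from the article or from any company named in it; the log format, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse(line):
    # Assumed log format: "<ISO timestamp> <source IP> <username> <OK|FAIL>"
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(lines, window=timedelta(minutes=5), min_users=20, max_success=0.05):
    """Flag sources that try many distinct accounts in a short window with a
    low success rate. Returns {ip: [accounts that source logged in to]}."""
    events = defaultdict(list)
    for line in lines:
        ts, ip, user, ok = parse(line)
        events[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            rate = sum(ok for _, _, ok in span) / len(span)
            if len(users) >= min_users and rate <= max_success:
                # Every account this source got into is a candidate for a forced reset.
                flagged[ip] = sorted({u for _, u, ok in evs if ok})
                break
    return flagged

def sample_log():
    """Constructed sample data (documentation IP ranges, made-up usernames)."""
    t0, lines = datetime(2021, 6, 1, 10, 0, 0), []
    for i in range(40):  # bot: 40 leaked usernames, one of which still works
        res = "OK" if i == 30 else "FAIL"
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 203.0.113.7 user{i:02d} {res}")
    for i in range(25):  # shared office address: many users, all succeed
        lines.append(f"{(t0 + timedelta(seconds=5 * i)).isoformat()} 192.0.2.10 staff{i:02d} OK")
    for i, res in enumerate(["FAIL", "FAIL", "OK"]):  # one person mistyping a password
        lines.append(f"{(t0 + timedelta(seconds=10 * i)).isoformat()} 198.51.100.20 carol {res}")
    return lines

if __name__ == "__main__":
    for ip, accounts in detect_stuffing(sample_log()).items():
        print(f"{ip}: suspected credential stuffing, reset {accounts}")
```

Requiring a low success rate as well as a high account count keeps a shared office address from being flagged. Attempts spread across many source addresses will not trip a per-source counter, so this is one signal to combine with others.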