Credential stuffing is a stepping stone to more substantial cyberattacks, with delayed repercussions that hit supply chains or inventory. As cybercriminals' financial motives grow, so does the scale of their attacks.
"If a bunch of bots want to log into a bunch of accounts and do nothing else, that's not really a business problem," said Zane Lackey, co-founder and CISO at Signal Sciences and former director of Security Engineering at Etsy, while speaking at the virtual Forrester Security and Risk Global 2020 conference last week. Security professionals can take credential stuffing for granted; if the business doesn't act on the initial issue, greater calamity is inevitable.
"That's the purpose of the bot" — to scale an attack to an infinite amount, said Russell Handorf, principal threat intelligence hacker at White Ops and former computer scientist with the FBI, while speaking on the panel.
Handorf showed attendees an automated credential stuffing attack in which attackers pooled two types of information — one from public resources and the other from public credential leaks — to improve their chances of intrusion. Because breaches happen every day, hackers have a constant pool of exposed data to use. From there, hackers take the exposed credentials and replay them against websites, testing which ones still work.
Financially motivated hackers and bot attacks are generally understood, but "it's really different to actually see that firsthand," said Lackey.
During a cyberattack launched against Etsy, Lackey had a front-row seat to how a credential stuffing attack plays out. In one case, hackers were attempting an account takeover that looked like the appetizer to a larger attack, because after logging in they took no further action, said Lackey.
While Lackey's security organization knew the hackers planned to sit idly in Etsy's systems, "we got to see this really interesting thing where the attacker had misconfigured their attack tool chain." The hacker's mistake meant Etsy could see "all of the output from not only the attack tools that they were running against us but for running against everyone."
After the incident, Lackey learned he could follow where the hacker had been successful on a site or service, and "that's where they went and doubled down," said Lackey. The hackers never really pursued targets with "mixed results" in terms of success; they stuck to the ones with guaranteed returns.
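The two signals the panel describes, a single source spraying many different usernames with mostly failures and accounts that are logged into and then left idle, can be checked directly in login logs. The following is an added example, not code from the panel or from Etsy; the log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample log, one event per line: "timestamp source_ip event user".
# Events are LOGIN_OK, LOGIN_FAIL, or ACTIVITY (anything a real user does once logged in).
SAMPLE_LOG = """\
2020-09-22T10:00:01 203.0.113.7 LOGIN_FAIL alice
2020-09-22T10:00:02 203.0.113.7 LOGIN_FAIL bob
2020-09-22T10:00:02 203.0.113.7 LOGIN_OK carol
2020-09-22T10:00:03 203.0.113.7 LOGIN_FAIL dave
2020-09-22T10:00:03 203.0.113.7 LOGIN_FAIL erin
2020-09-22T10:00:04 203.0.113.7 LOGIN_OK frank
2020-09-22T10:05:00 198.51.100.4 LOGIN_FAIL ivan
2020-09-22T10:05:09 198.51.100.4 LOGIN_OK ivan
2020-09-22T10:05:30 198.51.100.4 ACTIVITY ivan
"""

def parse(log):
    """Split the assumed space-separated format into (timestamp, ip, event, user) tuples."""
    for line in log.splitlines():
        ts, ip, event, user = line.split()
        yield ts, ip, event, user

def flag_stuffing_sources(events, min_users=5, max_success_ratio=0.5):
    """Sources that try many distinct usernames with a low success rate (assumed thresholds)."""
    users, fails, oks = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, ip, event, user in events:
        if event.startswith("LOGIN"):
            users[ip].add(user)
            if event == "LOGIN_OK":
                oks[ip] += 1
            else:
                fails[ip] += 1
    flagged = {}
    for ip in users:
        ratio = oks[ip] / (oks[ip] + fails[ip])
        if len(users[ip]) >= min_users and ratio <= max_success_ratio:
            flagged[ip] = {"distinct_users": len(users[ip]), "success_ratio": round(ratio, 2)}
    return flagged

def idle_takeovers(events, suspicious_ips):
    """Accounts a flagged source logged into that show no activity afterwards."""
    logged_in, active = set(), set()
    for _, ip, event, user in events:
        if event == "LOGIN_OK" and ip in suspicious_ips:
            logged_in.add(user)
        elif event == "ACTIVITY":
            active.add(user)
    return sorted(logged_in - active)

def analyze(log=SAMPLE_LOG):
    events = list(parse(log))
    sources = flag_stuffing_sources(events)
    return {"sources": sources, "idle_takeovers": idle_takeovers(events, sources)}
```

Real deployments would key on more than source IP, since stuffing tools rotate addresses, but the idle-account check is the one that catches the "log in and do nothing" stage before the attacker comes back.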
Advertisers be warned
In attacks where hackers generate user accounts to target a company's online and physical inventory meant for legitimate customers, "it hurts them physically at the end of the day, because they're not able to sell and move product," said Handorf.
Hackers can use "the platform [they're] working against to move money out of some other platform," said Lackey. For example, hackers often abuse two-sided marketplaces for money laundering. With stolen payment information and an automated bot army, cybercriminals can attempt fraudulent purchases while testing whether the stolen payment information is still valid.
The marketing industry is particularly susceptible to bots. If sudden spikes in sales or campaign traffic appear right at a campaign's launch, the activity likely doesn't pass "the sniff test," said Joanna O'Connell, VP and principal analyst at Forrester, while speaking on the panel.
"Did I find the magical unicorn solution to advertising? Or is something problematic going on?" asked O'Connell. Bot disruption in advertising is equivalent to lost money. Security, a business practice often left outside of general business strategy, has to fight to find its way into the conversation.
"If we're all being honest, and for any practitioners on the line here, the reality is the first time this happens, it always gets bundled up in the business after the fact," said Lackey.
In the case of bots interfering with marketing campaigns, the first time security is usually included in a conversation is after a successful attack, said Lackey. That's the first time the security organization connects with "parts of the business that didn't realize they could really get attacked like this."
The security organization can teach different business units to detect early indications of malicious activity. The "see something, say something" protocol of security is something that global organizations need to mandate throughout their offices, said Lackey. "The fire alarm is there for a reason. If there really is something on fire, and you pull it, you're not going to get yelled at."
Bots attacking advertisers and marketing agencies are forcing the industry to be more technologically inclined. Brands are saying, "I want to go out and decide on my technology stack myself, I want to own the contract, I want to build in auditing rights, I want to have full transparency into fees," said O'Connell. All of these processes require brand safety and security.