Credential Stuffing

When I am speaking or conducting seminars on internal controls, I always stress the importance of having complex passwords and updating them on a regular basis. The fact that many individuals use the same user ID and password for multiple sites is well known to criminals.

Credential stuffing is one of the ways criminals gain access to various systems. After obtaining user IDs and passwords through data breaches, phishing or other means, the criminal uses software to test the acquired credentials against various websites and computer systems, attempting to access financial, social media, email and other sites with the stolen information. Company and government websites are vulnerable because employees are not diligent in changing and protecting their passwords and often use the same password on multiple systems.

One common tool for conducting credential stuffing is known as Sentry MBA. Less than 1% of these attempts are successful, but the successful attempts are very profitable for the criminals because they gain access to the victim’s information and accounts. Remember that credential testing is done at computer speed, so a criminal can test credentials millions of times an hour. If a criminal is able to obtain 1 million credentials by purchasing them in bulk on the darknet, they would be able to access approximately 10,000 accounts. Also, since each user ID and password pair is only attempted once per website, the account is not locked out when the attempt fails, so the victim is unaware that their information has been tested. The criminals also use botnets (hijacked computers) so that the requests come from many different IP addresses, preventing the targeted website from recognizing that the access attempts are coming from a single source.

Organizations need to monitor login failure rates as a detective control to determine whether they are the target of a credential stuffing attack. Adding two-factor authentication to a website is a good preventive control to limit credential hacking. Another good internal control is requiring complex passwords that contain an upper case letter, a lower case letter, a number and a symbol, requiring users to update passwords every 90 days, and prohibiting the reuse of passwords.

One way to determine if your organization is being attacked by a criminal using Sentry MBA is to Google “sentry mba your company name”. You can also search your web logs for some of the common user agent strings associated with Sentry MBA:

  1. Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
  2. Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
  3. Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
  4. Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3
  5. Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00
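As an added example (not code from the post), the Python script below performs both checks described above over web server log lines: it matches the Sentry MBA user agent strings listed and computes the login failure rate the post recommends monitoring, along with the number of distinct source addresses hitting the login form. It assumes the Apache/Nginx combined log format, a login form that POSTs to /login, and failed logins returning 401 or 403; the sample log lines are constructed.

```python
import re
from collections import Counter

# User-agent strings the post lists as associated with Sentry MBA.
SENTRY_MBA_USER_AGENTS = {
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3",
    "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00",
}

# Assumed log layout: Apache/Nginx "combined" format, one request per line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def analyze(lines, login_path="/login", failure_statuses=(401, 403)):
    """Count Sentry MBA user-agent hits and the login failure rate over the given lines.
    Assumes the login form POSTs to login_path and a failed login returns 401 or 403."""
    ua_hits, login_total, login_failed, login_ips = Counter(), 0, 0, set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["ua"] in SENTRY_MBA_USER_AGENTS:
            ua_hits[rec["ua"]] += 1
        if rec["method"] == "POST" and rec["path"] == login_path:
            login_total += 1
            login_ips.add(rec["ip"])  # many distinct IPs for few users suggests a botnet
            if int(rec["status"]) in failure_statuses:
                login_failed += 1
    return {"ua_hits": ua_hits, "login_total": login_total, "login_failed": login_failed,
            "failure_rate": login_failed / login_total if login_total else 0.0,
            "distinct_login_ips": len(login_ips)}

# Constructed sample lines (not real traffic): three failed logins from different addresses
# using Sentry MBA agents, plus one successful login from an ordinary browser.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 401 512 "-" "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00"',
    '198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11"',
    '192.0.2.44 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3"',
    '203.0.113.99 - - [10/Oct/2023:13:56:02 +0000] "POST /login HTTP/1.1" 302 0 "https://example.test/login" "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"',
]
```

Running `analyze(SAMPLE_LOG)` on the sample gives a 75% login failure rate from four distinct addresses with three Sentry MBA agent hits, the combination the post describes as the signature of an attack.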

About Dr. Bob

Dr. Minniti is the President and Owner of Minniti CPA, LLC. Dr. Minniti is a Certified Public Accountant, Certified Forensic Accountant, Certified Fraud Examiner, Certified Valuation Analyst, Certified in Financial Forensics, Master Analyst in Financial Forensics, Chartered Global Management Accountant, and is a licensed private investigator in the state of Arizona. Dr. Minniti received his doctoral degree in business administration from Walden University, received his MBA degree and Graduate Certificate in Accounting from DeVry University’s Keller Graduate School of Management, and received his Bachelor of Science in Business Administration degree from the University of Phoenix. Dr. Minniti teaches graduate and undergraduate courses in accounting, fraud examination, fraud criminology, ethics, forensic accounting, external audit, and internal audit at DeVry University, Grand Canyon University, Northwestern University, and the University of Phoenix. He designed graduate and undergraduate courses for Grand Canyon University, Northwestern University, and Anthem College. He is a writer and public speaker. He has experience in forensic accounting, fraud examinations, financial audits, internal audits, compliance audits, real estate valuations, business valuations, internal control development, business continuation planning, risk management, financial forecasting, and Sarbanes-Oxley compliance work. Dr. Minniti is an instructor teaching continuing professional education classes for the American Institute of Certified Public Accountants, Compliance Online, CPE Link, AccountingEd, Global Compliance Panel, Clear Law Institute and various state CPA Societies.
