When I am speaking or conducting seminars on internal controls, I always stress the importance of having complex passwords and updating them on a regular basis. The fact that many individuals use the same user ID and password for multiple sites is well known to criminals.
Credential stuffing is one of the ways criminals gain access to various systems. When criminals obtain user IDs and passwords through data breaches, phishing or other means, they use software to test the acquired user IDs and passwords against many websites and computer systems. The criminal will attempt to access financial, social media, email and other sites using the stolen information. Company and government websites are vulnerable because employees are not diligent in changing and protecting their passwords and often use the same password on multiple systems.
One common tool for conducting credential stuffing is known as Sentry MBA. Less than 1% of these attempts are successful, but the successful attempts are very profitable for the criminals because they gain access to the victim’s information and accounts. Remember that credential testing is done at computer speed, so a criminal can test credentials millions of times an hour. If a criminal is able to obtain 1 million credentials by purchasing them in bulk on the darknet, they would be able to access approximately 10,000 accounts. Also, since each user ID and password pair is attempted only once per website, the account is not locked out when the attempt fails, so the victim is unaware their information has been tested. The criminals also use botnets (hijacked computers) so that the requests come from many different IP addresses, which prevents the targeted website from recognizing that the access attempts are coming from a single source.
Organizations need to monitor login failure rates as a detective control to determine whether they are targets of a credential stuffing attack. Adding two-factor authentication to a website is a good preventive control to limit credential hacking. Another good internal control is requiring complex passwords that contain an upper case letter, a lower case letter, a number and a symbol, requiring users to update passwords every 90 days, and prohibiting the reuse of passwords.
One way to determine if your organization is being attacked by a criminal using Sentry MBA is to Google “sentry mba your company name”. You can also search your web logs for some of the common user agent strings associated with Sentry MBA:
- Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
- Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
- Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:18.104.22.168) Gecko/2009060215 Firefox/3.0.11
- Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3
- Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00
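An added example (not code from the original post) of the two detective controls described above: parse web-server access logs in the common Apache/nginx "combined" format, compute the login failure rate, count distinct source addresses, and flag requests whose User-Agent is one of the Sentry MBA strings listed. The login path `/login`, the 401 failure status and the sample log lines are assumptions constructed for the example.

```python
import re

# User-agent strings the post associates with Sentry MBA (copied from the list above).
SENTRY_MBA_UAS = {
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:18.104.22.168) Gecko/2009060215 Firefox/3.0.11",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3",
    "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00",
}

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not in combined format; caller skips it
    ip, method, path, status, ua = m.groups()
    return {"ip": ip, "method": method, "path": path, "status": int(status), "ua": ua}

def analyze(lines, login_path="/login", failure_status=401):
    """Count login attempts/failures, distinct source IPs and known Sentry MBA user agents."""
    attempts = failures = ua_hits = 0
    ips = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than failing the whole run
        if rec["ua"] in SENTRY_MBA_UAS:
            ua_hits += 1
        if rec["method"] == "POST" and rec["path"] == login_path:
            attempts += 1
            ips.add(rec["ip"])
            if rec["status"] == failure_status:
                failures += 1
    return {"login_attempts": attempts, "login_failures": failures,
            "failure_rate": failures / attempts if attempts else 0.0,
            "distinct_ips": len(ips), "sentry_mba_ua_hits": ua_hits}

def constructed_log():
    """Constructed sample (not real traffic): eight failed logins, each from a different address and the Sentry MBA Opera UA, then one real login."""
    bad_ua = "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00"
    ok_ua = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
    lines = [f'203.0.113.{i} - - [10/Oct/2023:13:55:{i:02d} +0000] "POST /login HTTP/1.1" 401 512 "-" "{bad_ua}"'
             for i in range(1, 9)]
    lines.append(f'198.51.100.7 - - [10/Oct/2023:13:56:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "{ok_ua}"')
    return lines

if __name__ == "__main__":
    print(analyze(constructed_log()))
```

A failure rate near 1.0 combined with one attempt per source address is the pattern the post describes; compare it against your site's normal baseline rather than a fixed threshold.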