Cybercriminals are increasingly turning to credential stuffing tools to automate attempts at account takeover. This is a type of brute force attack whereby large sets of credentials are automatically inserted into login pages until a match with an existing account is found. Based on configurations, the most common targets for these attacks are the gaming, technology, broadcasting and retail sectors.
These startling findings have been revealed by Digital Shadows, the industry leader in digital risk management, in its latest research report. The research focused up on some of the main techniques that cybercriminals are using to target organizations using stolen credentials which have been reused across a variety of sites and online forums.
The report “Protect Your Customer and Employee Accounts: 7 Ways To Mitigate The Growing Risks Of Account Takeovers” also outlines what measures organizations can implement to protect against such attacks.
Need to check existing loopholes
Last year Digital Shadows found that 97 percent of businesses in the ‘Forbes 1000’ had their valuable credentials exposed, usually by employees using the same details across multiple sites and platforms. Now criminals are recognizing that employees often have poor username and password discipline to use these in mass automated credential stuffing attacks aiming to gain access to corporate networks.
“Many organizations are suffering breach fatigue due to the huge numbers of credentials exposed via not only high profile incidents like those suffered by Myspace, LinkedIn and Dropbox, but also from tens of thousands of smaller breaches,” said Rick Holland, VP Strategy at Digital Shadows.
“But it is critical that businesses arm themselves with the necessary intelligence and insight to manage their digital risk and prevent this problem credential exposure from escalating into an even more severe problem,” added Holland.
Avoiding account takeovers
The report also suggests that while multi-factor authentication (MFA) can help to protect organizations and their customers from account takeovers, it cannot be seen as a silver bullet to solve the problem of account take overs.
“Enterprises – and the companies that work for and with them – need to be better prepared for this sort of brute force attack,” added Holland.
Besides, it is also important to monitor the mentions of your company and brand names across cracking forums. This can help to inform the security solutions you invest in.