TMCnet Feature
April 29, 2020

Credential Stuffing Attacks Target Financial Industry APIs

Credential stuffing attacks are designed to capitalize on the fact that people commonly use weak passwords and often use the same one across multiple different accounts. As data breaches occur on a regular basis, cybercriminals are provided with a massive amount of data regarding the passwords used most by people in general and a certain person in particular.

A credential stuffing attack uses a bot to try common passwords against a user’s account on another service. If that account reuses a shared or weak password, the attacker can turn a breached credential for a low-value website into access to the user’s bank account.

Financial institutions are often targeted by credential stuffing attacks, but the profile of these attacks is shifting. Cybercriminals are increasingly targeting financial application programming interfaces (APIs), making it necessary to ensure that an organization’s Web Application Firewall (WAF) solution covers its entire web presence, including the APIs, and has the ability to differentiate between benign and malicious bots.

The Growth of Bot-Driven Cyber Attacks

A bot is a computer program that is designed to automate actions that would normally be performed by a human. Typically, this involves interacting with a website to collect information or take advantage of its functionality for some purpose. Bots also serve a number of benign purposes: the web spiders that Google and other search engines use to index the Internet, so that it can be searched from a web browser, are one example of a benign bot.

However, the use of bots for malicious purposes is growing rapidly. An estimated 20% of all Internet traffic is associated with malicious bots. These bots perform a variety of functions for a cybercriminal. Some bots are designed to seek out vulnerabilities in a target website, discovering where an attacker should focus their efforts to gain access. Others are used in credential stuffing attacks, where user credentials leaked during data breaches are tested against other sites to determine if they can be used there as well.

API Security is Not Web App Security

An organization’s APIs are designed to allow programmatic access to the data or services that the organization offers to customers. While this information may be available through the website, an API makes it possible for customers to automate repetitive operations or perform bulk queries with minimal overhead.

Exposing an API can be extremely valuable to an organization and its customers alike. Enabling direct programmatic access frees customers from automating interactions with the organization’s web front-end, which makes script development easier and reduces load on the company web server.

However, this same easy accessibility is a boon to cybercriminals and malicious bots as well. Since these APIs are designed to allow programmatic access and bulk data transfers, it is easier for cybercriminals to use them in their attacks than if they attempted to perform the same operations through the web front-end. Additionally, APIs are often well-documented by their creator, enabling an attacker to more easily identify design flaws or potentially exploitable vulnerabilities.

All of these factors mean that APIs require a very different approach to security than an organization’s web applications and pages designed for human interaction. With an API, legitimate users are expected to automate their queries and to use them for high-volume data transfers or computationally expensive operations. Since these are some of the very warning signs used to detect attacks against web applications, identifying malicious bots on APIs is more difficult and requires more sophisticated detection mechanisms.

Credential Stuffing and the Financial Industry

The financial industry is one of the biggest targets of cyberattacks due to the value of the data it processes on a daily basis. Financial institutions are also a common target of credential stuffing attacks in particular, since correctly guessing a user’s credentials for an institution’s online portal would enable a cybercriminal to steal the money in that user’s account.

Credential stuffing attacks are always automated, since they take a “guess and check” approach to identifying user credentials. However, they can be targeted at different points in an organization’s web presence. Any web page or application that requires a user to authenticate before using it can be targeted in these attacks.

Recently, cybercriminals have been focusing their efforts on financial institutions’ APIs. In fact, up to three-quarters of credential stuffing attacks against these organizations between May and December 2019 targeted the organizations' APIs. This shift in tactics from targeting web pages and web applications to web APIs may have caught targeted organizations by surprise. In general, web APIs are often overlooked during security planning, which is dangerous since they can be such a valuable resource to an attacker.

Protecting Financial APIs

Credential stuffing attacks have a number of negative impacts on their targets. For the users whose credentials are guessed, a cybercriminal gains access to their accounts. The targeted organization also wastes resources, as the bots force its authentication operation to run continuously.

With credential stuffing attacks targeting APIs, instead of web applications, the velocity of attacks can increase since these APIs are often optimized for programmatic access. If an organization has not deployed defenses to help identify and block malicious bot-driven traffic, then it and its users could be the victim of sustained credential stuffing attacks.
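As an added example (not code from the article or from any vendor product), the following Python sketch shows the distinction drawn above between high request volume, which is normal for an API client, and the pattern that actually marks credential stuffing against an API login endpoint: one source trying many distinct accounts with mostly failed logins. The log format, the `/api/v1/login` path and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of API authentication log lines (not from the article).
# Assumed format: "<ts> src=<ip> user=<name> path=<endpoint> status=<code>"
SAMPLE_LOG = """\
2020-04-29T10:00:01 src=203.0.113.5 user=alice path=/api/v1/login status=401
2020-04-29T10:00:01 src=203.0.113.5 user=bob path=/api/v1/login status=401
2020-04-29T10:00:02 src=203.0.113.5 user=carol path=/api/v1/login status=401
2020-04-29T10:00:02 src=203.0.113.5 user=dave path=/api/v1/login status=200
2020-04-29T10:00:03 src=203.0.113.5 user=erin path=/api/v1/login status=401
2020-04-29T10:00:03 src=203.0.113.5 user=frank path=/api/v1/login status=401
2020-04-29T10:00:01 src=198.51.100.7 user=acme-batch path=/api/v1/login status=200
2020-04-29T10:00:02 src=198.51.100.7 user=acme-batch path=/api/v1/login status=200
2020-04-29T10:00:03 src=198.51.100.7 user=acme-batch path=/api/v1/login status=200
2020-04-29T10:00:04 src=198.51.100.7 user=acme-batch path=/api/v1/login status=200
2020-04-29T10:00:07 src=192.0.2.44 user=grace path=/api/v1/login status=401
2020-04-29T10:00:09 src=192.0.2.44 user=grace path=/api/v1/login status=200
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) path=(\S+) status=(\d+)")

def parse_login_events(log_text, login_path="/api/v1/login"):
    """Yield (src_ip, user, ok) for each request to the login endpoint."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(3) == login_path:
            yield m.group(1), m.group(2), m.group(4) == "200"

def find_stuffing_sources(log_text, min_users=5, min_fail_ratio=0.5):
    """Return {src_ip: stats} for sources whose login pattern looks like
    credential stuffing: many distinct accounts tried, most attempts failing.
    Raw request volume is deliberately NOT a criterion, because a legitimate
    API client (e.g. a batch job) may log in very often for a single account."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for src, user, ok in parse_login_events(log_text):
        s = stats[src]
        s["attempts"] += 1
        s["failures"] += 0 if ok else 1
        s["users"].add(user)
    flagged = {}
    for src, s in stats.items():
        fail_ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            flagged[src] = {"attempts": s["attempts"],
                            "distinct_users": len(s["users"]),
                            "fail_ratio": round(fail_ratio, 2)}
    return flagged
```

On the constructed log, only 203.0.113.5 is flagged; the batch client that logs in four times for one account and the human who mistyped a password once are not.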
