Credential stuffing, in the past, was used for targeting online services such as online gaming, video streaming, or food delivery businesses. However, with an ever-increasing success rate of this tactic, several professional hackers have started adopting this method. Recently, the FBI issued a security advisory about the increasing use of credential stuffing attacks against financial institutions.
The ongoing trend
Hacking groups have now started using credential stuffing to target financial service providers, such as banks, insurance companies, investment firms, cryptocurrency exchanges, and online banking services to steal financial assets.
- The attackers try to identify multi-accounts across different financial services, where users may have reused the same passwords. In case the same password is reused by a user, attackers can gain access to their other accounts and attached resources.
- Several attacks targeted the APIs used by financial services as such systems often fail to implement the multi-factor authentication.
- Over the past few years, these successful attacks have led to multi-million dollar losses at some organizations.
Increasing prevalence of credential stuffing
Lately, credential stuffing attacks have accounted for the greatest volume of cyberattacks.
- According to an FBI report, in July, a mid-sized U.S. financial organization became the target of a continuous stream of credential stuffing attacks, possibly carried out with help of automated bots.
- Between January and August, hackers used aggregation software to link actor-controlled accounts to legitimate customer accounts belonging to the same financial institution for fraudulent fund transfer activities, resulting in losses of more than $3.5 million.
- In April, multiple account details related to Chase, Citibank, and other financial institutions were gathered through credential stuffing attacks on relevant Zoom accounts.
The FBI alert warns all the financial organizations to take immediate steps for safety against credential stuffing attacks. However, looking at the way attackers are trying new tactics across different sectors, it can be said that not only the organizations active in the financial vertical but all industry verticals should take protective measures about the ever-growing threat of credential stuffing.