Unlike a malware infection, logging in with stolen credentials tends to go unnoticed: to the system it looks like a legitimate login, which is why attackers who do it fly under the radar. This post covers two related threats, password dumping and password stuffing (more commonly called credential stuffing), and what to do about them.
Every account an attacker gets into can be a gold mine, so it is no surprise that the Verizon Data Breach Investigations Report lists stolen credentials as the second most common way a breach is produced.
Attackers can steal credentials through well-known methods such as phishing and keylogging, and through others that get far less attention.
Password dumping is one of the lesser-known ones.
Password Dumping – Everything You Need to Know
What you may not know is that your operating system avoids asking for the same password over and over.
When you can open your computer or one of its programs without retyping a password, it is because the credential was stored somewhere for later reuse.
Unfortunately for defenders, Windows keeps credential material in more than one place, and an attacker who gains enough access to any of them can walk away with a list of usernames and password hashes, or in some cases plaintext passwords:
- Security Accounts Manager (SAM) – This database, present since Windows NT, stores the password hashes (NT hashes) of local accounts. Domain accounts are not in it; they live in the Active Directory database (NTDS.dit) on domain controllers. Reading the SAM hive requires SYSTEM-level access, but once obtained, the hashes can be cracked offline or replayed directly in pass-the-hash attacks.
- WDigest – This authentication provider still ships in current Windows versions but is disabled by default (since Windows 8.1 / Server 2012 R2, and via update KB2871997 on older versions). When it is enabled, LSASS keeps a plaintext copy of each logged-on user's password in memory, which tools like Mimikatz read directly. Check the registry value UseLogonCredential under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest: it should be 0 or absent.
- Kerberos – The ticket-based protocol itself is sound, but the tickets it issues are cached in memory. An attacker with local admin rights can extract them and reuse them (pass-the-ticket), and any domain user can request service tickets for accounts that have a Service Principal Name and try to crack them offline (Kerberoasting).
- DCSync – An account that holds directory replication rights (the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All permissions, held by default by Domain Admins and domain controllers) can use the replication API (MS-DRSR) to ask a domain controller for the password hashes of any account, including krbtgt. No code runs on the DC, so host-based controls there see nothing; the attack is caught by monitoring replication requests from non-DC hosts and by auditing who holds those rights.
Of course, there is little use for manual processes, especially in large-scale theft. Everything is automated as far as it can be, mostly with tools such as PWDumpX, Mimikatz and their many equivalents.
Mimikatz in particular is very useful in the right hands (penetration testers use it to demonstrate exactly these weaknesses) and just as popular with attackers.
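Most of the dumping methods above end with a process opening a read handle on lsass.exe, which is the one thing a defender can watch for on the host. The following is an added example, not code from the original post and not part of Mimikatz, PWDumpX or Sysmon; it assumes Sysmon Event ID 10 (ProcessAccess) telemetry with SourceImage, TargetImage and GrantedAccess fields, and the allowlist and sample events in it are constructed for the illustration.

```python
"""Flag suspicious handle opens on lsass.exe in Sysmon-style ProcessAccess events.

Added example; not from the original post and not part of Mimikatz, PWDumpX or
Sysmon. It assumes Sysmon Event ID 10 telemetry with SourceImage, TargetImage and
GrantedAccess fields. The events below are constructed, not real telemetry.
"""
import ntpath

# Access-mask bit a dumper needs in order to read LSASS memory. Masks such as
# 0x1010 and 0x1410 (query rights + VM_READ) are the ones most commonly seen
# from credential dumpers.
PROCESS_VM_READ = 0x0010

# Processes that legitimately open lsass.exe. This allowlist is an assumption for
# the example: tune it per environment (EDR and AV engines read LSASS too) and
# match on code signer or hash in production, not on path alone.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

# Path fragments that indicate a binary running from a user-writable location.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\")


def lsass_access_findings(events):
    """Return (source_image, access_mask, reasons) for each suspicious LSASS open."""
    findings = []
    for ev in events:
        if ntpath.basename(ev["TargetImage"]).lower() != "lsass.exe":
            continue
        source = ev["SourceImage"].lower()
        access = int(ev["GrantedAccess"], 16)
        reasons = []
        # A handle without VM_READ cannot dump memory, so only the mask bit matters,
        # not the raw fact that LSASS was opened.
        if access & PROCESS_VM_READ and source not in ALLOWED_SOURCES:
            reasons.append("memory read (PROCESS_VM_READ) from non-allowlisted process")
        if any(marker in source for marker in USER_WRITABLE_MARKERS):
            reasons.append("source binary lives in a user-writable path")
        if reasons:
            findings.append((ev["SourceImage"], hex(access), reasons))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"SourceImage": r"C:\Users\bob\AppData\Local\Temp\updater.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Windows\System32\notepad.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1010"},
]

if __name__ == "__main__":
    for source, access, reasons in lsass_access_findings(SAMPLE_EVENTS):
        print(f"{source} opened lsass.exe with {access}: {'; '.join(reasons)}")
```

Only the unsigned binary in the user's Temp folder is reported; the svchost.exe event is ignored because its mask (0x1400) carries no VM_READ bit, and the notepad.exe event because its target is not LSASS. In a real deployment the allowlist should be keyed on signer or hash, since attackers routinely copy their tools to trusted-looking paths.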
Say an attacker has already located, copied and "dumped" the credentials. How do they turn them into something useful?
The Zoom credentials incident is a good example.
When COVID-19 hit and remote work became the norm, everyone started using video-call and conferencing apps, Zoom among the most popular.
The headlines yelled: "500,000 Zoom Accounts were hacked and sold on the Dark Web."
Zoom's own systems had not been breached: the accounts were assembled by taking username and password pairs from earlier, unrelated leaks and trying them against Zoom. The victims were exposed to one threat in particular: password stuffing.
Password Stuffing – Everything You Need to Know
Instead of guessing passwords from common word combinations, as brute-force and dictionary attacks do, attackers take a list of credentials stolen elsewhere and replay them, username and password together, against a target site with scripts or purpose-built tools.
These lists (combo lists) circulate on black-hat forums and dark-web markets.
That means anyone with a few dollars, a tool and basic skills can run this kind of operation.
Statistically, even though the success rate is low, the attack pays off, because each successful login may expose valuable data such as credit card numbers.
A typical success rate is around 0.1% (1 in 1,000), and in that one hit, 55% of the time the victim has reused the same credentials on almost every other account they have created online.
Here is what a large-scale stuffing attack looks like from the attacker's side:
- An automated bot is prepared to log into many accounts in parallel, routing the attempts through rotating proxy or residential IP addresses so that no single source stands out.
- The bot runs the stolen credentials against the target sites to confirm which pairs still work.
- The attacker monitors the successful logins and extracts valuable information from the compromised accounts.
- The information is saved for later use; attackers rarely validate and cash out on the same day.
As you can see, all of this makes it hard for you and your company to tell attacker logins from real ones, and it is especially hard on high-traffic websites.
So, are there any early signs you can use to catch password stuffing?
How to Detect Password Stuffing
The first and biggest red flag is a spike in failed logins over a short span of time, typically spread across many different accounts rather than concentrated on one.
You and your IT team can watch for this yourselves in the authentication logs, but in practice it is usually done with a web application firewall (WAF), bot-management services and similar tooling, which add rate limiting and device fingerprinting on top.
The largest companies also monitor public credential dumps proactively, checking whether the leaked data overlaps with their own users' accounts. That takes real investment, and even then it is not enough on its own.
Honestly, the best approach is to accept that it can happen to you at any moment, and to put measures in place against both password dumping and password stuffing.
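The red flag above can be turned into concrete detection logic. What follows is an added example, not code from the original post or from any WAF product; it assumes an authentication log that records, per attempt, a UTC timestamp, source IP, username and outcome (OK or FAIL), and the log lines it analyses are constructed for the illustration. It flags two things: a source that fails against many distinct accounts in a short window (the stuffing signature, as opposed to one user mistyping their own password), and the successful logins that come from such a source, which are the accounts to reset first.

```python
"""Credential-stuffing detection heuristics run over constructed login records.

Added example (not from the original post). It assumes an authentication log with
one attempt per line: UTC timestamp, source IP, username and outcome (OK/FAIL).
The sample records built below are constructed for the example, not real traffic.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse 'ISO-timestamp ip username OK|FAIL' lines (hypothetical format)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, user, outcome = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(LoginEvent(when, ip, user, outcome == "OK"))
    return sorted(events, key=lambda e: e.ts)


def stuffing_sources(events, window=timedelta(minutes=5), min_accounts=10):
    """IPs whose failed logins hit >= min_accounts distinct usernames inside `window`.

    A real user mistypes one or two of their own passwords; a stuffing bot tries
    one password per account across many accounts, so the signal is the number of
    distinct accounts failing from one source, not the raw failure count.
    Returns {ip: peak number of distinct accounts seen in one window}.
    """
    recent = defaultdict(deque)   # ip -> (ts, user) of failures inside the window
    flagged = {}
    for ev in events:
        if ev.ok:
            continue
        q = recent[ev.ip]
        q.append((ev.ts, ev.user))
        while q and ev.ts - q[0][0] > window:
            q.popleft()
        distinct = {u for _, u in q}
        if len(distinct) >= min_accounts:
            flagged[ev.ip] = max(flagged.get(ev.ip, 0), len(distinct))
    return flagged


def failure_rate_spike(events, window=timedelta(minutes=5), baseline=5, factor=4):
    """Site-wide signal: peak failures in any window if it exceeds factor*baseline, else 0."""
    q = deque()
    worst = 0
    for ev in events:
        if ev.ok:
            continue
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:
            q.popleft()
        worst = max(worst, len(q))
    return worst if worst > factor * baseline else 0


def likely_compromised(events, sources):
    """Accounts with a successful login from an IP flagged as a stuffing source."""
    return sorted({ev.user for ev in events if ev.ok and ev.ip in sources})


def constructed_sample():
    """Build a constructed log: benign traffic plus one stuffing burst."""
    base = datetime(2020, 4, 13, 10, 0, 0, tzinfo=timezone.utc)
    lines = ["# constructed sample, not real traffic"]
    # Benign: three users, each with one typo then success, from their own IPs.
    benign = [("alice", "198.51.100.10"), ("bob", "198.51.100.11"), ("carol", "198.51.100.12")]
    for i, (user, ip) in enumerate(benign):
        t = base + timedelta(minutes=i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} {ip} {user} FAIL")
        lines.append(f"{t + timedelta(seconds=20):%Y-%m-%dT%H:%M:%SZ} {ip} {user} OK")
    # Stuffing burst: one source, one attempt per account, 40 accounts in ~2 minutes.
    bot = "203.0.113.7"
    for i in range(40):
        t = base + timedelta(minutes=10, seconds=3 * i)
        outcome = "OK" if i == 17 else "FAIL"   # one reused password works
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} {bot} user{i:02d} {outcome}")
    return "\n".join(lines)


def analyse(text=None):
    """Run all three heuristics over a log and return the findings."""
    events = parse_log(text if text is not None else constructed_sample())
    sources = stuffing_sources(events)
    return {
        "stuffing_sources": sources,
        "failure_spike": failure_rate_spike(events),
        "likely_compromised": likely_compromised(events, sources),
    }


if __name__ == "__main__":
    for name, value in analyse().items():
        print(name, value)
```

On the constructed log the three benign users are never flagged (one failure each), the bot's address is reported with 39 distinct failing accounts in the window, the site-wide failure count spikes to 39 against a baseline of 5, and user17 is listed as likely compromised. The thresholds are assumptions; tune them against your own baseline, and remember that a bot rotating through many proxies will spread its failures thinly, which is why the site-wide spike and the per-account lockout matter as much as the per-IP check.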
How to Protect Yourself from Password Dumping and Stuffing
Every item on the following list that you apply is a point for you and one less for the attacker.
So adopt as many as you can, and both you and your company will be far better protected:
- Don't store passwords in plain files on your computer – You have read how easy it is for an attacker to lift credentials from a compromised machine. If they reach any unencrypted text file or spreadsheet of yours, they get every username and password in it.
- Use a password manager – I know, you save those passwords because otherwise you would forget them, and the notebook in the drawer is not safe either. Use a password manager instead: a cloud-synced one such as LastPass or 1Password, or an offline one such as KeePass. Then you only have to keep one master password safe (and protect the manager itself with 2FA). Cloud managers sync the encrypted vault so you can use it on several devices; an offline manager keeps the vault only on the device where you installed it, which is safer but less convenient.
- Microsoft Defender and LSASS protection – Microsoft Defender is built into Windows (Defender for Endpoint also runs on macOS, but that is a separate, paid product). Its Attack Surface Reduction rule "Block credential stealing from the Windows local security authority subsystem" stops untrusted processes from reading lsass.exe memory, the usual target of password dumping. Go further by enabling LSA Protection (RunAsPPL set to 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa), which allows only signed protected processes to open LSASS, and Credential Guard, which isolates the secrets in a virtualization-based container so they cannot be read even from a SYSTEM-level process.
- Two-factor authentication (2FA) – This is a second door you must pass after the first one (username and password), usually a code from an authenticator app, a hardware security key, or, as a weaker fallback, a code sent by SMS or e-mail. Few people turn it on because of the extra step, but I recommend it at least for essential services: e-mail, banking and payment accounts. It is the one control that makes a stolen password, whether dumped or stuffed, insufficient on its own.
- CAPTCHA – You have seen it: click "I'm not a robot" or pick the pictures containing a car, a traffic light or a tree. Simple CAPTCHAs are cheap to bypass with solving services, so treat them as one layer among several (rate limiting, device fingerprinting), not as a complete defense.
- IP blocklisting and rate limiting – Blocking or throttling the IP addresses that generate bursts of failed logins cuts off the crudest bots directly. Because stuffing bots rotate through proxies, combine per-IP limits with per-account limits (challenge or lock an account after a few failures regardless of source). You can reduce false positives by comparing suspicious sources against each account's recent, known-good login history.
- Password hashing – When I mentioned a "password hash" above, I meant storing a one-way transformation of the password rather than the password itself. Storing cleartext is like writing the passwords on a piece of paper, just a digital one.
The dictionary defines hashing as "chopping something into small pieces" until it looks like a "confused mess", and that is roughly what a cryptographic hash does: the output reveals nothing about the input and cannot be reversed. For passwords, use a slow, salted algorithm built for the job (Argon2id, scrypt or bcrypt) rather than a fast general-purpose hash such as MD5 or SHA-256, so that a dumped database cannot be cracked quickly.
Visit Auth0’s blog to learn more about “Password Hashing”
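To make the hashing advice concrete, here is an added example of storing and verifying passwords the right way. It is not code from the original post or from Auth0; it uses only the Python standard library (hashlib.scrypt, which needs Python built against OpenSSL 1.1 or later), and the cost parameters and record format are assumptions chosen for the illustration. It also shows, for contrast, why an unsalted fast hash is not enough: two users with the same password get the same digest, so one cracked hash unlocks both.

```python
"""Salted, slow password hashing with scrypt and constant-time verification.

Added example, not from the original post or from Auth0. Standard library only
(hashlib.scrypt). Cost parameters and the record layout are assumptions for the
example; Argon2id is the usual first choice today, scrypt is used here because
it ships with Python.
"""
import base64
import hashlib
import hmac
import os

# scrypt cost parameters (example values): CPU/memory cost, block size, parallelism.
# Memory used is 128 * N * R * P bytes, here 16 MiB.
N, R, P = 2 ** 14, 8, 1
SALT_LEN = 16
KEY_LEN = 32


def _b64(data):
    return base64.b64encode(data).decode("ascii")


def hash_password(password, salt=None):
    """Return a self-describing record: $scrypt$n=..,r=..,p=..$<salt>$<key>.

    The per-user random salt means identical passwords produce different records,
    and the embedded parameters let you raise the cost later without a flag day.
    """
    salt = salt or os.urandom(SALT_LEN)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=N, r=R, p=P, dklen=KEY_LEN)
    return "$scrypt$n=%d,r=%d,p=%d$%s$%s" % (N, R, P, _b64(salt), _b64(key))


def verify_password(password, record):
    """Recompute the hash with the record's own parameters and compare in constant time."""
    try:
        _, algo, params, salt_b64, key_b64 = record.split("$")
        if algo != "scrypt":
            return False
        opts = dict(kv.split("=") for kv in params.split(","))
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
        actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                n=int(opts["n"]), r=int(opts["r"]), p=int(opts["p"]),
                                dklen=len(expected))
    except (ValueError, KeyError):
        return False
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(actual, expected)


def unsalted_digest(password):
    """What NOT to do: fast, unsalted SHA-256. Shown only for contrast."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("wrong password", record))
    # Same password, two users: the unsalted digests collide, the scrypt records do not.
    print(unsalted_digest("hunter2") == unsalted_digest("hunter2"))
    print(hash_password("hunter2") == hash_password("hunter2"))
```

Store only the record string; never log the plaintext. If a dumped table of these records leaks, each guess costs the attacker 16 MiB and a noticeable fraction of a second per user, instead of the billions of SHA-256 guesses per second a GPU manages against an unsalted table.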
Are You Safe Now?
… Do you feel that way?
Probably not, right now. But take some time to apply the protection methods above, or at least most of them.
If that does not work, or if you simply do not have the time, I assure you we can take care of it in a matter of hours.