MENU

Republic of the Philippines
National Police Commission
PHILIPPINE NATIONAL POLICE
ANTI-CYBERCRIME GROUP
Camp BGen Rafael T Crame, Quezon City
E-mail: This email address is being protected from spambots. You need JavaScript enabled to view it.

ACG-CYBER SECURITY BULLETIN NR 231: UNDERSTANDING THE RISK OF ONLINE CREDENTIAL STUFFING ATTACK

Reference Number ACG-CSB 010622231

         The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as Restricted pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.

SUMMARY

     Credential stuffing is the automated injection of stolen username and password that pairs “credentials” into website login forms, in order to fraudulently gain access to user accounts.  It is a form of cyberattack where hackers are taking over massive databases of usernames and passwords, many of which are stolen in recent data breaches and use an automated method to “stuff” the account logins into other online services.

 

    This is a brute-force attack technique in which hackers stuff millions of user ID and password pairs at high velocity into the target website, but instead of trying to guess passwords using dictionaries of common word combinations, attackers use lists of known valid credentials obtained from data breaches. Threat actors know these credentials will lead to more successful attacks which are easier to execute and have a higher success rate due to a large number of people continue to reuse their passwords across different websites, so credentials stolen from a low-profile website have a high chance of working on services that hold more sensitive data.

 

     The attacker’s goal is to gain unauthorized access to as many user accounts as possible and then carry out other attacks or fraudulent activities. Those could involve account takeovers known as “identity theft” in which a fraudster uses the stolen or faked credentials of a legitimate user that enable attackers to drain money from bank accounts, make large purchases, or steal identities to create new, fraudulent accounts. At worst, an attacker tries to escalate user privileges to gain a foothold in an organization’s network and carry out more serious attacks.

 

    It is no secret that all the most sophisticated attackers look for and will take advantage of the easiest route to success. Since massive data breaches continue to compromise credentials and users keep reusing passwords for multiple accounts, credential stuffing attacks will continue unabated.

 

    The global pandemic has only intensified the problem. With record numbers of people working and learning from home as well as shopping online, expect to see more credential stuffing attacks on websites, delivery services, online retailers and grocers, and telemedicine providers, to name a few.

 

RECOMMENDATION

 

            The public are advised to follow these tips in order to understand the risks and prevent online credential stuffing attack:

 

  • Protect the computer and smartphonewith strong, up-to-date security software;
  • Do not connect to public WiFi networks and be cautious;
  • Use unique passwords for every account;
  • Use strong passwords;
  • Delete unused, unnecessary accounts; and
  • Use multifactor authentication (MFA) whenever available.

 

     For additional information, please refer to the following websites:

 

  • https://www.csoonline.com/article/3448558/credential-stuffing-explained-how-to-prevent-detect-and-defend-against-it.html
  • https://www.f5.com/labs/articles/education/what-is-credential-stuffing-
  • https://heimdalsecurity.com/blog/credential-stuffing/
  • https://www.wired.com/story/what-is-credential-stuffing/

 

POINT OF CONTACT

 

        Please contact PMAJ JAYBEE B BAYANI Police Community Relations Officer thru e-mail address This email address is being protected from spambots. You need JavaScript enabled to view it. or contact us on telephone number (632) 723 0401 local 7483 for any inquiries related to this CYBER SECURITY BULLETIN.