Credential Stuffing to Stuff the Ballot Box



Advanced nation-state actors and petty criminals are both leveraging credential-stuffing attacks to hack into victims’ accounts, according to Byron Acohido, writing for Avast. Rather than trying to guess passwords by plugging in random combinations or common words, hackers can leverage the billions of leaked credentials available on the Internet to achieve a much greater chance of success.

“Credential stuffing is a type of advanced brute force hacking. It involves the use of software automation to insert stolen usernames and passwords into web page forms, at scale, until the attacker gains access to a targeted account,” Acohido explains.

Acohido notes that Microsoft recently disclosed that Strontium (also known as Fancy Bear), a threat actor attributed to Russia’s GRU, is targeting hundreds of individuals and entities associated with the upcoming US election. Fancy Bear is the same group that hacked John Podesta’s email account in 2016 via a phishing lure, and it now seems to be using credential-stuffing to overcome new defenses.

“As a public service, Microsoft has been tracking how Strontium has relentlessly carried on and is seeking to gain a similar foothold inside of Joe Biden’s campaign,” Acohido writes. “As you might expect, the Biden campaign progressed to using much more robust spear-phishing defenses. In response, the Strontium crew has pivoted to using leading-edge credential harvesting and credential stuffing tools, disguised several ways. Microsoft’s analysts, for instance, documented how the Strontium crew has been routing automated attacks through more than 1,000 constantly rotating IP addresses, the better to help avoid detection....Over the past 12 months, Strontium has targeted more than 200 organizations affiliated with the upcoming election, including political consultants from the major parties in both the U.S. and Europe.”
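The detection problem Acohido describes, automated attempts spread across hundreds of rotating IP addresses so that no single source ever looks noisy, is illustrated by the following Python heuristic. This is an added example, not code from the article, Avast or Microsoft: it runs over a constructed log format and constructed sample lines (every username and address is made up, and the thresholds are illustrative) and scores a window of failed logins on the shape that distinguishes stuffing from classic brute force: one or two tries per username, many usernames, no busy source IP, and a high share of failures against usernames that do not exist locally.

```python
"""Score a window of failed logins for the credential-stuffing shape.

Classic brute force hammers one account from one source. Credential
stuffing is the reverse: one or two tries per username, many usernames,
spread across rotating source IPs so that per-IP rate limits never fire.
A high share of failures against usernames that do not exist locally is
another tell, because leaked lists are not tailored to any one site.
"""
from collections import Counter
from dataclasses import dataclass
import re

# Constructed log format for this example (not the article's or any product's):
#   <iso-timestamp> auth result=<ok|fail> user=<name> ip=<addr>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed directory of accounts that actually exist on the protected site.
KNOWN_USERS = {f"user{i:02d}" for i in range(25)} | {"alice", "bob", "carol"}


@dataclass
class WindowStats:
    failures: int
    distinct_users: int
    distinct_ips: int
    max_failures_per_ip: int
    max_failures_per_user: int
    unknown_user_fraction: float
    verdict: str


def parse(lines):
    """Return parsed events, silently skipping lines that do not match."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify(lines, known_users=KNOWN_USERS, min_failures=20, min_users=10):
    """Summarise the failed logins in one window and label their shape.

    The caller picks the window (e.g. the last five minutes of the log);
    the thresholds are illustrative and should be tuned to the site's baseline.
    """
    fails = [e for e in parse(lines) if e["result"] == "fail"]
    per_ip = Counter(e["ip"] for e in fails)
    per_user = Counter(e["user"] for e in fails)
    n = len(fails)
    unknown = sum(1 for e in fails if e["user"] not in known_users)
    max_ip = max(per_ip.values(), default=0)
    max_user = max(per_user.values(), default=0)

    if n < min_failures:
        verdict = "quiet"                      # below the volume worth alerting on
    elif max_user >= n / 2:
        verdict = "brute_force"                # one account absorbs most failures
    elif len(per_user) >= min_users and max_ip <= max(3, 0.2 * n):
        verdict = "credential_stuffing"        # many accounts, no busy source IP
    else:
        verdict = "suspicious"                 # noisy but not a clean match

    return WindowStats(n, len(per_user), len(per_ip), max_ip, max_user,
                       unknown / n if n else 0.0, verdict)


def sample_stuffing_log():
    """Constructed burst: 40 usernames, one try each, rotated over 20 IPs."""
    return [f"2020-09-10T12:00:{i:02d}Z auth result=fail user=user{i:02d} "
            f"ip=198.51.100.{i % 20 + 1}" for i in range(40)]


def sample_brute_force_log():
    """Constructed burst: one account, 30 tries, one source."""
    return [f"2020-09-10T12:01:{i:02d}Z auth result=fail user=alice ip=203.0.113.7"
            for i in range(30)]


def sample_normal_log():
    """Constructed background: a typo from a real user, mostly successes."""
    return ["2020-09-10T12:02:00Z auth result=ok user=bob ip=203.0.113.10",
            "2020-09-10T12:02:05Z auth result=fail user=carol ip=203.0.113.11",
            "2020-09-10T12:02:09Z auth result=ok user=carol ip=203.0.113.11",
            "not a log line at all"]


if __name__ == "__main__":
    for name, log in [("stuffing", sample_stuffing_log()),
                      ("brute force", sample_brute_force_log()),
                      ("normal", sample_normal_log())]:
        print(f"{name:>11}: {classify(log)}")
```

The point of the per-IP ceiling is that a rate limit keyed on source address alone sees at most two failures from any one of the twenty rotating addresses in the constructed burst and never fires; the window-wide count of distinct usernames, and the share of those usernames that the site has never heard of, is what exposes the campaign.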

Acohido concludes that organizations and individuals both need to take steps to address this threat.

“Credential stuffing campaigns will only continue to torch trust in the core systems we need to be able to rely on in order to help us get past this global pandemic as well as to democratically elect a president,” Acohido writes. “There are plenty of free and low-cost security tools that can and should be brought to bear by state and local agencies dispensing Covid-19 aid and carrying out elections. And individual citizens have a responsibility to act as well. We can give up some convenience in favor of more proactively controlling our online privacy and reducing our digital footprints.”

There are steps users can take to make credential stuffing less effective. New-school security awareness training can teach your employees how to protect their accounts against these attacks by using strong, unique passwords and multi-factor authentication.

Avast has the story.


Are your users’ passwords…P@ssw0rd?

Employees are the weakest link in network security, using weak passwords and falling for phishing and social engineering attacks. KnowBe4’s complimentary Weak Password Test (WPT) checks your Active Directory for several different types of weak-password-related threats.

Here's how it works:

  • Reports on the accounts that are affected
  • Tests against 10 types of weak-password-related threats
  • Does not show/report on the actual passwords of accounts
  • Just download the install and run it
  • Results in a few minutes!

Check Your Passwords

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/weak-password-test
