Mouser Left Banner
Mouser Left Banner
Mouser Left Banner
Mouser Right Banner
Mouser Right Banner
Mouser Right Banner

    Cracking the Hack…is it possible?

    Let’s play a game. Below are clues describing a specific type of cyberattack; can you guess what it is?

    • This cyberattack is an automated bot-based attack
    • It uses automation tools such as cURL and PhantomJS
    • It leverages breached usernames and passwords
    • Its primary goal is to hijack accounts to access sensitive data, but denial of service is another consequence
    • The financial services industry has been the primary target

    Struggling? We understand, it’s tricky! Here are two more clues:

    • Hackers will often route login requests through proxy servers to avoid blacklisting their IP addresses
    • It is a subset of Brute Force attacks, but different from credential cracking

    And the Answer Is….

    Credential stuffing! If you didn’t guess correctly, don’t worry. You certainly aren’t alone. At this year’s RSA Conference, Radware invited attendees to participate in a #HackerChallenge. Participants were given clues and asked to diagnose threats. While most were able to surmise two other cyber threats, credential stuffing stumped the majority.

    Understandably so. For one, events are happening at a breakneck pace. In the last few months alone, there have been several high-profile attacks leveraging different password attacks, from credential stuffing to credential spraying. It’s entirely possible that people are conflating the terms and thus the attack vectors. Likewise, they may also confuse credential stuffing with credential cracking.

    Stuffing vs. Cracking vs. Spraying

    As we’ve previously written, credential stuffing is a subset of brute force attacks but is different from credential cracking. Credential stuffing campaigns do not involve the process of brute forcing password combinations. Rather, they leverage leaked username and passwords in an automated fashion against numerous websites to take over users’ accounts due to credential reuse.

    Conversely, credential cracking attacks are an automated web attack wherein criminals attempt to crack users’ passwords or PIN numbers by processing through all possible combines of characters in sequence. These attacks are only possible when applications do not have a lockout policy for failed login attempts. Software for this attack will attempt to crack the user’s password by mutating or brute forcing values until the attacker is successfully authenticated.

    As for credential (or password) spraying, this technique involves using a limited set of company-specific passwords in attempted logins for known usernames. When conducting these types of attacks, advanced cybercriminals will typically scan your infrastructure for external facing apps and network services such as webmail, SSO and VPN gateways. Usually, these interfaces have strict timeout features. Actors will use password spraying vs. brute force attacks to avoid being timed out and possibly alerting admins.

    So What Can You Do?

    A dedicated bot management solution that is tightly integrated into your Web Application Firewall (WAF) is critical. Device fingerprinting, CAPTCHA, IP rate-based detection, in-session detection and terminations JavaScript challenge is also important.

    In addition to these steps, network operators should apply two-factor authentication where eligible and monitor dump credentials for potential leaks or threats.

    About the Author

    Nikhil Taneja is a highly successful and rewarding career of 24 years in the IT industry. Having worked in organizations such as Wipro, Digital equipment corporation – Compaq, Cabletron Systems, Radware (since April 2002 joining as Country Head – India & SAARC Operations) before taking on the reigns of Radware in India and growing the business many folds across other regions such as SAARC and Middle East.

    nikhil taneja radware


    ELE Times Research Desk
    ELE Times Research Desk
    ELE Times provides a comprehensive global coverage of Electronics, Technology and the Market. In addition to providing in depth articles, ELE Times attracts the industry’s largest, qualified and highly engaged audiences, who appreciate our timely, relevant content and popular formats. ELE Times helps you build awareness, drive traffic, communicate your offerings to right audience, generate leads and sell your products better.

    Technology Articles

    Popular Posts

    Latest News

    Must Read

    ELE Times Top 10