Credential abuse is the deliberate theft and use of stolen usernames and passwords to access sensitive or high-value data for personal gain, espionage, or other malicious intent.
As they pertain to web applications, credential abuse attacks typically incorporate the following elements, usually in this order:
- Harvest Credentials: Hackers purchase or otherwise gather account credentials harvested from various data breaches.
- Test Credentials: Taking advantage of bot networks and hiding behind anonymizing systems (e.g., proxy servers and Tor relays), they then “probe” accessible web applications to find accounts where the stolen credentials work.
- Gain Access: With usable credential-account pairs in hand, the hackers can pass right through most perimeter and access control defenses by posing as authorized users of the target applications and services.
- Steal Assets: Depending on the nature of the compromised accounts/applications, they can pursue a wide variety of deleterious activities, such as transferring money, cancelling services, viewing sensitive medical information, or even stealing additional credentials.
Alternately, hackers can skip the ‘test credentials’ step by using man-in-the-browser, keylogging trojans, and other types of credential harvesting attacks to directly obtain usable credential-account pairs from unwitting users with compromised devices.
Credential Abuse Mitigation Methods
Credential stuffing with stolen credentials and weak passwords is detected as follows:
- Repeated login failures from a client trigger checks against repositories of stolen credentials, weak passwords and privileged account passwords.
- A successful match against one of these repositories confirms a credential stuffing attack.
Mitigation rules can be configured to alert on and automatically block such clients.
Risky devices are detected through device fingerprinting and suspicious behavior:
- Device Risk Evaluation: During the login process, the device's risk score is evaluated based on its reputation (e.g., whether it is a jailbroken device, whether it uses evasion techniques, or whether it is known to be associated with multiple accounts).
- Mitigation Rules: The device risk score determines the mitigation action performed on a specific web login attempt: audit, alert or block.
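As an added example (not code from this page or from Imperva's product), both detection flows described above in Python: repeated failures from one client gate the repository lookups, a repository match confirms stuffing and forces a block, and a device risk score maps to audit, alert or block. The failure threshold, the score bands, the SHA-1 repository format and all sample events are assumptions constructed for the example.

```python
import hashlib
from collections import defaultdict

FAILURE_THRESHOLD = 3  # failures from one client before repository checks begin (assumed value)

def pw_hash(password):
    """Repositories hold SHA-1 digests rather than plaintext (an assumption of this example)."""
    return hashlib.sha1(password.encode()).hexdigest()

# Constructed repositories; a real deployment would query breach-corpus and weak-password services.
WEAK_OR_STOLEN_PASSWORDS = {pw_hash(p) for p in ("Password1", "qwerty123", "Summer2019!")}
STOLEN_CREDENTIAL_PAIRS = {("alice", pw_hash("Summer2019!"))}

def device_action(risk_score):
    """Map a device risk score (0-100) to audit/alert/block; band edges are assumptions."""
    if risk_score >= 80:
        return "block"
    if risk_score >= 50:
        return "alert"
    return "audit"

class CredentialAbuseDetector:
    def __init__(self, threshold=FAILURE_THRESHOLD):
        self.threshold = threshold
        self.failures = defaultdict(int)  # consecutive failed logins per client IP

    def evaluate(self, client_ip, username, password, success, device_risk):
        """Return (credential_stuffing_confirmed, action) for one login attempt."""
        action = device_action(device_risk)
        stuffing = False
        # Repeated failures from the same client trigger the repository checks.
        if self.failures[client_ip] >= self.threshold:
            h = pw_hash(password)
            if h in WEAK_OR_STOLEN_PASSWORDS or (username, h) in STOLEN_CREDENTIAL_PAIRS:
                stuffing = True   # a repository match confirms the attack
                action = "block"  # mitigation rule: alert and block this client
        self.failures[client_ip] = 0 if success else self.failures[client_ip] + 1
        return stuffing, action

# Constructed sample: (client_ip, username, password, success, device_risk).
SAMPLE_EVENTS = [
    ("203.0.113.7", "bob", "notInList1", False, 20),
    ("203.0.113.7", "carol", "notInList2", False, 20),
    ("203.0.113.7", "dave", "notInList3", False, 20),
    ("203.0.113.7", "alice", "Summer2019!", True, 20),      # stolen pair that works
    ("198.51.100.4", "erin", "Kx9#long-unique", True, 85),  # legitimate user, risky device
]

def run(events=SAMPLE_EVENTS):
    # Evaluate events in order, returning one (stuffing, action) verdict per event.
    detector = CredentialAbuseDetector()
    return [detector.evaluate(*e) for e in events]
```

A single stolen pair on a fresh client is not checked, because the lookup is gated on repeated failures; only the fourth attempt from 203.0.113.7 is confirmed as stuffing, while erin's clean login is blocked solely on device risk.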
Learn how Imperva solutions can help you mitigate credential abuse.