Credential Abuse

Credential abuse is the deliberate theft and use of stolen usernames and passwords to access sensitive or high-value data for personal gain, espionage, or other malicious intent.

Threat Description

As they pertain to web applications, credential abuse attacks typically incorporate the following elements, usually in this order:

  1. Harvest Credentials: Hackers purchase or otherwise gather account credentials harvested from various data breaches.
  2. Test Credentials: Taking advantage of bot networks and hiding behind anonymizing systems (e.g., proxy servers and Tor relays), they then “probe” accessible web applications to find accounts where the stolen credentials work.
  3. Gain Access: With usable credential-account pairs in hand, the hackers can pass right through most perimeter and access control defenses by posing as authorized users of the target applications and services.
  4. Steal Assets: Depending on the nature of the compromised accounts and applications, they can pursue a wide variety of deleterious activities, such as transferring money, cancelling services, viewing sensitive medical information, or even stealing additional credentials.

Alternatively, hackers can skip the ‘test credentials’ step by using man-in-the-browser malware, keylogging trojans, and other types of credential harvesting attacks to obtain usable credential-account pairs directly from unwitting users with compromised devices.

Credential Abuse Mitigation Methods

Credential Intelligence

Credential intelligence detects credential stuffing that relies on stolen credentials and weak passwords as follows:

  1. Repeated login failures trigger checks against repositories of stolen credentials, weak passwords, and privileged-account passwords.
  2. A successful match against one of these repositories confirms a credential stuffing attack.

Mitigation rules can be configured to alert on and automatically block such clients.

Device Intelligence

Device intelligence detects risky devices based on device fingerprinting and suspicious behavior as follows:

  1. Device Profiling: JavaScript is injected into every device that attempts to log into the web application. The JavaScript profiles the device and identifies whether it is a new or a returning device accessing the web application.
  2. Device Risk Evaluation: During the login process, the device's risk score is evaluated based on its reputation (e.g., whether it is a jailbroken device, whether it is using evasion techniques, or whether it is known to be associated with multiple accounts).
  3. Mitigation Rules: The device risk score is used to determine the mitigation action performed on a specific web-login attempt. The result of the mitigation rule determines the action taken: audit, alert, or block.
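As an added illustration (not Imperva's code or product logic), the following Python models both mitigation flows described above: a per-client failure counter that triggers a lookup against a hashed breach repository, and a device risk score mapped to audit, alert, or block. The thresholds, repositories, and login events are constructed assumptions.

```python
import hashlib
from collections import defaultdict

FAILURE_THRESHOLD = 3   # repeated failures from one client trigger the repository check

def cred_hash(user, password):
    """Hash a user:password pair so the repository never holds leaked plaintext."""
    return hashlib.sha256(f"{user}:{password}".encode()).hexdigest()

# Constructed sample repositories (hypothetical data, not a real breach corpus):
BREACHED = {cred_hash("alice", "Winter2019!"), cred_hash("bob", "hunter2")}
WEAK_PASSWORDS = {"password", "123456", "qwerty"}

class CredentialAbuseDetector:
    def __init__(self):
        self.failures = defaultdict(int)   # failed logins per client address

    def evaluate(self, client_ip, user, password, success, device_risk):
        """Return the mitigation action for one login attempt."""
        if not success:
            self.failures[client_ip] += 1
        if self.failures[client_ip] >= FAILURE_THRESHOLD:
            # Credential Intelligence: a hit in a repository confirms stuffing
            if cred_hash(user, password) in BREACHED or password in WEAK_PASSWORDS:
                return "block"
            return "alert"          # many failures, but nothing confirmed yet
        # Device Intelligence: the profiled risk score picks the action
        if device_risk >= 80:
            return "block"
        if device_risk >= 50:
            return "alert"
        if device_risk >= 20:
            return "audit"
        return "allow"

# Constructed login events: (client_ip, user, password, login_succeeded, device_risk)
EVENTS = [
    ("203.0.113.7", "alice", "Summer2020", False, 10),
    ("203.0.113.7", "carol", "letmein", False, 10),
    ("203.0.113.7", "dave", "password", False, 10),       # 3rd failure, weak password
    ("203.0.113.7", "bob", "hunter2", True, 10),          # breached pair that "works"
    ("198.51.100.4", "erin", "correct-horse", True, 65),  # risky device, clean password
    ("198.51.100.9", "frank", "S3cure!pass", True, 5),
]

def run(events=EVENTS):
    """Replay the events through one detector and return the action per attempt."""
    detector = CredentialAbuseDetector()
    return [detector.evaluate(*event) for event in events]
```

Note that the fourth attempt is blocked even though the login succeeded: once the failure threshold is crossed, a successful login with a known-breached pair is exactly the signal the repository check exists to catch.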
