Blog, Events & News

Uncovering Bots in eCommerce Part 4: The Impact of Credential Stuffing

By Netacea / 01st Jul 2020

On 14th May we hosted a live webinar, in which Scott Pendlebury – Head of Threat Research at Netacea – discussed credential stuffing and the growth of online fraud in the eCommerce industry.

What is credential stuffing?

Credential stuffing is one of the most common forms of online crime, it is the act of testing stolen passwords and usernames against website login forms, to validate the credentials for malicious reuse. Once a match is found, the attacker can easily commit various types of fraud.

When credentials are stolen through a database breach, malware, or other means, they are kept for use in future attacks against many different targets. Many of these lists are shared privately amongst attackers or become publicly available.

Scott said: “Attackers are innovative, they are always thinking of new ways they can monetise breached accounts.”

There are several common signs that bot activity has occurred, such as the number of login attempts and failures from unusual locations, uncommon traffic patterns and speed.

What fuels credential stuffing?

Credential stuffing is an ever-growing problem, in the UK alone 53% of all fraud committed is online. These types of attacks are becoming ever cheaper to conduct.

Bot tooling and automation software can be free to use, making it easier for automated credential stuffing attacks. In some cases, attackers can gain something for nothing. Scott said: “You could potentially stage a credential stuffing attack for free.”

Whilst credential stuffing has likely been around for quite some time, large collections of credentials have been made public over the last few years, make it easier for attackers to start partaking in credential stuffing for minimal effort.

How does credential stuffing affect eCommerce?

Credential stuffing is easy to perform, so its popularity with cybercriminals will continue to increase with time.

We know that cybercriminals take over accounts and perpetrate a fraud on eCommerce companies and their customers. When a business suffers from stolen credentials, it can cost them severely, with attackers able to make illegal purchases, claim existing rewards or loyalty points and acquire personally identifiable information (PII).

It is vital that credential stuffing attacks are stopped to protect eCommerce websites from fines and chargebacks while securing customers against the threat of data breaches.

If you missed our live webinar, you can still watch it on-demand: Uncovering bots in eCommerce.