Be Aware: Your Online Services May Be Suffering from Credential Stuffing Attacks

Featuring Dan Woods, Vice President of the Shape Intelligence Center with Shape Security, now part of F5 Networks.

There actually are nation states launching aggressive attacks against a lot of American interests, and we know this because the criminal organizations are largely interested in money. But when you have highly sophisticated attacks logging into bank accounts but not monetizing, not stealing anything, you think about what would cause that?

When I was at the Bureau, if I had access to bank accounts, it told me a lot about the individual. I mean, a lot. I knew where they shopped, I knew where they traveled: I knew a lot about them. So a lot of this is intelligence gathering, I think, by nation states. What if they were getting into my hotel account, they'd see where I'm staying. If they get in my airline account, they'll see where I'm traveling. We can always tell them because they're highly, highly sophisticated. They don't appear to be motivated by money but instead by gathering intelligence.

It's quite typical that an enterprise grossly underestimates the size and scope of the problem, and the reason why is these attacks are now coming from millions of IP addresses. They don't come from a dozen IP addresses, they come from millions, and security operations centers across the globe, really, have become quite comfortable identifying attack traffic based on volume of transactions. For my piece, web application firewalls, you know, they can typically identify the top 20, 30, maybe even the top 100 noisiest IPs, but they miss the long tail of millions of IPs that have maybe 10 or 20 transactions each, because they don't reach the volume to trigger any thresholds.
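
The blind spot described in the last paragraph, as an added example that is not part of the interview and not Shape or F5 code: it measures how many failed logins a per-IP volume threshold never sees. The login log, the addresses, the per-source counts and the threshold of 100 are all constructed for illustration.

```python
from collections import Counter
from ipaddress import IPv4Address


def build_sample_events():
    """Constructed login log of (source_ip, succeeded) tuples. Not real data."""
    base = int(IPv4Address("10.0.0.0"))
    events = []
    # 3 noisy sources with 500 failed logins each: what a volume rule catches.
    for i in range(3):
        events += [(str(IPv4Address(base + i)), False)] * 500
    # Long tail: 2000 sources with only 10 failed logins each.
    for i in range(2000):
        events += [(str(IPv4Address(base + 1000 + i)), False)] * 10
    # Ordinary users: 300 sources with 2 successful logins each.
    for i in range(300):
        events += [(str(IPv4Address(base + 100000 + i)), True)] * 2
    return events


def threshold_coverage(events, per_ip_threshold):
    """Report how much failed-login traffic a per-IP request threshold misses."""
    per_ip = Counter(ip for ip, _ in events)
    # Sources whose total request count reaches the alerting threshold.
    flagged = {ip for ip, n in per_ip.items() if n >= per_ip_threshold}
    failed = [ip for ip, ok in events if not ok]
    failed_flagged = sum(1 for ip in failed if ip in flagged)
    missed = len(failed) - failed_flagged
    return {
        "flagged_ips": len(flagged),
        "total_ips": len(per_ip),
        "failed_logins": len(failed),
        "failed_from_flagged": failed_flagged,
        "failed_missed": missed,
        "missed_share": missed / len(failed) if failed else 0.0,
    }


if __name__ == "__main__":
    report = threshold_coverage(build_sample_events(), per_ip_threshold=100)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against real authentication logs, the `missed_share` figure shows what fraction of failed logins comes from sources that never trip the volume rule.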