
The Dark Truth About Cyber Security

Every year, millions of people have their credentials stolen by cybercriminals. Criminals use simple techniques such as phishing to manipulate people into giving up their usernames and passwords. This can lead to major assets being compromised or stolen. Unfortunately, criminals know that many individuals reuse the same passwords or variations of the same password across many sites. Criminals use this information to test stolen passwords on other sites, which can be done on a massive scale. Such attacks can become life-threatening and destructive to many companies and individuals.

Given the leap in technological advancements over the last several decades, the need to protect data and assets stored electronically has spiked exponentially. This article will serve as a guide that companies can use to avoid the most common cyber threats such as credential stuffing, phishing, and malware.

CREDENTIAL STUFFING

Credential stuffing is now the “single largest source of account takeover and automated fraud on most online services.”^1 The Open Worldwide Application Security Project (OWASP) defines credential stuffing as “the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts.”^7 Many cybercriminals know that if they can gain access to an account on one site, their chances of breaching the same user’s accounts on other sites increase. Criminals follow methods like the one shown in the visual below when conducting a credential stuffing attack. When a company’s site suddenly experiences a higher volume of login attempts than usual, it is likely being targeted by credential stuffing bots.

A recent study picked several sites and simulated a credential stuffing attack to obtain users’ passwords. The study stated that attacks like the one used in the study can compromise more than 16% of users’ credentials within one thousand guesses or fewer.^4 Credential stuffing attacks have become a massive threat to companies with users who log in and out of their sites daily.

Companies can prevent credential stuffing attacks by ensuring that users do not reuse passwords. When companies require users to change passwords periodically, the users are better protected from cybercriminal attacks. While setting passwords, users should be informed of the strength of each password before setting it.

Monte Carlo simulations in the same study show that users who follow strong password practices are less susceptible to credential stuffing attacks.^4 Common suggestions for creating a strong password are:

  • Include special characters (e.g., @, #, &, $)
  • Mix uppercase and lowercase letters (e.g., StronGpaSSwoRdShErE)
  • Use a length of eight or more characters

Another common suggestion for users attempting to make a strong password is to avoid using anything that can easily be found through social media. Cybercriminals will scan users’ social profiles looking for small details that could be used in passwords. Children’s names, pets’ names, and places users have lived should be avoided.
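The rules above (special characters, mixed case, length, no personal details) and the earlier point about not reusing passwords or variations of them can all be enforced at the moment a password is set. The following is an added example, not code from the article; it applies those rules, rejects a new password that is a near-variation of the previous one, and checks a breach corpus by SHA-1 hash prefix in the k-anonymity style used by public breach-lookup services. The breach corpus, the personal terms and the similarity threshold are constructed assumptions for the example.

```python
"""Password acceptance check (added example, not the article's own code).

Applies the article's strength rules (special character, mixed case,
length of at least eight), rejects passwords built from personal details,
rejects near-variations of the previous password, and checks a breach
corpus by SHA-1 hash prefix. The corpus and personal terms are constructed.
"""
import difflib
import hashlib

SPECIALS = set("@#&$!%^*()-_=+[]{}<>;:,.?/\\|~")

# Constructed stand-in for a breach corpus. Only uppercase hex SHA-1
# digests are kept, never plaintexts, as a real lookup service stores them.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Password1!", "Summer2021$", "Qwerty@123")
}


def sha1_prefix_suffix(password):
    """Split the SHA-1 digest into the 5-hex-char prefix that a range query
    would send to a lookup service and the suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def is_breached(password, corpus=BREACHED_SHA1):
    prefix, suffix = sha1_prefix_suffix(password)
    # A real range query sends only `prefix` and receives every suffix that
    # shares it; the local corpus is filtered the same way so the comparison
    # matches what a remote lookup would return.
    suffixes = {h[5:] for h in corpus if h.startswith(prefix)}
    return suffix in suffixes


def check_password(password, personal_terms=(), previous=None,
                   max_similarity=0.8):
    """Return a list of reasons to reject `password`; an empty list means accept."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    if not (any(c.isupper() for c in password)
            and any(c.islower() for c in password)):
        problems.append("no mix of uppercase and lowercase letters")
    lowered = password.lower()
    for term in personal_terms:
        # Pet names, children's names, cities: anything scraped from a profile.
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal detail '{term}'")
    if previous is not None:
        # Catches 'Summer2021$' -> 'Summer2022$' style rotations.
        similarity = difflib.SequenceMatcher(None, previous, password).ratio()
        if similarity >= max_similarity:
            problems.append("too similar to the previous password")
    if is_breached(password):
        problems.append("appears in a known breach")
    return problems


if __name__ == "__main__":
    print(check_password("Rex2015!", personal_terms=["Rex", "Denver"]))
    print(check_password("Summer2022$", previous="Summer2021$"))
    print(check_password("tr0ub4dor&3-Lemur"))
```

The `previous` comparison only works at password-change time, when the user has just supplied the old password; it is not a check that can be run against stored hashes. The breach check is the one rule that directly addresses credential stuffing, since the attacker's input is by definition a list of already-breached pairs.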

PHISHING

The more technological advances there are, the more susceptible companies become to cyber-attacks. Trust is vital to the success of a company; users must feel like they can trust the company they work for and vice versa. Phishing attacks attempt to manipulate users by leveraging the trust that already exists between the user and another party. These types of attacks are launched to steal account information, login credentials, and sensitive identity information.

A recent study took twenty-two participants and asked them to look at twenty different websites. The participants were then asked to select which sites they thought were fraudulent. Twenty-three percent of those participants overlooked browser-based cues such as the address bar, status bar, and security indicators. The study concluded that 40% of the time people will incorrectly identify the difference between real and fraudulent sites.^5

Users who are unable to identify the common differences put themselves and the companies they work for at risk. Consequently, it becomes increasingly important for a company to teach employees how to identify fraudulent emails and websites.

Criminals use a method very similar to the one outlined below to write phishing emails and publish fraudulent sites that leverage the trust established between users and a trusted third party. Phishing emails commonly claim to be from the user’s bank, employer, or any other affiliated website. These emails often include links to sites meant to steal one’s credentials. For example, a phishing email may include a link that says, “click here to reset your password.” These links take users to fraudulent websites that request the user to log in with their credentials, and from there, criminals can collect the user’s information for their gain.^3

For best practice, experts recommend that users pay special attention to the URL. For instance, the two website URLs listed below look identical at first glance, but on closer examination they take users to different sites.^2

www.paypai.com

VS

www.paypal.com

Another helpful hint for users is to examine the email address of the sender. It is easy for a criminal to mimic senders with a look-alike email alias. Cybercriminals use look-alike email addresses and websites to manipulate users into sharing information. Employers that teach employees what to look for in fraudulent websites and emails are less likely to fall prey to a phishing attack.

MALWARE

Malware is among the most common cybersecurity threats. These attacks can be catastrophic not only for an individual user but for an entire company. One of the biggest goals for any good company is to protect the information of its users. Companies achieve this goal through various cybersecurity plans and action steps. Malware becomes especially detrimental to users who are unaware of its presence. Malware is short for malicious software and is used as a term to refer to any software designed to infiltrate or damage a computer system without the owner’s informed consent.^6 Given the wide range of definitions, malware exists in numerous forms. As shown in the visual below, common examples include computer viruses, worms, Trojan horses, rootkits, adware, spyware, and any other unwanted and malicious software.

Anyone who owns or uses a computer is at risk of a malware attack. Companies that deal with users’ sensitive information must teach employees how to identify and prevent malware attacks. Most malware enters a computer through links that users click, which then start a download without the user’s consent. Computers infected with malware tend to experience program crashes, slow page loading, and other technical difficulties. Users who experience such effects have likely been infected with malware.^6 Suggested methods for the prevention of malware attacks include using third-party antivirus applications that regularly scan users’ devices for potential threats. Companies that use and require antivirus applications on employees’ computers will effectively reduce the number of malware attacks within their organizations.

CONCLUSION

The threat of cyberattacks increases as technology evolves. Implementing methods to prevent these attacks is essential to the workplace. Fortunately, many companies are already aware of the importance of cybersecurity. The most common cyberattacks include credential stuffing, phishing, and malware attacks. To avoid credential stuffing, password protection is essential. As technology continues to advance, strong and secure passwords become crucial to the prevention of credential stuffing attacks. Preventing phishing attacks depends on the user’s ability to make sound decisions in the workplace.

Carefully examining what an email contains and who the email came from will help reduce the chance of falling prey to a phishing attempt. Malicious software comes in many forms, and it can cause significant damage without the user ever knowing. In addition to using third-party antivirus applications, being cautious about the files users share and download can help prevent malware attacks. Trust continues to be vital to the performance of a company. Maintaining trust between the consumer and the company must include a plan and a promise that the company will keep the consumer’s information safe. Employers who educate their employees on common cyber threats effectively decrease their chances of being compromised by attacks that cannot be avoided.

As the advancement of technology moves forward, more sensitive information will be stored electronically, thus increasing the need for cybersecurity. By applying the methods discussed in this article, companies and their consumers will be better prepared to face the most common cybercriminal attacks.

Notes

1. Shape Security, *Online Retail Threats Shape Security* (Aug. 2018) [Shape Security Report](https://info.shapesecurity.com/rs/935-ZAM778/images/ShapeSecurity_Retail_eBook_CredentialStuffing.pdf)

2. Magid, Larry, “Why Cyber Security Matters To Everyone,” Forbes Media (Oct. 2014). [Forbes Article](https://www.forbes.com/sites/larrymagid/2014/10/01/why-cyber-security-matters-to-everyone/#5ce802c95a71)

3. Singer P. & Friedman A. (2014), *Cybersecurity: What Everyone Needs to Know*, Oxford University

4. B. Pal, T. Daniel, R. Chatterjee and T. Ristenpart, “Beyond Credential Stuffing: Password Similarity Models Using Neural Networks,” 2019 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 2019, pp. 417-434.

5. WWW ‘07: Proceedings of the 16th International Conference on World Wide Web, May 2007, Pages 649–656 [DOI: 10.1145/1242572.1242660](https://doi.org/10.1145/1242572.1242660)

6. Jarno N., Mikko H., Santeri K., *Malware Protection*, 2018, pp. 1-30

7. “Credential Stuffing.” *Credential Stuffing Software Attack* | OWASP Foundation. Accessed November 28, 2021. [OWASP Credential Stuffing](https://owasp.org/wwwcommunity/attacks/Credential_stuffing)

8. “Credential Stuffing Threats Facing the Ecommerce Industry ...” Accessed November 28, 2021. [RSA Conference Article](https://www.rsaconference.com/library/blog/credential-stuffing-threats-facing-the-ecommerce-industry-this-holiday-season)