Credential stuffing is a critical attack technique. According to published statistics, between 1 January 2018 and 31 December 2019 there were more than 88 billion credential-stuffing attempts across all industries. On 26 March 2020, a video media service in Europe experienced a sharp spike in attacks, reaching 348,050,675 malicious login attempts in 24 hours. On 17 August 2020, the Canada Revenue Agency portal was directly targeted by a botnet that sent a high volume of login traffic in a credential-stuffing attack. The attack led to the compromise of 11,000 out of 12 million personal accounts.
In this presentation, we share our research on using deception to detect credential-stuffing bots. Credential-stuffing bots can either scrape the website's login page and submit the login form with the compromised credentials, or submit the compromised credentials directly to login APIs. Bots that scrape the victim's login page commonly use libraries such as MechanicalSoup, PhantomJS and Selenium with headless browsers. When a bot scrapes the victim's login page, breadcrumbs or lures placed on the page can divert the bot's traffic into the deception. In the presentation, we first share our analysis of various credential-stuffing bots, which lays the foundation for the design of breadcrumbs that can be dynamically injected into the website to detect credential-stuffing bots.
Traditionally, deception-based technology relies on statically placed breadcrumbs and lures to divert the traffic generated by malware or a threat actor so that it can be detected. In this presentation, we also introduce just-in-time deception. Just-in-time deception leverages instrumented applications: upon the occurrence of a trigger event, the application injects breadcrumbs. Once these breadcrumbs are accessed, the resulting traffic is analysed by the detection algorithm to identify the credential-stuffing bot. The design of the algorithm will be shared in the presentation.
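As an added illustration of both ideas above (page breadcrumbs that a DOM scraper cannot tell from real form fields, and just-in-time injection of those breadcrumbs on a trigger event), the following Python is example code written for this page; it is not the presenters' implementation, and the talk's own detection algorithm is not described here. The trigger heuristic (`should_inject`), the field names, the decoy route `/api/v1/auth/login`, the HMAC key and the classification rules are all assumptions made for the example. The scraper class mimics a naive MechanicalSoup-style bot that fills every input it finds, which is exactly the behaviour the hidden decoy field exploits.

```python
import hashlib
import hmac
from html.parser import HTMLParser

# Assumptions for this example (constructed; not from the talk):
SERVER_KEY = b"example-only-key"       # a real deployment would use a managed secret
DECOY_FIELD = "email_confirm"         # text input hidden from rendering browsers
BREADCRUMB_FIELD = "bc"               # per-session token carried by the form
DECOY_PATH = "/api/v1/auth/login"     # decoy API route advertised only inside the page


def mint_breadcrumb(session_id: str) -> str:
    """Bind the breadcrumb to the session, so a token scraped in one session
    and replayed in another is detectable."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()[:32]


def should_inject(failed_logins_last_minute: int, threshold: int = 20) -> bool:
    """Trigger event for just-in-time injection (assumed heuristic): a burst
    of failed logins. Below the threshold the page is served unchanged."""
    return failed_logins_last_minute >= threshold


def render_login_page(session_id: str, inject: bool) -> str:
    """Render the login form. Only when the instrumented app passes inject=True
    does the page carry the decoys: a CSS-hidden text input that no human can
    see or fill, a session-bound hidden token, and a hidden link to a decoy
    API route. A DOM scraper never applies CSS, so it sees ordinary fields."""
    decoys = ""
    if inject:
        decoys = (
            '<div style="display:none">'
            f'<input type="text" name="{DECOY_FIELD}" value="">'
            f'<input type="hidden" name="{BREADCRUMB_FIELD}" '
            f'value="{mint_breadcrumb(session_id)}">'
            '</div>'
            f'<a href="{DECOY_PATH}" style="display:none">api</a>'
        )
    return (
        '<form method="post" action="/login">'
        '<input type="text" name="username">'
        '<input type="password" name="password">'
        f'{decoys}'
        '<button type="submit">Sign in</button>'
        '</form>'
    )


class FormScraper(HTMLParser):
    """Mimics a naive DOM-scraping bot: collects every <input> and every link."""

    def __init__(self):
        super().__init__()
        self.inputs = {}   # name -> (type, value)
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and "name" in a:
            self.inputs[a["name"]] = (a.get("type", "text"), a.get("value", ""))
        elif tag == "a" and "href" in a:
            self.links.append(a["href"])


def scrape_and_fill(page_html: str, username: str, password: str) -> dict:
    """What a credential-stuffing scraper submits: the password into the
    password field, the served value for hidden fields (as a browser would),
    and the username into every remaining text input, decoy included."""
    parser = FormScraper()
    parser.feed(page_html)
    fields = {}
    for name, (itype, value) in parser.inputs.items():
        if itype == "password":
            fields[name] = password
        elif itype == "hidden":
            fields[name] = value
        else:
            fields[name] = username
    return fields


def classify_submission(session_id: str, path: str, fields: dict) -> str:
    """Detection logic (assumed design, not the talk's algorithm). Any contact
    with a breadcrumb is a signal on its own, so a scraping bot is flagged on
    its first submission rather than after a volume threshold is crossed."""
    if path == DECOY_PATH:
        return "bot: hit decoy API route"
    if fields.get(DECOY_FIELD):
        return "bot: filled hidden decoy field"
    token = fields.get(BREADCRUMB_FIELD)
    if token is not None:
        expected = mint_breadcrumb(session_id)
        if not hmac.compare_digest(token.encode(), expected.encode()):
            return "bot: breadcrumb replayed from another session"
    return "no deception signal"


if __name__ == "__main__":
    page = render_login_page("sess-A", inject=should_inject(failed_logins_last_minute=50))
    bot_post = scrape_and_fill(page, "victim@example.com", "Password1!")
    print(classify_submission("sess-A", "/login", bot_post))
    # A real browser submits the hidden inputs too, but leaves the decoy empty.
    human_post = {"username": "victim@example.com", "password": "Password1!",
                  DECOY_FIELD: "", BREADCRUMB_FIELD: mint_breadcrumb("sess-A")}
    print(classify_submission("sess-A", "/login", human_post))
```

The three checks in `classify_submission` correspond to the three ways a scraping bot can touch a breadcrumb: following the hidden link, filling the invisible field, or reusing a token lifted from a page served to a different session. None of them fires for a browser that renders the CSS, which is why the page can be served without the decoys until the trigger event and why a single bot request is enough to classify it.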
Finally, we conclude by sharing the results of our study. Our study shows that deception-based detection is not only highly effective at detecting bots that scrape websites and submit stolen usernames and passwords, but also has the inherent advantage of detecting such bots on their very first attempt at exploitation.