Page 158 - Cyber Defense eMagazine September 2025

The Evolution of Credential Stuffing Beyond "Just Bots"

In the past, credential stuffing meant high-speed bots hammering login forms with usernames and passwords harvested from earlier breaches.

   •  Such bots were frequently stopped by security measures like IP blacklisting, velocity checks, and CAPTCHA.
   •  The New World with AI: AI-powered bots dynamically modify attack velocity, device fingerprints, and session patterns through reinforcement learning.
   •  Attackers repurpose tools such as open-source machine learning libraries to teach bots to "look" like actual users.
   •  Credential stuffing campaigns now circumvent MFA by exploiting push-notification fatigue (also known as "MFA bombing") or weak SMS-based factors.
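To make the velocity-check point concrete, here is an added example (not from the article, with constructed log events and made-up addresses): a classic per-IP velocity rule sees nothing when a rotating pool of addresses tries one password per account at a slow pace, while a population-level check that counts failure-only source IPs per window still surfaces the campaign.

```python
from collections import defaultdict

# Constructed sample authentication events (not taken from the article):
# (epoch seconds, source IP, username, outcome). Ten rotating addresses
# each try one password against one account, five minutes apart, so no
# single address ever trips a per-IP velocity rule.
EVENTS = [(0, "198.51.100.7", "alice", "ok"),
          (120, "198.51.100.7", "alice", "fail"),   # a real user's typo
          (180, "198.51.100.7", "alice", "ok")]
EVENTS += [(600 + i * 300, f"203.0.113.{i}", f"user{i:02d}", "fail")
           for i in range(10)]


def velocity_alerts(events, window=600, max_fail=5):
    """Classic per-IP velocity check: flag an IP with more than
    max_fail failed logins inside a sliding window of `window` seconds."""
    recent_fails = defaultdict(list)
    flagged = set()
    for ts, ip, _user, outcome in sorted(events):
        if outcome != "fail":
            continue
        recent_fails[ip] = [t for t in recent_fails[ip] if ts - t <= window]
        recent_fails[ip].append(ts)
        if len(recent_fails[ip]) > max_fail:
            flagged.add(ip)
    return flagged


def low_and_slow_alerts(events, window=3600, max_fail_only_ips=5):
    """Population-level check: per fixed window, count source IPs whose
    only activity is failures. A rotating pool spraying one password per
    account shows up here even when each address stays far below the
    velocity threshold. Returns [(window_start, ip_count), ...]."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[ev[0] // window].append(ev)
    alerts = []
    for bucket, evs in sorted(buckets.items()):
        outcomes_by_ip = defaultdict(set)
        for _ts, ip, _user, outcome in evs:
            outcomes_by_ip[ip].add(outcome)
        fail_only = [ip for ip, outs in outcomes_by_ip.items() if outs == {"fail"}]
        if len(fail_only) > max_fail_only_ips:
            alerts.append((bucket * window, len(fail_only)))
    return alerts


if __name__ == "__main__":
    print("velocity rule flags:", velocity_alerts(EVENTS))       # set()
    print("low-and-slow windows:", low_and_slow_alerts(EVENTS))  # [(0, 10)]
```

Real deployments would replace the fixed threshold with a baseline learned from the site's normal failure rate, but the contrast between the two views of the same log is the point.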



Real-world illustration:

An AI-driven attack against a multinational retail behemoth in 2023 involved bots that mimicked human shopping behavior by rotating IP addresses across mobile networks, simulating device orientation sensors, and even varying login attempts over several weeks. There was nothing unusual in the IAM logs. The fraud bill? Chargebacks and account takeovers totaling more than $20 million.



The Business Impact: The Importance for CEOs and Boards

To a CEO or board member, credential stuffing is more than an IT annoyance; it is a business-continuity risk with real repercussions:

   •  Brand Damage: Even when the credentials came from another organization's breach, the affected user holds the company whose account was compromised accountable.
   •  Fraud Costs: Airlines report $750 million in loyalty-program fraud each year, mostly attributable to credential stuffing.
   •  Operational Disruption: Password-reset calls and fraud investigations overwhelm customer support teams.
   •  Regulatory Penalties: Under GDPR/CCPA, companies can be fined for failing to protect customer accounts, even when the credentials involved were reused from elsewhere.

For instance, Nintendo acknowledged in 2020 that a credential stuffing campaign had compromised 160,000 accounts. Parents and regulators were outraged when the attackers targeted children's accounts for stored credit card data.










            Copyright © 2025, Cyber Defense Magazine. All rights reserved worldwide.