Credential stuffing, a form of access-related cybercrime, is on the rise and shows no signs of slowing down. Between January 2018 and December 2019, there were 88 billion credential stuffing attacks, according to an Akamai survey.
Credential stuffing is a form of cyberattack in which compromised account credentials are used to obtain unauthorized access to user accounts through large-scale automatic login requests directed towards a web application, usually consisting of lists of usernames and/or email addresses and the corresponding passwords (often from a data breach). Credential stuffing attacks, unlike credential hacking, do not try to brute force or guess any passwords. Using standard web automation software like Selenium, cURL, PhantomJS, or tools built especially for these types of attacks like Sentry MBA, SNIPR, STORM, Blackbullet, and Openbullet, the intruder easily automates the logins for a significant number (thousands to millions) of previously discovered credential pairs.
Since many users repeat the same username/password combination across different pages, credential stuffing attacks are likely. According to one poll, 81 percent of users have reused a password across two or more sites, and 25% of users use the same password across a number of their accounts.
OpenBullet is a free web-testing tool that allows users to make particular requests on specific web pages. The open-source tool is available on GitHub and can be used for a variety of activities, including data scraping and sorting, automatic penetration testing, and Selenium unit testing.
For legitimate reasons, such as penetration testing, the app allows users to try several "login:password" variations as credential brute-force attacks on various websites. Cybercriminals, on the other hand, will use it to find legitimate passwords on various websites for nefarious purposes.
A user can import prebuilt configuration files or configs into OpenBullet, one for each website to be checked. It also has a modular editor for making changes to configurations as desired. This is a required function since websites also make minor changes to the way users link to them in order to combat automatic tools like OpenBullet. OpenBullet's GitHub profile, for example, has a note that the tool should not be used for credential stuffing on websites that the user does not own.
The Federal Trade Commission (FTC) released an advisory in 2017 advising businesses about how to combat credential stuffing, including requiring safe passwords and preventing attacks.