What is credential stuffing

Credential stuffing is an attack in which a hacker collects user and password information that has leaked on the Internet, generates a corresponding dictionary table, and tries to log in to other websites in batches to obtain a series of accounts that can log in. Many users use the same account and password on different websites, so a hacker who obtains a user's account on website A can try to log in to website B with it. This is what is meant by a credential stuffing attack.

Credential stuffing can be countered with big data security technologies, such as using data asset inventory to identify sensitive data, using database encryption to protect core data, and using database security operations to prevent credential stuffing attacks by operations and maintenance personnel.

 

Background

With the development of technology and the popularity of the Internet, user data leakage has always been a focus in today's Internet world.

From the recent smear incident of an online e-commerce company, to the previous leak of user data in a hotel, service providers and hackers have been engaged in a protracted offensive and defensive battle on the stage of user data.

For most users, credential stuffing may sound like a very specialized term, but it is relatively simple to understand. Credential stuffing is a boring "prank" for hackers, and it is also an attack technology that is ahead of the times. Hackers collect user account and password information that has already leaked on the Internet, generate corresponding dictionary tables, and, after trying to log in to other websites in batches, obtain a series of accounts that can log in. This kind of attack is one of those that leave Internet security maintenance personnel most helpless. Information leakage, account security and network security have undoubtedly become the issues of greatest public concern.

Credential stuffing and social engineering databases are also a product of the combination of hackers and big data. Hackers integrate and analyze leaked user data, archive it centrally, and turn it into an attack method. The "credential stuffing attack" is a major and common risk in online transactions.

Operating procedures

When it comes to "credential stuffing", we also have to mention "dragging the database" and "washing the database".

Figure 1

In hacker terminology, "dragging the database" refers to hackers breaking into valuable websites and stealing the databases that hold all registered users' data. Because the Chinese terms are homophones, it is also often called "pants removal"; 360's "library belt" plan, which rewards white hats who submit vulnerabilities, is named after this. After obtaining a large amount of user data, hackers use a series of technical means and the black-market industry chain to cash in the valuable user data, which is often referred to as "washing the database". Finally, the hackers try the obtained data as logins on other websites, which is called "credential stuffing". Because many users like to use the same username and password everywhere, "credential stuffing" can also make hackers a lot of money.

"Credential stuffing" is a hacking method. Hackers collect information such as usernames and passwords that have leaked on the Internet, then use technical means to "try" them as logins on other websites one by one, and in the end, by trying their luck, find some usernames and passwords that can log in.

Figure 1 shows the activities of hackers in the three stages of "dragging the database", "washing the database" and "credential stuffing".

Famous cases

Taking the previous leak as an example, first of all, the database was not leaked. Hackers just "coincidentally" obtained some user data (usernames and passwords) through "credential stuffing", and this method can be used against almost any website login system. When users log in to different websites with the same username and password, it is equivalent to giving themselves a "master key"; once it is lost, the consequences can be imagined. Therefore, preventing credential stuffing is a protracted battle that requires the participation of users.

On December 25, 2014, user information on the 12306 website went viral on the Internet. In this regard, the 12306 official website stated that the user information leaked online was leaked through other websites or channels. It is reported that no less than 131,653 pieces of user data were leaked this time. This batch of data is basically confirmed to be obtained by hackers through "credential stuffing attacks".

It was reported on June 5, 2018 that the People's Procuratorate of Yuhang District, Hangzhou City, Zhejiang Province prosecuted Tan XX for illegally obtaining computer information system data, and Ye XX and Zhang XX for providing programs for intrusion into computer information systems. On May 21, 2018, the Yuhang District People's Court made a verdict on the case. The defendant, Tan Moumou, was sentenced to three years in prison, suspended for four years, and fined RMB 40,000 for the crime of illegally obtaining computer information system data. Defendant Ye Moumou was sentenced to three years in prison, suspended for four years, and fined RMB 40,000 for the crime of providing programs for intrusion into computer information systems; defendant Zhang Moumou, for the crime of providing programs for intrusion into computer information systems, was sentenced to three years in prison, suspended for three years, and fined RMB 30,000. It is reported that this is the first credential stuffing and coding case in the country. The court fully accepted the prosecution opinion of the procuratorate.

Reposted from: Crash Library_Baidu Encyclopedia


Origin blog.csdn.net/fuhanghang/article/details/130718019