Attacker Economics and the Lure of Credential Stuffing

Carlos Asuncion
Published March 16, 2021

All businesses are guided by a cost-benefit analysis of their work. It’s the same for money-motivated online fraudsters. 

To operate profitably, cybercriminals need to devise systems that bring in more money than they spend on conducting the attacks.

There are two key factors influencing this calculation: the cost of operations and the changing security landscape. And costs are falling fast, which means hackers can spend a few hundred dollars to mount attacks with the potential to draw back millions of dollars.

As a result, we’re seeing credential stuffing become an increasingly popular and prevalent method of online fraud. Indeed, F5 Labs and Shape Security research recently reported that credential spill incidents nearly doubled from 2016 to 2020.

Credential stuffing entails hackers acquiring usernames and passwords at ultra-low prices (sometimes for free) from easy-to-access sources. They then use custom-built or off-the-shelf software to automate the login process across millions of user accounts on hundreds of websites. They do this hoping that, for example, someone’s Facebook password might double as their Internet service provider account login or even their bank account login. The traffic is distributed globally to avoid suspicion and, with another small investment, hackers can also defeat basic automated defenses such as the Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) by outsourcing to CAPTCHA-solving plugins or services.

At Shape Security, we estimate the cost of 100,000 account takeover attempts at roughly $200, including the necessary software, network proxies, and stolen credentials. Success rates typically range from 0.2 to 2%. Successful takeovers are then sold on various forums and markets for between $2 and $150, equating to a return of between 100 and 150,000% or even more. That adds up to a financial return of between $200 and $300,000-plus.

Unfortunately, many organizations still focus heavily on fending off bot attacks by using IP address or User-Agent string blocking, which quickly devolves into an anxiety-inducing and futile game of Whack-a-Mole. Instead, the emphasis should be on eliminating the value proposition for attackers to attack your digital properties.

Pricing the Fraudsters out of Business

For businesses, this means improving their defenses to such an extent that it is too costly for hackers to beat them. A real-world criminal will always target an open window rather than buy expensive tools to pick the lock of a solid door. The rules are the same for virtual properties.

The best method is to deploy a series of measures that force fraudsters back to the cost-incurring stages of their attacks. If this happens too many times, the cost-benefit analysis swings away from them and expenditure eventually outweighs any potential return. David Bianco introduced a concept back in 2013 called the Pyramid of Pain and it holds true when it comes to mitigating credential stuffing attacks with long-term efficacy. Engaging in Whack-a-Mole with IP addresses and User-Agent strings, which sit at the bottom of the pyramid, is futile. It is better to focus efforts higher up the pyramid and mitigate fraudsters’ tools and TTPs (tactics, techniques, and procedures). In other words, continually frustrate your adversary and force them to go elsewhere.

To get it right, you need to figure out how much it actually costs to attack your web and mobile properties. If you don’t know how much it costs, you don’t know what kind of friction and interdiction to put in place. Once you’ve done that, it is time to initiate a three-point plan.

First, address weak spots by auditing your network exposure to remove all low-hanging fruit. This creates a minimum barrier which attackers must overcome. For example, analyze your web application authentication pages and make sure you are not providing unnecessary feedback that may be helpful to fraudsters. Password reset pages are a common example here. Saying something like “sorry, that account does not exist, please try again” actually helps fraudsters. It tells them which accounts are valid on your site and which are not, thus improving the accuracy and efficiency of any subsequent credential stuffing attacks. A better response message would be, “we have received your password reset request. If this account exists, a password reset email will be sent to you”.
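The password reset example above, written out as an added illustration (not code from the original post): a leaky handler that answers differently for known and unknown accounts next to a hardened one that returns the uniform message and does the same work on both paths. The user store and outbox are constructed stand-ins for a real database and mail subsystem.

```python
import hashlib
import secrets

# Constructed sample user store for the example; these are not real accounts.
USERS = {"alice@example.com": {"id": 1}, "bob@example.com": {"id": 2}}

# Stand-in for the mail subsystem so the example runs offline.
OUTBOX = []


def reset_password_leaky(email: str) -> str:
    """'Before' version: the response text reveals whether the account exists,
    turning the reset page into a free account-validation oracle."""
    user = USERS.get(email)
    if user is None:
        return "sorry, that account does not exist, please try again"
    token = secrets.token_urlsafe(32)
    OUTBOX.append((email, token))
    return "a password reset email has been sent"


def reset_password_uniform(email: str) -> str:
    """Hardened version: identical message whether or not the account exists.
    Token generation and hashing run unconditionally so the timing of the
    response does not leak what the message no longer says (the dict lookup
    itself is negligible here; a real store should behave the same way)."""
    user = USERS.get(email)
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    if user is not None:
        # Only an existing account gets a stored token and an email.
        user["reset_token_hash"] = token_hash
        OUTBOX.append((email, token))
    return ("we have received your password reset request. "
            "If this account exists, a password reset email will be sent to you")


def leaks_account_existence(handler) -> bool:
    """Audit helper: does the handler answer differently for a known address
    and an unknown one? True means the page enumerates accounts."""
    known = handler("alice@example.com")
    unknown = handler("nobody@example.com")
    return known != unknown
```

The audit helper is the kind of check to run against every authentication and reset page, not just the one shown.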

Next, perform penetration testing on your own organization’s web and mobile apps to understand how easy or hard it is to compromise them to commit fraud. This process should be guided by evidence and not by gut feeling. It will help you build a toolbox of defenses that mirror likely attempts to beat your security measures.

Remember, the goal posts are always moving. The tools available to criminals improve by the day, so the third step is to regularly update and upgrade your security controls to keep pace with the ever-evolving risk landscape. This can include security analysts (in-house or contract) putting on their red team hats in order to stay plugged into the latest attack vectors and tools discussed on the dark web and fraud forums. Bug Bounties may also be a solution to identify control gaps or new ways to circumvent existing controls before the fraudsters can find and abuse them.

Remember, credential stuffing is cheap and easy, so it makes strong economic sense for fraudsters who pocket millions every year from the crime. Don’t make it easy for them!
