Adam Cassar

Co-Founder


In recent months, credential stuffing attacks have hit a number of Australian businesses, leading to compromised accounts, fraudulent purchases, and customer complaints. The pattern is a reminder that account protection cannot stop at password policy or MFA alone.

A Case Study in Credential Stuffing

Security researcher Jacob Larsen has documented a credential stuffing operation targeting Australian businesses. Larsen's research, detailed in his blog post, describes the activity of a threat actor known as "Crabby," who has sold compromised Australian accounts since July 2023.

Larsen's findings show:

  • The operation began with a threat actor called "Based" selling compromised accounts via Discord and dedicated websites.
  • In November 2023, the operation was acquired by "Juicy," a notorious account vendor, and rebranded as "Crabby."
  • As of May 2024, over 19,000 compromised accounts from various Australian brands were offered for sale.
  • Low-level fraudsters purchasing these accounts have used them to make unauthorised purchases, often targeting high-value items for resale.

The Crabby operation shows how credential stuffing has moved beyond isolated login attempts. It now includes account marketplaces, low-level fraud buyers, and the challenges businesses face once compromised accounts are monetised.

The Difficulty of Defence

Credential stuffing defence is harder when attacks are spread across residential proxies and kept to single attempts per account.

Residential Proxies: The Invisible Threat

Residential proxies weaken traditional IP-based controls. These proxies use IP addresses assigned to real residential internet connections, so malicious traffic can look like normal customer traffic. That helps attackers bypass simple rate limiting and geolocation checks.

That distribution makes login traffic harder to classify. Signals such as a high volume of attempts from one IP address become less useful when attackers can spread requests across a pool of residential IPs.

Single-Hit Attacks: Precision Strikes

Single-hit attacks are another way attackers avoid noisy patterns. In this approach, each stolen credential is used only once per target site, reducing the chance of detection by traditional rate-limiting or anomaly detection systems.

By limiting each credential to one attempt, attackers avoid controls tuned to repeated login failures. A business can have rate limiting in place and still miss credential stuffing that never crosses those thresholds.

The Mobile API Conundrum

As mobile applications become a primary user interface, credential stuffing also moves into mobile API traffic. Traditional bot protection often relies on JavaScript challenges or browser fingerprinting, which does not apply cleanly to attacks against mobile APIs.

Mobile applications typically communicate with backend services via APIs, bypassing the browser environment where many bot detection techniques run. This creates several challenges:

  1. Lack of JavaScript Execution: Mobile API clients do not run JavaScript, so challenge-based bot detection that depends on a browser runtime cannot be applied to this traffic.

  2. Limited Fingerprinting Capabilities: Standardised mobile API requests make it difficult to distinguish between legitimate user activity and automated attacks based on request characteristics.

  3. Increased Attack Surface: More mobile apps means more potential entry points for attackers, making comprehensive protection more complex.

  4. Authentication Simplification: To improve user experience, mobile apps often use simplified authentication flows, which can create weaker controls against automation.

This gap needs API-centred controls that can assess mobile login behaviour without relying on browser-only signals.

Framing Credential Stuffing as a Business Risk

Credential stuffing should be treated as a business risk, not just an authentication issue. The impact can include refunds, chargebacks, customer support load, reputational damage, and regulatory disclosure work.

Risk Quantification and Disclosure

Risk quantification gives security teams a way to explain credential stuffing in business terms. By applying frameworks like FAIR (Factor Analysis of Information Risk), businesses can:

  1. Quantify the potential financial impact of credential stuffing attacks.
  2. Prioritise security investments based on risk reduction potential.
  3. Communicate the importance of cybersecurity measures to non-technical stakeholders.

CPS 234 in Australia adds a disclosure dimension for regulated entities. Businesses need to protect against credential stuffing and be able to explain their exposure, controls, and mitigation strategy.

The State of Credential Stuffing Defence in Australia

Our recent survey of Australian businesses shows uneven adoption of credential stuffing defences:

  • While 77% of respondents use Multi-Factor Authentication (MFA), only 40% have implemented bot protection measures.
  • 15% of companies chose not to respond to questions about their security measures, suggesting potential gaps in protection.
  • Just 29% of businesses check credentials against known breaches, leaving a large window of opportunity for attackers using stolen credentials.
  • Only 15% of organisations use residential proxy detection, a critical component in identifying and mitigating modern credential stuffing attacks.

These results suggest a gap between how credential stuffing is run now and the controls many Australian businesses have in place.

Recommendations for Enhanced Protection

Based on our analysis and survey results, businesses should review the following controls:

  1. Implement Advanced Bot Protection: Deploy controls that detect and mitigate bot attacks, including attacks using residential proxies.

  2. Enhance Mobile API Security: Use mobile API controls that focus on anomaly detection and behavioural analysis rather than browser-based techniques.

  3. Adopt Risk-Based Authentication: Implement dynamic authentication mechanisms that adjust based on the assessed risk of each session or transaction.

  4. Utilise Breached Credential Databases: Check user credentials against known breach databases and enforce password changes for compromised accounts.

  5. Implement Residential Proxy Detection: Use technology that identifies and mitigates traffic from residential proxy networks. This is a key control for modern credential stuffing attacks.

  6. Apply Advanced Rate Limiting: Utilise device fingerprinting and other identifiers beyond IP addresses to implement more effective rate limiting, particularly for single-hit attacks.

  7. Employ Contextual Security: Use signals such as user behaviour patterns, device characteristics, and historical usage to identify anomalies that may indicate credential stuffing attempts.

  8. Quantify and Communicate Risk: Use frameworks like FAIR to quantify the potential impact of credential stuffing attacks and communicate this risk to stakeholders.

  9. Implement Continuous Monitoring: Deploy real-time monitoring that detects patterns indicative of credential stuffing attacks, and update defences as attack methods change.
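To make the single-hit problem described earlier and recommendation 6 concrete, the following added example (written for this article, not code from the author or any product) runs three detection rules over a constructed batch of login events. The per-IP and per-account counters never trip, because each residential proxy IP and each credential is used once; keying on a device fingerprint (the field name `fp` and the thresholds are assumptions) exposes the one client that tried many distinct usernames, and the accounts it logged into successfully are listed for a forced reset.

```python
from collections import defaultdict

# Constructed sample login events (not real data). Attacker traffic arrives
# through a residential proxy pool (every IP used once) and tries each stolen
# credential only once (single-hit), but shares one device fingerprint "fp-bot".
EVENTS = [
    {"ip": "203.0.113.10", "user": "alice", "fp": "fp-alice", "ok": True},
    {"ip": "203.0.113.11", "user": "bob",   "fp": "fp-bob",   "ok": False},
    {"ip": "203.0.113.11", "user": "bob",   "fp": "fp-bob",   "ok": True},
    {"ip": "198.51.100.1", "user": "carol", "fp": "fp-bot",   "ok": False},
    {"ip": "198.51.100.2", "user": "dave",  "fp": "fp-bot",   "ok": True},
    {"ip": "198.51.100.3", "user": "erin",  "fp": "fp-bot",   "ok": False},
    {"ip": "198.51.100.4", "user": "frank", "fp": "fp-bot",   "ok": False},
    {"ip": "198.51.100.5", "user": "grace", "fp": "fp-bot",   "ok": True},
]

IP_FAIL_LIMIT = 5    # classic per-IP rate limit (assumed threshold)
USER_FAIL_LIMIT = 5  # classic per-account lockout (assumed threshold)
FP_USERS_LIMIT = 3   # distinct usernames one fingerprint may try (assumed)

def ip_rate_limited(events, limit=IP_FAIL_LIMIT):
    """IPs a per-IP failure counter would block: none for single-use proxies."""
    fails = defaultdict(int)
    for ev in events:
        if not ev["ok"]:
            fails[ev["ip"]] += 1
    return {ip for ip, n in fails.items() if n >= limit}

def accounts_locked(events, limit=USER_FAIL_LIMIT):
    """Accounts a per-account lockout would catch: none for single-hit."""
    fails = defaultdict(int)
    for ev in events:
        if not ev["ok"]:
            fails[ev["user"]] += 1
    return {u for u, n in fails.items() if n >= limit}

def fingerprints_flagged(events, limit=FP_USERS_LIMIT):
    """Device fingerprints that attempted too many distinct usernames."""
    users = defaultdict(set)
    for ev in events:
        users[ev["fp"]].add(ev["user"])
    return {fp for fp, u in users.items() if len(u) >= limit}

def accounts_to_reset(events):
    """Accounts that logged in successfully from a flagged fingerprint."""
    bad = fingerprints_flagged(events)
    return {ev["user"] for ev in events if ev["ok"] and ev["fp"] in bad}

if __name__ == "__main__":
    print("per-IP blocks:", ip_rate_limited(EVENTS))              # set()
    print("account lockouts:", accounts_locked(EVENTS))            # set()
    print("flagged fingerprints:", fingerprints_flagged(EVENTS))   # {'fp-bot'}
    print("force reset:", accounts_to_reset(EVENTS))               # {'dave', 'grace'}
```

In production the fingerprint key would be whatever stable device or client identifier the platform collects, and the distinct-username threshold should be tuned per login endpoint and time window.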

These controls address the specific problems created by residential proxies, single-hit attempts, mobile API traffic, and weak credential hygiene. They also reflect the limits of IP-only rate limiting and browser-only bot detection.

Credential stuffing defence works best as a layered programme: bot detection, residential proxy detection, breached credential checks, mobile API coverage, and risk reporting. The practical goal is to stop account takeover attempts earlier, reduce fraud exposure, and give security teams evidence they can act on.