
Latest news with #TheInvisibleBreach

Paradigm Shift In Credential Stuffing Attacks: Radware Report

Channel Post MEA

6 days ago


Radware has released a new research report—The Invisible Breach: Business Logic Manipulation and API Exploitation in Credential Stuffing Attacks. The report reveals a paradigm shift in credential stuffing attacks. It underscores a fundamental transformation from volume-based attacks leveraging a series of repeated password attempts to sophisticated, multi-stage infiltration techniques.

'To bypass traditional defenses, modern credential stuffing attacks are shifting away from traditional password-spraying techniques in favor of business logic manipulation, cross-platform device spoofing, and strategic API exploitation,' said Arik Atar, senior cyber threat intelligence researcher at Radware. 'The message for defending organizations is clear. To match this new reality, they must move beyond credential-centric controls to adopt security strategies that validate entire user journeys, correlate cross-request behavior, and detect suspicious patterns in business logic flows.'

Radware's research examined 100 advanced credential stuffing configurations deployed through a well-known account takeover tool called SilverBullet.

Advanced attack methodologies

  • Business logic attacks: 94% of configurations implement four or more business logic attack elements, with 54% demonstrating advanced orchestration, using 13+ distinct techniques.
  • API exploitation: 83% of configurations contain explicit API-targeting techniques.
  • Multi-device spoofing: 24% of attack scripts alternate between two device types during execution, with 71% employing cross-platform transitions, primarily between iOS and Windows.

Primary targets

  • Industries: Technology/SaaS emerged as the primary target sector (27%), followed by financial services/government (16%), and the travel/airline (13%) sectors.
  • Online tools: There is a significant shift toward high-value AI tools (44% of all technology targets), potentially exploited by spammers who engage in account cracking to create large-scale phishing content. In addition, corporate tools (30%), including Microsoft 365, OneDrive, and Outlook, are likely targets for ransomware groups pursuing initial access to organizational systems.

Centralized threat landscape

  • Concentration: 51% of the analyzed configurations, randomly collected over six months, were written by just three advanced threat actors: SVBCONFIGSMAKER, and @Magic_Ckg.
  • Specialization: Each threat actor had over two years of operational experience in distinct areas of specialization, including AI platform authentication bypass, mobile API exploitation, and Microsoft cloud services.
