DNS Poisoning Getting Serious – Phishing from Open Recursive DNS Servers

December 17, 2007

[ad]

A new generation of phishing attacks is being studied jointly by Google and Georgia Institute of Technology, it seems the bad guys are getting some smarter ideas.

They are using Open Recursive DNS servers to poison DNS queries and return false information, thus luring consumers to even more realistic phishing domains.

Researchers at Google and the Georgia Institute of Technology are studying a virtually undetectable form of attack that quietly controls where victims go on the Internet.

The study, set to be published in February, takes a close look at “open recursive” DNS servers, which are used to tell computers how to find each other on the Internet by translating domain names like google.com into numerical Internet Protocol addresses. Criminals are using these servers in combination with new attack techniques to develop a new generation of phishing attacks.

The scary thing about this is, you could end up at Paypal.com or HSBC.com and the site could look exactly the same, but you could actually be connected to some Russian phishers web site…and you wouldn’t even know.

Unless of course you check the SSL certificate whilst using the https version, but come on – how many average Joes would do that?

The Georgia Tech and Google researchers estimate that as many as 0.4 percent, or 68,000, open-recursive DNS servers are behaving maliciously, returning false answers to DNS queries. They also estimate that another two percent of them provide questionable results. Collectively, these servers are beginning to form a “second secret authority” for DNS that is undermining the trustworthiness of the Internet, the researchers warned.

“This is a crime with few witnesses,” said David Dagon, a researcher at Georgia Tech who co-authored the paper. “These hosts are like carnival barkers. No matter what you ask them, they’ll happily direct you to the red light store, or to a Web server that does nothing more than spray your eyeballs with ads.”

Oh well, another scam to look out for and another threat to monitor. Something else for us to educate the masses about, and some more ammo for us to scare people with.

It’s not all bad – is it?

Source: PC World

Buffer

Comments

goodpeople says

December 17, 2007 at 10:44 am

I don’t agree with Darknet. This is _very_ bad. Actually I think this is scarier than “Microsoft Euro Disney McLand”.

Without DNS, there’s no Internet. If they manage to pollute DNS databases, and the article suggests that they already have, then I’m afraid that internetbanking will take a serious blow in popularity.

On the other hand it presents a nice technological challenge. What will we see next.. webservers that connect back to the clients?
Sir Henry says

December 17, 2007 at 10:48 am

Educating the average Joe on things like this is bound to get a blank/confused look in response. I agree, we have to get the word out there, but try explaining to you mom (who knows the internet as “clicking the blue e”) that she has to check SSL certs and what could happen is she doesn’t. To the layperson, if they see paypal or amazon, that is all they care about in the short term. What I would like to know is if there were some sort of DNS authentication probe out there that identified the good from the bad to assist all users.
mumble says

December 17, 2007 at 11:36 am

There are steps that can be taken on the DNS server to prevent this type of attack, but short of DNSSEC, I can’t think of a single one which wouldn’t allow a malicious person to stop all traffic from X company to http://www.y-company.com... It wouldn’t be too hard to build an IDS setup for this, but again – this wouldn’t solve the core problem.

For our clients – the best answer is to have them run their own recursive resolver using a known good copy of the root.hints file. Setting laptops to use a known-good or at least known-better recursive DNS and avoid the one given by DHCP might be good, but isn’t always possible – since some sites don’t allow DNS across the firewall – and that creates support problems. It’s possible to write a client program to handle this case, but it isn’t trivial.

From what I can see, the people most at risk are home users, who sure as heck aren’t running their own resolver (present company excepted).
Pedro Pinheiro says

December 17, 2007 at 2:06 pm

Barring being served by DHCP a malicious DNS server (which might be impossible to control when you’re out and about), what would be the overhead of DNS software admitting the authority of a certain IP for a query by polling more than one DNS upstream? This would require a greater percentage of servers to be compromised to affect the validity of the result.
Pantagruel says

December 17, 2007 at 3:34 pm

I agree with goodpeople, this is more than just bad, this goes to the root of the internet and is about as bad no more crude oil for our fossil fuel driven society.

Sir henry has a point, this goes way beyond what average Jane/Joe can grasp. It’s already hard enough to teach some people to find out why page A is a phishing attempt and page B isn’t, I do NOT want to start explaining why DNS poisoning is super bad.

Pedro Pinheiro gets an A+ for vision, this indeed could amount to a dDos like situation where one DNS server is questioning another about the validity of the resolved address, second one in return will elicit a response and question towards another, etc…

The big question is how can this be resolved and is there away to protect the DNS servers from future stuff like this. Eventhought the 0.4% doesn’t sound as much, it will get some people into trouble.
cpj says

December 17, 2007 at 3:44 pm

wouldn’t it help to have the DNS servers ask each other if they get the same result? ie, if 1 out of 250 servers are corrupted, then it’s unlikely that 2 servers will agree if 1 of them is giving the wrong directions. so each request would cost twice as much bandwidth, but … safer?

or is this difficult to implement?
mumble says

December 17, 2007 at 3:55 pm

The problem described in the article amounts to feeding clients the equivalent of a bad /etc/resolv.conf file. This can be avoided in an enterprise environment by blocking DNS on the firewall, and forcing clients inside to use the company’s recursive resolver. Running your own resolver also prevents a lot of other attacks, such as upstream cache poisoning – so it’s a good idea anyway.

The real Haich Eee Double hockeysticks is in the laptop world – where the darned things keep being moved around and attached to different networks. There’s nothing which will prevent malware from changing the DNS settings, and (as bad) there’s nothing preventing an evil-intentioned person from making the dns servers in the DHCP response do anything they want them to. Fixing the enterprise stuff as above will help by breaking DNS at work (turning it into a support call), but there’s no easy fix I can see.

At first glance, I must admit I confused this flaw with another, almost as pernicious one.
Sir Henry says

December 17, 2007 at 3:57 pm

@Pantagruel:

I know that I will never be alone in regard to how frustratingly difficult it will always be to explain to the Average Joe what problems there are and how it can affect them.

@cpj:

I see what you are saying with that. I just have to wonder if in the process of authenticating/identifying one another, that a poisoned list could somehow be shoved into the mix and thus propagate out amongst the rest. But, it is quite obvious that more discussions a
Sir Henry says

December 17, 2007 at 3:58 pm

and brainstorming should occur to try and resolve a problem of this sort.

(Yes, a continuance of my last comment since my son felt the need to hit “submit” for me.)
Nobody_Holme says

December 17, 2007 at 6:25 pm

Surely routing all DNS queries through 3 of the DNS servers would be enough… take the majority result, and the likelyhood of getting 2 that have been poisoned is low…
trying to figure out how to immunise my house from this…
Darknet says

December 17, 2007 at 6:44 pm

mumble you are almost there in my books, I just force laptops to use OpenDNS wherever they are…safer for me and less headache :)
Sir Henry says

December 17, 2007 at 7:04 pm

I am going to have to start doing that with my laptops. Thanks for the tip.
cpj says

December 17, 2007 at 9:56 pm

thanks for the OpenDNS tip.. however, i wonder how reliable that service is, too. ahem, someone should poke around and see how hard it is to poison them. you would think a service that prides itself on providing accurate information would be harder to break than, say, more public DNS servers. or perhaps i’m naive.
Sir Henry says

December 18, 2007 at 3:35 am

I have noticed a remarkable speed increase in resolution using OpenDNS. In addition to that, I told my wife about this issue (she is a little bit more than the average Joe in regard to technology so when I say DNS poison, she has a general idea) and her initial response was, “So, how the hell are they going to fix that?”. She wouldn’t even go to PayPal until I changed the DNS servers. I guess that is one way to educate people: scare the hell out of them.
mumble says

December 18, 2007 at 5:25 am

Well… I was researching this, and in the course of looking for viable defenses came up with a few theoretical DNS attacks on unsecured wifi networks. I’m getting a sinking feeling that this is going to be Big Trouble in Little China…. I’m taking a lab day Wednesday to see if I can find some reasonable way to defend against some of this.
mumble says

December 18, 2007 at 6:31 am

Damn. I was right. Everything old is new again….

Wireless LANs are effectively a single broadcast domain. This means that DNS-ID spoofing is back with a new twist — you can be up to a half-mile away and still pull it off. All you need to do is sniff packets and wait for a DNS request to go out. You forge a response with the same ID which points to another machine, and has a very short TTL. The machine loads the page, which drops a payload. The user sees a bad page load + hits reload. Another DNS response goes out, gets the correct info this time, and the page loads correctly. With all the browser vulnerabilities, this is just not funny.
goodpeople says

December 18, 2007 at 10:02 am

Scaring the hell out of people isn’t going to fix this. I’m afraid there is no easy fix for this one.

I think we (as being the industry) need to come up with an alternative to dns. Querying 3 or 4 dns servers and taking the best result seems like a temporary fix. Only a matter of time before enough servers are poinsoned.
Simson says

December 18, 2007 at 11:33 am

There is already an solution:
http://en.wikipedia.org/wiki/DNSSEC
goodpeople says

December 18, 2007 at 12:44 pm

Sorry Simson, but I fear that dnssec isn’t the solution. Not so difficult to implement for small resolvers that handle a few domains, but quite impossible to implement for larger nameservers..

I’m afraid we need something else.
Sir Henry says

December 18, 2007 at 3:23 pm

@goodpeople:

Although I was not implying a fix to the situation, one can agree that awareness, in any form, is one part of the equation. Apart from that, however, I would be most interested to find out your thoughts on a fix as you have most certainly identified those ideas which will not suffice.
Pantagruel says

December 18, 2007 at 9:47 pm

Awareness is the best way to get people into thinking about their protection.
The internet has taken a big flight over the past years, 10 years ago I had 14k4 dial-up which gradually evolved into 56k6, 8 years ago I was switched to ISDN dial-up (64k or 128 k bundled) and 6 years ago I switched to cable and 5 years ago I switched to ADSL. The latter has progressively getting faster for the same amount of money (20Mbit at this moment). This immense gain in bandwith has made the ‘always on’ user a consumer hungry for food to satisfy this bandwith (streaming movies, internet tv, vod,etc) without really thinking about the consequences.
The average user will most likely rely on the DNS his/her ISP provides and not think for a second about alternate DNS (the mentioned OpenDNS is a good thing). Depending on the ISP the DNS setup will be in better or worse shape, but this is a hard thing to judge. I for one can not judge if my ISP has/will have or will likely start having DNS poisoning problems in the future.
Sir Henry says

December 18, 2007 at 9:52 pm

Considering that my ISP is Comcast, I am all too happy to have switched to OpenDNS.
goodpeople says

December 18, 2007 at 10:07 pm

@sir henry,

Please don’t be offended by my comment. If you read some of my earlier comments on this site over the last few weeks, you’ll see that I think educating endusers is one of the, if not THE, most important thing in IT security

We don’t need to argue about that.

And the solution? The more I think of it, the more I reach the conclusion that there is no good answer for this one. No matter what technological tricks man comes up with, there is always someone smarter who comes up with a trick to circumvent it.
goodpeople says

December 18, 2007 at 10:14 pm

@Pantagruel,

to follow up on what you just wrote..

and does it really matter? For downloading music and movies or playing online games this is not really a threat. For online banking and other financial transactions it is, but (at least here in the netherlands) banks and other financial institutions also have other security mechanisms in place.
Sir Henry says

December 18, 2007 at 10:15 pm

@goodpeople:

No offense was taken, although I do appear to have misinterpreted your response. Such is a usual event when commenting in forums and tone cannot be ascertained. Please also do not misinterpret my response as one of terse nature. I find all discussions here as being highly collaborative and wanted to simply get your input on what you felt would be a viable alternative.

As one can see, I have found a community here where my interests align in harmony with those present. I value your input (as well as the other people who comment) and am glad that my tone was called into question.
Pantagruel says

December 19, 2007 at 12:18 am

@Goodpeople

For everyday use it poses no real thread, perhaps some minor problem but beyond the real dangers of DNS poisoning. No one gives anything for poisoned DNS as long as they can download their stuff.

I am familair with the dutch system (Rabobank etc), this two way identify system works quite well. But even you should know that ABN AMRO quite recently released a mailing to their clients warning about websites posing as ABN’s internet banking site. They quite rigorously renewed their website to up the score. If you where to combine a good copy-cat website along with DNS poisoning you might just be able to fool enough average internet consumers into entering their data and allow some one else to do some alternate transactions. This exactly why we are suffering from the clumsy “3x times knocking campaign” (www.3xkloppen.nl) sending some people on a wild goose chase.

Since more average users are using secured internet transactions for either banking or simple online shopping,the possible impact of poisoned DNS is big. Like mentioned before, unless you actually read the SSL certificate (I guess only the really paranoid do that) it will be even hard to detect a fraudulant SSL connection, you have just lost one of three checkpoints according to the campaign. Sadly the SSL connection and certificate are highly regarded upon so I think you actually lose more than just one check, since most people will simply not look beyond a fraude presenting itself through an SSL website.
We aress is we haven’t seen the end of this one.e getting into repetition here, but again, educations is the key.
My guess is we haven;t seen the last of this one.
Simson says

December 19, 2007 at 12:04 pm

@Pantagruel

You will get a SSL-warning-popup-window if you visit a DNS poisioned SSL site, as long as the fake cert is not signed by a authorized company, and its quite difficult to create a valid signed certificate if you dont work at the company being faked.
I only heard of one case where someone managed to create/obtain a valid fake cert.

@goodpeople
I dont think there will be any other solution than DNSSEC, however it will probably take another 3-5 years before “everyone” have installed DNSSEC. http://www.ccnso.icann.org/surveys/dnssec-survey-report-2007.pdf

If there existed another easy solution to this problem, we would already have had it by now.
Nobody_Holme says

December 19, 2007 at 3:37 pm

You could just spoof the real site’s authority…
also, i suggest everyone runs a traceroute on paypal… i dont use it, but i ran one for reference so i could test if my DNS had been caught by this, and somewhere near denver it bounced back on itself before readching paypal itself. slightly worrying that everything in the southern end of the states and all of south america goes through the area where it deviated for me. On the upside, i dont use any version of paypal personally.
Pantagruel says

December 19, 2007 at 4:12 pm

Thanks for the assistance Nobody_Holme (memo to self, get your math fixed ;) ). Indeed spoofing will make the scam complete.

A traceroute is a nice idea, but since the ’round robin’ way to reach the desired host the output will be hard to interpret.
Pedro Pinheiro says

December 19, 2007 at 6:13 pm

As they say in IT security, there’s not such thing as “safe”, things can only be made “safer” :-)

The only way to get better security from man-in-the-middle attacks is to have one time only disposable keys for every transaction, ie, when you order your bank to make a transfer, they’ll ask for key #1385 and they’ll never ask for it again… if the process of generating those keys is really random (and the order by which they are asked also) you’ll have an almost safe system. Assuming that the key-list hasn’t been intercepted, of course. This can also be done by some sort of algorithm, although it’s more expensive and exploitable.
goodpeople says

December 20, 2007 at 2:18 pm

@Pantagruel

I fear with you that we haven’t seen the last of this one. As for the Dutch banking systems, they are regarded as the safest in the world. So Dutch banks are willing to do whatever it takes to stay there.
goodpeople says

December 20, 2007 at 2:25 pm

@Simson,

Considering the fact that it took them .., what was it.. 8 years?, to develop DNSSEC, I think 3-5 is a little optimistic. But let’s hope that this discussion speeds things up a little.

Like I said before, dnssec isn’t so difficult to implement on small resolvers, but alot harder to implement on the larger ones.
eM3rC says

January 6, 2008 at 10:25 pm

The internet is becoming a very insecure and scary place =\
junheax says

March 13, 2008 at 11:17 pm

It’s a shame this discussion ended so suddenly… hopefully this will stir it a bit to see where it stands today…

Yes, this is something that needs a proactive messures. Education is key but so far it has failed (most ISP DNS are vulnerable to poisoning as the run old versions of BIND).

There are interim solutions until the Internet gets upgraded to DNSSEC such as running the lastest BIND version with anti-DNS forgery firewall rules or running OpenDNS that randomizes the ports to add a crypto security layer against forgery attacks.

The problem as i see it is that this vulnerability affects web clients the most but it is only visible and fixable in DNS servers. A possible conflict of interests arises between web clients and ISPs as to the priority of fixing these bugs (especially -as pointed before- considering that the classic ISP client knows so little).

So how to educate ISP clients (most home PC users) and tell them to tell their ISPs to keep their DNS software up to date? The answer to this has business and legal implications.

Not something to take lightly. It would be ideal for anyone involved in computer law to give his or her opinion.

cheers,
Andres
Pantagruel says

March 14, 2008 at 10:08 am

Interresting read on DNS poisoning and BIND9

http://www.securiteam.com/securitynews/5VP0L0UM0A.html

and somewhat dated regarding preventing DNS spoofing

http://www.faqs.org/ftp/internet-drafts/draft-hubert-dns-anti-spoofing-00.txt

@junheax

Basically even BIND9 appears to suffer from this, so the final solution has yet to be found (regarding BIND that is).

You are pointing into the right direction, but it’s little use trying to get internet users more aware of the way internet works. I for one have no need to explain my parent (typical mainstream internet users) the intricate details of package routing,DNS and such.
For them it just has to work, regardless of the mechanism behind it.

I for one think it’s an ISP task to keep their farm up to date and not for their clients to bother them about an out of date BIND version. They provide the gateway to the internet and should do their utmost to prevent this kind of stuff.
On the other side the users should be made aware of the ease with which data can be stolen or harvested from them and not depend blindly on their ISP keeping up the latest in security
Actually the browser provider (MS, Mozilla,Opera,etc) have the unique opportunity to enlighten their users by simply explaining at the first start up the advent of a) an up to date browser and b) secure DNS/etc (and not some dumb-ass dialog about what search engine to use)

# Download from GitHub Releases # https://github.com/n3rada/MSSQLand/releases # For operators compiling from source # Requires Visual Studio with .NET Framework 4.8 SDK git clone https://github.com/n3rada/MSSQLand.git cd MSSQLand # Open MSSQLand.sln in Visual Studio and build for x64 Release

MSSQLand.exe <host> [options] <action> [action-options] # Connection test only (no action executed) MSSQLand.exe localhost -c token # Execute specific action MSSQLand.exe localhost -c token info MSSQLand.exe localhost:1434@db03 -c token info # Linked server chain traversal # Format: server:port/user@database or any combination # Semicolon (;) separates servers, forward slash (/) specifies impersonation MSSQLand.exe localhost -c token -l SQL01;SQL02/admin;SQL03@clients info # Configuration Manager actions (cm- prefix) MSSQLand.exe sccm-db.corp -c token cm-devices MSSQLand.exe sccm-db.corp -c token cm-scripts # CSV output for automation MSSQLand.exe localhost -c token --format csv --silent procedures > procedures.csv

Stolen credentials are now the single most reliable entry point into enterprise networks. Compromised credentials accounted for 22% of all confirmed data breaches in the period covered by Verizon’s extended credential stuffing analysis accompanying the 2025 DBIR, making it the most common initial access vector for the third consecutive year. Credential stuffing, the automated replay of stolen username-password pairs at scale, requires minimal skill, costs almost nothing to run, and succeeds at rates that make it economically rational to run campaigns against thousands of targets simultaneously. Multi-factor authentication (MFA) remains the single most effective control against it, yet deployment gaps persist across sectors that should know better.

The Credential Supply Chain

Credential stuffing depends on a supply chain that runs from infostealer malware through dark web markets to attack tooling. Malware families, including Lumma, RedLine, StealC, and Acreed, scrape browser password vaults, saved cookies, and autofill data from compromised machines. The harvested data is identical to what tools like DumpBrowserSecrets extract during post-exploitation: saved passwords, session cookies, OAuth refresh tokens, and autofill entries pulled directly from Chrome, Edge, Firefox, and every other major browser. Attackers package that raw material into structured files known as combolists, formatted as email: password pairs, cleaned of duplicates, and categorised by service type or geography before selling them on.

Combolists trade freely across dark web forums, Telegram channels, and dedicated cracking communities. The initial access broker ecosystem documented throughout 2025 has normalised validated credentials as a commodity. Fresh lists built from recent infostealer logs command significantly higher prices than aged database dumps because they have higher validity rates. The Verizon analysis found that only 49% of a user’s passwords across different services are distinct. That figure is what makes credential stuffing economically viable: breach one service, and there is roughly a 50% chance the same password works elsewhere. Across millions of accounts, that probability becomes near-certainty.

The tooling that drives attacks is openly available. OpenBullet and its successor, SilverBullet, are credential-stuffing frameworks originally released as penetration testing utilities, now standard tools in account-takeover (ATO) operations. They automate the full attack loop: loading combolists, rotating through residential proxies to dodge rate limiting and IP blocks, sending login requests that mimic legitimate browser behaviour, and logging successful hits. Attackers also buy and sell custom configuration files, known as configs, that define the authentication flow for specific target services. Unofficial marketplaces offer configs for specific banking portals, SaaS platforms, and enterprise single sign-on (SSO) providers alongside combolists and proxy subscriptions.

Three Case Studies from 2025

In late March 2025, coordinated credential stuffing attacks hit five major Australian superannuation funds simultaneously: AustralianSuper, Rest Super, Hostplus, Australian Retirement Trust, and Insignia Financial. As BleepingComputer reported on the coordinated attacks, attackers compromised over 20,000 accounts across the five funds, with four AustralianSuper members losing a combined AUD 500,000. The attackers used combolists from prior unrelated breaches. AustralianSuper offered MFA but did not enforce it at login, a gap that regulators identified as the primary enabling factor. Retirement funds make attractive targets because account balances are high, withdrawals are slow to reverse, and many members check their accounts infrequently.

In April 2025, VF Corporation notified customers of a credential-stuffing attack against the North Face online store. BleepingComputer’s coverage of the April incident confirmed that attackers used credentials from earlier unrelated breaches to access accounts and exfiltrate names, email addresses, shipping addresses, phone numbers, purchase history, and dates of birth. Payment card data was not exposed, as a third-party provider handles payment processing. The April attack followed a March incident that exposed 15,700 accounts across The North Face and Timberland. It was the fourth credential stuffing incident against VF Corporation brands since 2020. The pattern reflects a structural problem: tens of millions of customer accounts, high password reuse rates, and authentication systems not designed to detect low-and-slow validation campaigns.

The Change Healthcare breach in February 2024 remains the most consequential recent example of credential-based initial access. The ALPHV/BlackCat ransomware group entered UnitedHealth’s Change Healthcare subsidiary through compromised Citrix credentials on a remote-access portal without MFA, as confirmed in Congressional testimony from UnitedHealth’s CEO. The attackers moved laterally through the billing network and deployed ransomware that shut down payment processing for healthcare providers across the United States for weeks. The incident produced a $22 million ransom payment and an estimated $872 million in reported disruption costs in the first quarter alone. One set of valid credentials on one unprotected endpoint caused one of the largest healthcare-sector disruptions in US history.

Detection and Evasion Techniques

Modern credential stuffing campaigns specifically target the detection mechanisms most organisations have deployed. Attackers bypass velocity-based controls that flag high volumes of failed login attempts from a single IP by rotating through residential proxies. They distribute attempts across thousands of IP addresses so each one generates only a handful of requests, staying below alert thresholds. Third-party CAPTCHA-solving services handle challenge pages, some of which are automated via machine learning and others through human labour farms. Tools that emulate legitimate browser environments, including correct JavaScript execution, realistic mouse movement patterns, and authentic request timing, defeat browser fingerprinting.

The MITRE ATT&CK framework categorises credential stuffing under T1110.004 (Brute Force: Credential Stuffing). Defenders should monitor for several specific signals: unusual geographic distributions of authentication requests, spikes in failed logins spread across a wide IP range rather than concentrated at a single source, and successful logins from IP addresses tied to residential proxy services. Account logins from devices or browsers with no prior history on the account also warrant investigation. The Verizon analysis found that credential stuffing accounted for a median of 19% of all authentication attempts across SSO providers, meaning roughly one in five login attempts was not legitimate.

One underappreciated detection gap is the window between credential exposure and organisational awareness. Dark web monitoring tools available to enterprise teams in 2025 make it operationally achievable to track stealer log markets and paste sites for corporate email domains. Many organisations still treat that monitoring as optional rather than a core detection layer. Credentials circulate in combolists for months before the affected organisation becomes aware, and attackers exploit that window systematically.

Regulatory Response

The 23andMe case produced the most visible regulatory outcome tied directly to credential stuffing. A 2023 attack using combolists accessed approximately 6.9 million customer records. The UK Information Commissioner’s Office fined the company £2.31 million for failing to implement adequate security, specifically the absence of mandatory MFA for accounts holding sensitive genetic data. In March 2025, as Wired reported in its coverage of the 23andMe bankruptcy, the company filed for Chapter 11, with the credential stuffing incident and its downstream legal consequences cited as contributing factors. Regulators in the UK and EU now reference the case as evidence that weak authentication controls constitute a material governance failure, not a technical oversight.

CISA’s 2024 guidance on phishing-resistant MFA explicitly identifies credential stuffing as a primary threat driver. It recommends hardware security keys and passkeys using the WebAuthn standard as the only controls that fully eliminate the credential reuse vector. SMS one-time passwords and Time-based One-Time Password (TOTP) codes provide partial protection but remain vulnerable to adversary-in-the-middle (AiTM) interception, a technique increasingly applied against accounts whose value justifies the extra effort.

CISO Playbook

Phishing-resistant MFA enforced across all externally facing authentication endpoints, including VPN portals, SSO providers, and remote desktop services, eliminates the primary path for exploitation. Password screening against known-breach corpora at login and account creation, using services such as the Have I Been Pwned API, removes credentials already circulating in combolists before attackers can validate them. Rate limiting and progressive account lockout on all authentication endpoints, including API login flows that teams frequently overlook, cuts the volume of attempts that reach the validation stage.

Bot detection that analyses behavioural signals, including request timing, device fingerprint consistency, and session cookie behaviour, provides a second line of defence against campaigns that have already bypassed IP-based controls. For organisations on legacy identity infrastructure, a full platform replacement is not the immediate priority. Enforcing MFA on the externally facing authentication layer, regardless of what sits behind it, addresses the highest-risk exposure first. The Change Healthcare incident is the clearest available proof of what one unprotected endpoint costs at scale.

There is no technical solution that eliminates credential stuffing entirely. Password reuse persists, infostealers continue operating at scale, and combolists will keep growing. The practical objective for defenders is to raise the cost of a successful attack on their specific environment above what attackers can profitably tolerate, and to detect the attempts that do succeed before they compound into something worse. Given that 22% of breaches in 2025 started with a valid credential, organisations that treat authentication hygiene as routine maintenance rather than a strategic priority are already in the breach statistics.

Frequently Asked Questions

What is credential stuffing, and how does it differ from brute force?

Credential stuffing uses real username-password pairs stolen from previous breaches and automatically replays them against other services. Brute force generates password guesses from scratch. Stuffing is faster, quieter, and far more effective because it exploits password reuse rather than attempting to crack unknown passwords. A combolist of 10 million verified credentials will outperform any brute-force dictionary attack against the same target.

What is a combolist, and where do attackers get them?

A combolist is a structured file of email-and-password pairs compiled from data breaches, infostealer malware logs, and dark web markets. Attackers source them from initial access broker forums, Telegram channels, and dedicated credential marketplaces. Fresh lists derived from recent infostealer campaigns are the most valuable because their owners have not yet rotated the credentials.

How do attackers bypass rate limiting and CAPTCHA during credential stuffing?

Attackers use residential proxy networks to distribute login attempts across thousands of IP addresses, keeping per-IP request volumes below detection thresholds. CAPTCHA challenges are handled by third-party solving services, either via automated machine-learning methods or by human labour farms. Tools such as OpenBullet and SilverBullet emulate realistic browser behaviour, including JavaScript execution and mouse-movement patterns, to evade browser fingerprinting controls.

Does multi-factor authentication stop credential stuffing?

Phishing-resistant MFA using hardware security keys or passkeys under the WebAuthn standard fully eliminates the credential reuse vector. SMS one-time passwords and TOTP codes reduce exposure but remain vulnerable to adversary-in-the-middle interception. The Change Healthcare breach, which resulted in $872 million in disruption costs, occurred on a Citrix portal with no MFA. Enforcing MFA on every externally facing authentication endpoint is the single highest-impact control available.

What are the most common targets for credential stuffing attacks?

Enterprise SSO portals, VPN gateways, e-commerce account login pages, financial services platforms, and healthcare provider systems are the most frequently targeted. Retirement and superannuation funds have emerged as high-value targets in 2025 because account balances are large, members check accounts infrequently, and MFA enforcement has historically been optional rather than mandatory.

How can organisations detect credential stuffing attacks in progress?

Key signals include spikes in authentication requests distributed across a wide IP range rather than concentrated at a single source, successful logins from residential proxy IP addresses, account access from devices or browsers with no prior history, and unusual geographic distributions in login activity. Continuous monitoring of dark web stealer log markets for corporate email domains provides early warning before credentials are actively exploited. The Verizon 2025 DBIR found that credential stuffing accounts for a median of 19% of all SSO authentication attempts, so baseline volume analysis is also a viable detection layer.

This article covers techniques used by both attackers and defenders for educational and research purposes. The tools and marketplaces described are documented by security researchers and law enforcement agencies.

Usage: DumpBrowserSecrets.exe [options] Options: /b:<browser> Target Browser: chrome, edge, brave, opera, operagx, vivaldi, firefox, all (default: system default browser) /o <file> Output JSON File (default: <browser>Data.json) /all Export All Entries (default: max 16 per category) /? Show This Help Message Examples: DumpBrowserSecrets.exe Extract 16 Entries From The Default Browser DumpBrowserSecrets.exe /b:chrome Extract 16 Entries From Chrome DumpBrowserSecrets.exe /b:firefox /all Export All Entries From Firefox DumpBrowserSecrets.exe /b:brave /o Output.json Extract 16 Entries From Brave To Output.json DumpBrowserSecrets.exe /b:all /all Extract All From All Installed Browsers

name: Heisenberg Health Check on: pull_request: paths: - "**/poetry.lock" - "**/uv.lock" - "**/package-lock.json" - "**/yarn.lock" - "**/requirements.txt" - "**/go.mod" permissions: contents: read pull-requests: write issues: write jobs: deps-health: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Detect changed manifest id: detect run: | git fetch origin ${{ github.base_ref }} --depth=1 LOCK_PATH=$(git diff --name-only origin/${{ github.base_ref }} | \ grep -E 'poetry.lock$|uv.lock$|package-lock.json$|yarn.lock$|requirements.txt$|go.mod$' | head -n1 || true) echo "lock_path=$LOCK_PATH" >> $GITHUB_OUTPUT - name: Heisenberg Dependency Health Check uses: AppOmni-Labs/heisenberg-ssc-gha@v1 with: package_file: ${{ steps.detect.outputs.lock_path }}

DNS Poisoning Getting Serious – Phishing from Open Recursive DNS Servers

Related Posts:

Most Viewed Posts

Search

Recent Posts

Related Posts:

Reader Interactions

Comments

Footer

Most Viewed Posts

Search

Recent Posts

Tags