Credential stuffing attacks are becoming increasingly pervasive across multiple industries, especially media, according to Patrick Sullivan, Akamai director of security technology and strategy.
“Unlike many other attacks that we focus on in information security,” credential abuse attacks “can be successful even if the website runs perfect code with zero defects or vulnerabilities,” he said May 30 during a webinar called “Credential Stuffing: Attacks and Economies.”
“These attacks are fueled by poor password hygiene of the users of an application or site,” he told listeners, noting that what typically happens is “adversaries basically comb through the list of stolen credentials from breaches” of Web sites. After all, “there seems to be a never-ending flow of these breaches,” he noted, pointing out that passwords have often been “stored with weak protections or no protections at all.”
And “that forms the fuel for adversaries to pretty simply just deploy massive-scale bots that go around attempting to see if these large databases of credentials can be reused from site A to site B to site C to successfully guess valid credentials from the site,” he explained. That’s the “credential stuffing phase of that attack, and then there’s a monetization phase that follows,” which varies based on the type of industry the target of an attack is in, he said.
During 2018, Akamai saw about 30 billion credential stuffing attacks occur across all industries, he told listeners, adding that this is a trend that’s been growing year-over-year for at least seven years. But, “every year, the complexity and volume seems to pick up,” he said, adding: “We haven’t seen much of a slowdown over that time.”
Media companies are among the most common victims of these attacks, he noted. One reason for the popularity of media companies may be that it’s “less expensive” for attackers to target them than other types of organizations, such as those within the financial services sector, for example, he said, pointing to the fact that most banks today “have some anti-automation protection against account takeover, so it’s becoming more expensive for an attacker to target that industry” than media. At the same time, a lot of money can be made from selling subscriber details from streaming services such as Netflix, he noted.
The source of the data used by Akamai during the webinar was its Intelligent Platform, which “has a unique vantage point on the Internet of sitting in front of login for the majority of the top media sites,” as well as sites of companies in other industries, so it can see these attacks “as they unfold,” he said. And Akamai has “a variety of detection mechanisms to figure out if the other end of that connection that we see visiting a Web site and a login in particular is driven by a human being or whether it’s being driven by a bit of automation,” he said.
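As an added illustration (not Akamai's detection logic and not code from the article), here is one simple login-log heuristic for separating a replayed breach list from a human mistyping their own password: many distinct usernames from one source in a short window with a low success rate. The log format, IP addresses, accounts and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not real traffic): "timestamp source_ip username result"
SAMPLE_LOG = """\
2019-05-30T10:00:01 203.0.113.7 alice FAIL
2019-05-30T10:00:02 203.0.113.7 bob FAIL
2019-05-30T10:00:02 203.0.113.7 carol FAIL
2019-05-30T10:00:03 203.0.113.7 dave OK
2019-05-30T10:00:04 203.0.113.7 erin FAIL
2019-05-30T10:00:05 203.0.113.7 frank FAIL
2019-05-30T10:00:10 198.51.100.4 alice FAIL
2019-05-30T10:00:25 198.51.100.4 alice OK
2019-05-30T10:01:00 192.0.2.9 bob OK
"""
EPOCH = datetime(1970, 1, 1)

def parse_log(text):
    """Parse one event per line into (timestamp, ip, username, succeeded)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def flag_stuffing_sources(events, window=timedelta(minutes=5),
                          min_distinct_users=5, max_success_rate=0.25):
    """Flag sources that try many *different* usernames in one window and mostly
    fail: a replayed breach list, not one user mistyping their own password.
    Thresholds are assumed values for illustration, not Akamai's logic."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "hits": []})
    for ts, ip, user, ok in events:
        bucket = (ts - EPOCH) // window          # fixed-size time bucket index
        s = stats[(ip, bucket)]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["hits"].append(user)               # reused credential confirmed valid
    findings = []
    for (ip, bucket), s in sorted(stats.items()):
        rate = len(s["hits"]) / s["attempts"]
        if len(s["users"]) >= min_distinct_users and rate <= max_success_rate:
            findings.append({"ip": ip, "window_start": EPOCH + bucket * window,
                             "attempts": s["attempts"],
                             "distinct_users": len(s["users"]),
                             "hit_accounts": sorted(s["hits"])})  # accounts to reset/notify
    return findings
```

The `hit_accounts` list is the defender's priority: those are the credentials the attacker has just confirmed as reusable, so they need a reset or step-up authentication before the monetization phase.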
The webinar followed Akamai’s release of the report “Internet-Security: Credential Stuffing: Attacks and Economies” at the NAB Show in April. The report detailed wide-ranging credential abuse against online video and music streaming services, tracing the stuffing attacks and related activity back to credentials stolen in data breaches.
A central finding in the report was that three of the largest credential stuffing attacks against streaming services in 2018 (ranging in size from 133 million to 200 million attempts) took place shortly after reported data breaches, an indication that hackers were testing stolen credentials before selling them.