63 billion credential stuffing attacks hit retail, hospitality, travel industries

Akamai published a report detailing criminal activity targeting the retail, travel, and hospitality industries with attacks of all types and sizes between July 2018 and June 2020. The report also includes numerous examples of criminal ads from the darknet illustrating how they cash in on the results from successful attacks and the corresponding data theft.


“Criminals are not picky — anything that can be accessed can be used in some way,” said Steve Ragan, Akamai security researcher and author of the State of the Internet / Security report.

“This is why credential stuffing has become so popular over the past few years. These days, retail and loyalty profiles contain a smorgasbord of personal information, and in some cases financial information too. All of this data can be collected, sold, and traded or even compiled for extensive profiles that can later be used for crimes such as identity theft.”

Recirculating old credential lists to identify new vulnerable accounts

During the COVID-19 pandemic-related lockdowns in Q1 2020, criminals took advantage of the worldwide situation and circulated password combination lists, targeting each of the commerce industries featured in the report.

It was during this time that criminals started recirculating old credential lists in an effort to identify new vulnerable accounts, leading to a significant uptick in criminal inventory and sales related to loyalty programs.

Between July 2018 and June 2020, more than 100 billion credential stuffing attacks were observed in total. In the commerce category – comprising the retail, travel, and hospitality industries – there were 63,828,642,449 recorded. More than 90% of the attacks in the commerce category targeted the retail industry.

Credential stuffing isn’t the only way that criminals target the retail, travel, and hospitality industries. They target organizations in these industries at the source using SQL Injection (SQLi) and Local File Inclusion (LFI) attacks.

Between July 2018 and June 2020, 4,375,711,860 web attacks against retail, travel, and hospitality were observed, accounting for 41% of the overall attack volume across all industries. Within this data set, 83% of those web attacks targeted the retail sector alone.

SQLi attacks are an evident favorite among criminals, accounting for just under 79% of the total web application attacks against retail, travel, and hospitality.


The holiday shopping season altered by the pandemic

As the global economy prepares for a holiday shopping season, it does so in an environment that has changed radically due to the pandemic. Consumers will not be standing outside of brick and mortar stores waiting for the latest deals in the same way they have in the past. They’re going to log-in, collect their reward points, and maybe use loyalty programs to gain some discounts or other perks just for being a member.

Considering everything that goes into a successful loyalty program, and the information people need to provide in order to take part, the criminals have everything they need to get started in a number of crime-related ventures, from account takeovers, to straight-up identity theft. So, while an individual’s loyalty to a merchant, airline, or hotel chain might not literally be for sale, there’s a good chance the account associated with such programs might be.

“All businesses need to adapt to external events, whether it’s a pandemic, a competitor, or an active and intelligent attacker,” Ragan concluded.

“Some of the top loyalty programs targeted require nothing more than a mobile number and a numeric password, while others rely on easily obtained information as a means of authentication. There is an urgent need for better identity controls and countermeasures to prevent attacks against APIs and server resources.”

High volumes of attacks keep targeting video game companies and players

High volumes of attacks were used to target video game companies and players between 2018 and 2020, an Akamai report reveals.


It also notes an uptick in attack traffic that correlates with COVID-19-related lockdowns. In addition, the report examines motivations driving the attacks and steps gamers can take to help protect their personal information, accounts, and in-game assets.

“The fine line between virtual fighting and real world attacks is gone,” said Steve Ragan, Akamai security researcher.

“Criminals are launching relentless waves of attacks against games and players alike in order to compromise accounts, steal and profit from personal information and in-game assets, and gain competitive advantages.

“It’s vital that gamers, game publishers, and game services work in concert to combat these malicious activities through a combination of technology, vigilance, and good security hygiene.”

Game players subjected to a steady barrage of criminal activity

The report stresses that game players themselves are subjected to a steady barrage of criminal activity, largely through credential stuffing and phishing attacks. More than 100 billion credential stuffing attacks were observed from July 2018 to June 2020. Nearly 10 billion of those attacks targeted the gaming sector.

To execute this type of attack, criminals attempt to access games and gaming services using lists of username and password combinations that are typically available for purchase via nefarious websites and services. Each successful login indicates a gamer’s account has been compromised.
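The pattern just described (one attempt per account from a purchased list, mostly failures, the occasional hit meaning a compromised account) is what a defender looks for in login telemetry. The following detector is an added example, not code from Akamai or the report: the log lines are constructed, the thresholds are assumptions to be tuned per service, and the `api_targeted` flag records whether the run went at an API endpoint, the shift the financial services section later describes.

```python
"""Heuristic credential-stuffing detector over authentication logs.
Added example, not from the Akamai report: SAMPLE_LOG is constructed and
the thresholds are assumptions a defender would tune per service.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed lines: "<timestamp> <source_ip> <endpoint> <username> <result>"
# 203.0.113.7 sprays one attempt per account from a credential list (one hits);
# 198.51.100.5 is a single user retrying their own password.
SAMPLE_LOG = """\
2020-03-20T10:00:01 203.0.113.7 /api/v1/login alice FAIL
2020-03-20T10:00:02 203.0.113.7 /api/v1/login bob FAIL
2020-03-20T10:00:02 203.0.113.7 /api/v1/login carol FAIL
2020-03-20T10:00:03 203.0.113.7 /api/v1/login dave FAIL
2020-03-20T10:00:03 203.0.113.7 /api/v1/login erin OK
2020-03-20T10:00:04 203.0.113.7 /api/v1/login frank FAIL
2020-03-20T10:00:05 203.0.113.7 /api/v1/login grace FAIL
2020-03-20T10:00:06 203.0.113.7 /api/v1/login heidi FAIL
2020-03-20T10:01:00 198.51.100.5 /login alice FAIL
2020-03-20T10:01:30 198.51.100.5 /login alice FAIL
2020-03-20T10:02:00 198.51.100.5 /login alice OK
"""

MIN_ATTEMPTS = 5         # assumption: below this there is too little signal
MIN_DISTINCT_USERS = 5   # assumption: stuffing sprays many accounts, ~1 try each
MAX_SUCCESS_RATE = 0.25  # assumption: leaked lists are mostly dead credentials


def parse_log(text: str) -> List[dict]:
    """Parse the constructed log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, ip, endpoint, user, result = parts
        events.append({"ts": ts, "ip": ip, "endpoint": endpoint,
                       "user": user, "ok": result == "OK"})
    return events


def flag_stuffing_sources(events: List[dict]) -> Dict[str, dict]:
    """Group attempts by source IP and flag sources whose pattern is
    many distinct accounts, few tries each, mostly failures."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(),
                                  "hits": set(), "endpoints": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        s["endpoints"].add(e["endpoint"])
        if e["ok"]:
            s["hits"].add(e["user"])
    flagged = {}
    for ip, s in per_ip.items():
        success_rate = len(s["hits"]) / s["attempts"]
        if (s["attempts"] >= MIN_ATTEMPTS
                and len(s["users"]) >= MIN_DISTINCT_USERS
                and success_rate <= MAX_SUCCESS_RATE):
            flagged[ip] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "success_rate": round(success_rate, 3),
                # any success from a stuffing source means that account is compromised
                "compromised": sorted(s["hits"]),
                # endpoint mix shows whether the run went at the API directly
                "api_targeted": any(p.startswith("/api/") for p in s["endpoints"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in flag_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The user retrying a single account never trips the distinct-user threshold, while the spraying source is flagged and its one successful login is reported as a compromised account to force a reset on.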

Phishing is the other primary form of attack used against gamers. In this method, bad actors create legitimate-looking websites related to a game or gaming platform with the goal of tricking players into revealing their login credentials.

Types of attacks

There were also 10.6 billion web application attacks across Akamai's customers between July 2018 and June 2020, more than 152 million of which were directed toward the gaming industry. The significant majority were SQLi attacks intended to exploit user login credentials, personal data and other information stored in the targeted server’s database.

Local File Inclusion (LFI) was the other notable attack vector, which can expose player and game details that can ultimately be used for exploiting or cheating. Criminals often target mobile and web-based games with SQLi and LFI attacks due to the access to usernames, passwords and account information that comes with successful exploits.

Between July 2019 and June 2020, more than 3,000 of the 5,600 unique DDoS attacks were aimed at the gaming industry, making it by far the most-targeted sector.

Recalling the Mirai botnet, which was originally created by college students to disable Minecraft servers, and later used to launch some of the largest-ever DDoS attacks, the report notes that the gaming-related DDoS attacks spiked during holiday periods, as well as typical school vacation seasons. This serves as a likely indicator that the responsible parties were home from school.

While video games served as a major outlet for entertainment and social interaction during the COVID-19-driven lockdowns earlier in the year, criminals also took advantage of the pandemic.

Gamers are not concerned

A notable spike in credential stuffing activity occurred as isolation protocols were instituted around the world. Much of the traffic was the result of criminals testing credentials from old data breaches in attempts to compromise new accounts created using existing username and password combinations.

Though many gamers have been hacked, far fewer appear to be concerned. In an upcoming survey of gamer attitudes toward security conducted by Akamai and DreamHack, 55 percent of the respondents who identify as “frequent players” admitted to having had an account compromised at some point; of those, only 20 percent expressed being “worried” or “very worried” about it.

The report posits that even though avid gamers might not recognize the value in the data associated with their accounts, criminals most certainly do.

The survey also found that gamers consider security to be a team effort, with 54 percent of the respondents who acknowledged being hacked in the past feeling it is a responsibility that should be shared between the gamer and game developer/company.

How can gamers protect themselves?

The report outlines steps that gamers can take to protect themselves and their accounts such as using password managers and two-factor authentication along with unique, complicated passwords. It also points to resource pages that most game companies publish where gamers can opt in to additional security capabilities.

“Gaming has always brought communities together, so all of us at DreamHack want to ensure our valued communities of fans and players are protected from cyber attacks of this nature,” said Tomas Lykedal, CSO, DreamHack.

“These findings are important so everyone involved can also help ensure that, together, we are doing all we can to protect privacy and personal information when engaging on these world stages and global platforms.”

The fact remains: Gamers are highly targeted because they have several qualities that criminals look for. They’re engaged and active in social communities. For the most part, they have disposable income, and they tend to spend it on their gaming accounts and gaming experiences. When these factors are combined, criminals see the gaming industry as a target-rich environment.

20% of credential stuffing attacks target media companies

The media industry suffered 17 billion credential stuffing attacks between January 2018 and December 2019, according to a report from Akamai.


The apparent fourfold increase in attacks is partly attributable to the enhanced visibility into the threat landscape.

The report found that 20% of the 88 billion total credential stuffing attacks observed during the reporting period targeted media companies.

Media companies present an attractive target

Media companies present an attractive target for criminals according to the report, which reveals a 63% year-over-year increase in attacks against the video media sector.

The report also shows 630% and 208% year-over-year increases in attacks against broadcast TV and video sites, respectively. At the same time, attacks targeting video services are up 98%, while those against video platforms dropped by 5%.

The marked uptick in attacks aimed at broadcast TV and video sites appears to coincide with an explosion of on-demand media content in 2019. In addition, two major video services launched last year with heavy support from consumer promotions. These types of sites and services are well aligned with the observed goals of the criminals who target them.

Much of the value in media industry accounts lies in the potential access to both compromised assets, like premium content, along with personal data according to Steve Ragan, author of the report.

“We’ve observed a trend in which criminals are combining credentials from a media account with access to stolen rewards points from local restaurants and marketing the nefarious offering as ‘date night’ packages. Once the criminals get a hold of the geographic location information in the compromised accounts, they can match them up to be sold as dinner and a movie,” Ragan explained in the report.

Attacks targeting published content

Video sites are not the sole focus of credential stuffing attacks within the media industry, however. The report notes a 7,000% increase in attacks targeting published content.

Newspapers, books and magazines sit squarely within the sights of cybercriminals, indicating that media of all types appear to be fair game when it comes to these types of attacks.

The United States was by far the top source of credential stuffing attacks against media companies with 1.1 billion in 2019, an increase of 162% over 2018. France and Russia were a distant second and third with 3.9 million and 2.4 million attacks, respectively.

India was the most targeted country in 2019, enduring 2.4 billion credential stuffing attacks. It was followed by the United States at 1.4 billion and the United Kingdom at 124 million.

“As long as we have usernames and passwords, we’re going to have criminals trying to compromise them and exploit valuable information,” Ragan explained.

“Password sharing and recycling are easily the two largest contributing factors in credential stuffing attacks. While educating consumers on good credential hygiene is critical to combating these attacks, it’s up to businesses to deploy stronger authentication methods and identify the right mix of technology, policies and expertise that can help protect customers without adversely impacting the user experience.”


Some of the shuffling of top target areas in Q1 2020 correlates with effects of the pandemic lockdowns in various parts of the world.

Spike in malicious login attempts against European broadcasters

There was a large spike in malicious login attempts against European video service providers and broadcasters during the first quarter of 2020. One attack in late March, after many isolation protocols had been instituted, directed nearly 350,000,000 attempts against a single service provider over a 24-hour period.

Separately, one broadcaster well known across the region was hit with a barrage of attacks over the course of the quarter, with peaks that ranged in the billions.

Another noteworthy trend during the first quarter was the number of criminals sharing free access to newspaper accounts. Though offered as self-promotional giveaways, those accounts still have to be obtained through credential stuffing campaigns that steal the working username and password combinations being given away.

Researchers also observed a decline in the cost of stolen account credentials over the course of the quarter, which traded for approximately $1 to $5 at the start and $10 to $45 for package offers of multiple services. Those prices fell as new accounts and lists of recycled credentials populated the market.

Akamai launches a new in-browser threat detection solution that uncovers compromised scripts

Akamai, the intelligent edge platform for securing and delivering digital experiences, announced the launch of Page Integrity Manager, an in-browser threat detection solution designed to uncover compromised scripts that could be used to steal user data or impact the user experience.

Initially popularized by Magecart groups, and now being leveraged by other threat actors, the attack vector of malicious web page scripts is growing and has become a frequent source of data breaches.

A typical website relies on dozens of third-party sources — many that result in scripts executing in user browsers. Third-party scripts are essential for the dynamic user experience expected in modern websites, inclusive of sensitive information pages used for payments, account management, and personal information forms.

However, security teams have little visibility into or control over these third-party supplied and maintained scripts.

Akamai designed Page Integrity Manager to protect websites from JavaScript threats, such as web skimming, form-jacking, and Magecart attacks, by identifying vulnerable resources, detecting suspicious behavior, and blocking malicious activity.

By detecting suspicious script activity in real-time, Page Integrity Manager offers a more effective way to defeat well-hidden supply chain attacks such as Magecart when they happen.

“Web skimming attacks steadily remain at a high-volume across a variety of industries, especially retail, media, and hospitality,” said Akamai Security Researcher Steve Ragan.

“Over a recent seven-day period, we analyzed nearly five billion JavaScript executions across 110 million page views and saw about a thousand vulnerabilities, any one of which could result in stolen sensitive user data.”

The FBI recently reported that web skimming has been on its radar for nearly seven years, but the crime is growing because cybercriminals are sharing the malware online and becoming more sophisticated.

“By their nature, web page scripts are very dynamic. Third-party scripts are especially opaque, creating a new attack vector that is challenging to defend against,” said Raja Patel, Vice President of Products, Web Security at Akamai.

“Page Integrity Manager gives our customers the visibility they need to manage the risk from scripts, including first-, third-, nth-party scripts, with actionable intel needed to make business decisions unique to your organization.”

Crafty Web Skimming Domain Spoofs “https”

Earlier today, KrebsOnSecurity alerted the 10th largest food distributor in the United States that one of its Web sites had been hacked and retrofitted with code that steals credit card and login data. While such Web site card skimming attacks are not new, this intrusion leveraged a sneaky new domain that hides quite easily in a hacked site’s source code: “http[.]ps” (the actual malicious domain does not include the brackets, which are there to keep readers from being able to click on it).

This crafty domain was hidden inside the checkout and login pages for grandwesternsteaks.com, a meat delivery service owned by Cheney Bros. Inc., a major food distributor based in Florida. Here’s what a portion of the login page looked like until earlier today when you right-clicked on the page and selected “view-source”:

The malicious domain added to the HTML code for grandwesternsteaks.com (highlighted in orange) fetched a script that intercepted data entered by customers, including credit card details and logins. The code has since been removed from the site.

Viewing the HTML source for the malicious link highlighted in the screenshot above reveals the obfuscated card-skimming code, a snippet of which is pictured below:

The obfuscated card skimming code is full of references to “ants” and “cockroaches,” which is enough to give any site owner the heebie-jeebies.

A simple search on the malicious domain “http[.]ps” at HTML search service publicwww.com shows this code is present on nearly a dozen other sites, including a music instrument retailer, an herbal pharmacy shop in Europe, and a business in Spain that sells programmable logic controllers — expensive computers and circuit boards designed to control large industrial operations.

The http[.]ps domain is hosted in Russia, and sits on a server with one other malicious domain — autocapital[.]pw. According to a Mar. 3 Twitter post by security researcher and blogger Denis Sinegubko, the autocapital domain acts as a collector of data hoovered up by the http[.]ps skimming script.

Jerome Segura over at Malwarebytes recently wrote about a similar attack in which the intruders used http[.]ps to spoof the location of a script that helps improve page load times for sites that rely on Web infrastructure firm Cloudflare.

“There is a subtle difference in the URI path loading both scripts,” Segura wrote. “The malicious one uses a clever way to turn the domain name http.ps (note the dot ‘.’ , extra ‘p’ and double slash ‘//’) into something that looks like ‘https://’. The threat actors are taking advantage of the fact that since Google Chrome version 76, the “https” scheme (and special-case subdomain “www”) is no longer shown to users.”

Segura says there are two ways e-commerce sites are being compromised here:

  • Skimming code that is injected into a self hosted JavaScript library (the jQuery library seems to be the most targeted)
  • A script that references an external JavaScript, hosted on a malicious site (in this case, http[.]ps)

Malwarebytes assesses that the tricks this domain uses to obfuscate the malicious code are tied to various site-hacking malware campaigns dating back to 2016. By the way, an installation of Malwarebytes on a test machine used for this investigation blocked the http[.]ps script from loading on each of the compromised sites I found.

Finally, the “.ps” bit of the malicious skimming domain refers to the country code top-level-domain (ccTLD) for the State of Palestine. The domain was registered on Feb. 7.

If you run an e-commerce Web site, it would be a great idea to read up on leveraging Content Security Policy (CSP) response headers and Subresource Integrity security features offered by modern Web browsers. These offer mitigation options to prevent your site from being used in these card skimming attacks. Ryan Barnett at Akamai penned a comprehensive blog post on these approaches not long ago that is well worth reading [full disclosure: Akamai is an advertiser on this site].
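Both of Segura's compromise routes above (an injected self-hosted library, and an external script on a lookalike host such as http[.]ps) leave traces in the page's own script tags, and the SRI and CSP mitigations just mentioned can be checked for at the same time. The following scanner is an added example, not code from KrebsOnSecurity, Malwarebytes or Akamai: the HTML, the allowlist and the integrity value are constructed, and the `http.ps` host appears only because the article names it.

```python
"""Static check of a page's <script> tags for the web-skimming signs the
article describes. Added example, not code from the article or from Akamai;
SAMPLE_HTML, ALLOWED_HOSTS and the integrity value are constructed.
"""
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlsplit

# Assumption: hosts the site owner expects to serve scripts from.
ALLOWED_HOSTS = {"cdnjs.cloudflare.com"}

# Constructed checkout page: an SRI-pinned CDN script, the protocol-relative
# "//http.ps//..." lookalike (reads like "https://" at a glance), and a
# self-hosted jQuery copy with no integrity attribute.
SAMPLE_HTML = """
<html><head>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js"
        integrity="sha384-CONSTRUCTEDPLACEHOLDER" crossorigin="anonymous"></script>
<script src="//http.ps//cdn/loader.min.js"></script>
<script src="/js/jquery.min.js"></script>
</head><body><form id="checkout"></form></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> tag that has a src."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            attr_map = {k: (v or "") for k, v in attrs}
            if "src" in attr_map:
                self.scripts.append(attr_map)


def scheme_lookalike(host: str) -> bool:
    """True when a hostname's first label is a URL scheme, so that a
    protocol-relative src such as //http.ps//x visually mimics https://."""
    return host.split(".")[0].lower() in ("http", "https")


def scan_scripts(html: str) -> List[Dict[str, object]]:
    """Return one finding per script src; an empty issue list means clean."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        src = attrs["src"]
        host = urlsplit(src).hostname or ""   # "" means same-origin
        issues = []
        if host and scheme_lookalike(host):
            issues.append("scheme_lookalike")
        if host and host not in ALLOWED_HOSTS:
            issues.append("unexpected_host")
        if not attrs.get("integrity"):
            issues.append("no_sri")   # also catches injected self-hosted libraries
        findings.append({"src": src, "host": host, "issues": issues})
    return findings


def suggest_csp(allowed_hosts) -> str:
    """Build a script-src directive allowing only self and the allowlist."""
    sources = " ".join(sorted("https://" + h for h in allowed_hosts))
    return "Content-Security-Policy: script-src 'self' " + sources


if __name__ == "__main__":
    for f in scan_scripts(SAMPLE_HTML):
        print(f["src"], "->", ", ".join(f["issues"]) or "ok")
    print(suggest_csp(ALLOWED_HOSTS))
```

Run it against a saved copy of a checkout page: the lookalike host fails three checks at once, and the self-hosted library is called out for missing SRI even though its origin is trusted.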

I’ve been playing recently with privacy.com, which among other things offers a free service that allows users to generate a unique, one-time credit card number for each online transaction (privacy.com makes money from the interchange fees paid by merchants). The beauty of this approach is if your credit card details do get swiped by one of these site skimmers, you won’t have to change your credit card information at dozens of other sites and services you frequent.

Most credential abuse attacks against the financial sector targeted APIs

From May 2019 through the end of the year, criminals shifted dramatically toward targeting APIs in an effort to bypass security controls. According to data from Akamai, up to 75% of all credential abuse attacks against the financial services industry targeted APIs directly.


According to the report’s findings, from December 2017 through November 2019, 85,422,079,109 credential abuse attacks were observed. Nearly 20 percent, or 16,557,875,875, were against hostnames that were clearly identified as API endpoints. Of these, 473,518,955 attacked organizations in the financial services industry.

A mix of API targeting, and other methodologies

But not all attacks were exclusively API focused. On August 7, 2019, the single largest credential stuffing attack against a financial services firm was recorded, consisting of 55,141,782 malicious login attempts.

This attack was a mix of API targeting, and other methodologies. On August 25, in a separate incident, the criminals targeted APIs directly, in a run that consisted of more than 19 million credential abuse attacks.

“Criminals are getting more creative and hyper-focused on how they go about obtaining access to the things they need to conduct their crimes,” said Steve Ragan, Akamai security researcher and principal author of the State of the Internet / Security report.

“Criminals targeting the financial services industry pay close attention to the defenses used by these organizations, and adjust their attack patterns accordingly.”

Criminals exposing data through different methods

Indicative of this fluid attack dynamic, the report shows that criminals continue to seek to expose data through a number of methods, in order to gain a stronger foothold on the server and ultimately achieve success in their attempts.

SQL Injection (SQLi) accounted for more than 72% of all attacks when looking at all verticals during the 24-month period observed by the report. That rate is halved to 36% when looking at financial services attacks alone. The top attack type against the financial services sector was Local File Inclusion (LFI), with 47% of observed traffic.

LFI attacks exploit various scripts running on servers, and as a consequence these types of attacks can be used to force sensitive information disclosure. LFI attacks can also be leveraged for client-side code execution (for example, by including a vulnerable JavaScript file), which could lead to Cross-Site Scripting (XSS) and DoS attacks.

XSS was the third-most common type of attack against financial services, with a recorded 50.7 million attacks, or 7.7% of the observed attack traffic.

Criminals still leveraging DDoS attacks

The report also shows that criminals continue to leverage DDoS attacks as a core component of their attack arsenal, particularly as it relates to targeting financial services organizations.

Observations from November 2017 until October 2019 show the financial services industry ranking third in attack volume, with gaming and high tech being the most common targets. However, more than forty percent of the unique DDoS targets were in the financial services industry, which makes this sector the top target when considering unique victims.

“Security teams need to constantly consider policies, procedures, workflows, and business needs – all while fighting off attackers that are often well organized and well-funded,” Ragan concluded. “Our data shows that financial services organizations are constantly improving by adopting fluid security postures, forcing criminals to change their tactics.”