Credential stuffing, a technique used by cyber criminals to perform millions of malicious login attempts on websites using stolen login credentials, is now among the most popular hacking tools in the hands of criminals, a new report has revealed.
A couple of months ago, security firm Shape Security revealed in its 2018 Credential Spill Report that credential stuffing attacks accounted for more than half of all login attempts on websites of online retailers, airline companies, banks, hotels and other firms.
Sector-wise, credential stuffing attacks accounted for 91 percent of all login attempts on online retailers' websites, 60 percent of all login attempts on airline companies' websites, 58 percent of attempts on banking sites, and 44 percent of login attempts on websites owned by hotels this year.
Noting that around 3% of such attacks succeeded, Shape Security revealed that e-commerce retailers lose an average of $6 billion a year, banks lose $1.7 billion a year, and hotel and airline companies lose $700 million every year to credential stuffing attacks.
Over 8.3 billion malicious login attempts between May and June
The new 2018 State of the Internet / Security Credential Stuffing Attacks report released by Akamai has backed up the alarming figures released by Shape Security on the scale of credential stuffing attacks.
After analysing malicious login attempts between May and June this year, Akamai noted that the number of credential stuffing attacks across the world grew from 3.2 billion malicious logins per month between January and April to over 8.3 billion malicious login attempts between May and June, signifying a growth of 30 percent per month.
"Our research shows that the people carrying out credential stuffing attacks are continuously evolving their arsenal. They vary their methodologies, from noisier, volume-based attacks, through stealth-like ‘low and slow’-style attacks,” said Martin McKeay, Senior Security Advocate at Akamai.
"It’s especially alarming when we see multiple attacks simultaneously affecting a single target. Without specific expertise and tools needed to defend against these blended, multi-headed campaigns, organizations can easily miss some of the most dangerous credential attacks," he added.
The rise in the number of credential stuffing attacks is fueled by the availability of millions of login credentials of users on hacker forums and on the Dark Web. Many organisations that store and process personal data of thousands to millions of people have suffered massive breaches over the years, thereby giving hackers access to enough information necessary to launch millions of credential stuffing attacks every month.
Credential stuffing attacks also succeed because many people use the same login credentials for different accounts with different online retailers, banks, hotels, and airline companies. So if a user's login credentials for a particular website is breached, the same credentials can be used by criminals to hack into his other accounts as well.
Credential stuffing software affordable and accesible
According to Ryan Wilk, vice president at NuData Security, another reason behind the rise in the frequency of credential stuffing attacks is that the software for credential stuffing is now very affordable and is accessible for almost anyone.
"Having customers change their passwords is a temporary fix, a band-aid that doesn’t get to the root of the problem. One effective way to stop this type of attack is to implement security solutions that detect this sophisticated automated activity at login and other placements.
"By using technologies that include behavioural biometrics, automated activity is flagged at login before it can even test any credentials in the company's environment. At the same time, companies should stay alert for any leaked credentials of their employees or customers along with mentions of the company and brand names across cracking forums to stay on top of this trend," he said.