Retailers have become the top target for credential stuffing attacks

Bots are being used to complete rapid-fire fraudulent purchases with very little effort from the hackers behind them.
Written by Charlie Osborne, Contributing Writer

Retailers are now the favorite target of cybercriminals looking to cash in through easy, automated credential stuffing attacks.

Point-of-sale (PoS) malware has been -- and still is -- a common way to infiltrate retail systems and steal valuable credit card data. However, the explosion in leaked data and bulk card number sets now available for next to nothing in the web's underbelly has given rise to a new technique to steal hard-won cash from shoppers without the need to infect physical equipment.

According to Akamai's 2019 State of the Internet report, released on Wednesday, the retail sector was the top target for credential stuffing techniques in the second half of 2018.

Credential stuffing attacks are automated and make use of lists of stolen data -- such as financial or online service credentials -- to send barrages of user authentication requests without the need for human interaction.

Given the huge stolen data sets now available -- such as the dump of 87GB of data containing 22 million unique passwords which was recently discovered online -- cybercriminals are now taking advantage of these caches with the help of what is known as "All-in-One" (AIO) bots.

Akamai says that AIO bots, which are capable of deploying multi-functional tools including credential stuffers, have proven particularly valuable to criminals when it comes to product purchases.

An emerging trend is the use of these bots to perform credential stuffing attacks, successfully compromise online retail accounts, make purchases, and then allow operators to resell these fraudulently-purchased items for a profit.

According to the report, AIO bots are capable of targeting up to 120 retailers at once.

Over a period of eight months in 2018, Akamai detected 27,985,920,324 credential abuse attempts, with the majority of attacks stemming from the United States, followed by Russia, Canada, Brazil, and India. On average, this equates to 115 million user account compromise attempts every day.

In total, 10 billion of these attempts were focused on retail targets, spurred on by the general pattern that individuals often reuse their account credentials across different online services.

"The techniques change, but the motivation remains the same: greed," said Martin McKeay, Senior Security Advocate at Akamai. "Retailers remain on the front lines because stolen merchandise sells quickly and at a premium. And for that reason, the data shows which merchandise is of the highest value: Apparel sites are targeted the most."
 
Clothing websites are most often targeted, followed by department stores, office merchandise suppliers, and accessory retailers. In addition, the media, entertainment, and banking sectors are all common victims of these types of attacks.

Another element of credential stuffing attacks that attackers can take advantage of is discount codes. Codes and promotions connected to compromised accounts may be stolen by hackers, who can either hoard them for bulk sales or trade them at a later date.

When asked in a survey how enterprise players can respond to automated credential stuffing attacks, 71 percent of organizations said that implementing security measures which could prevent these attacks could "diminish" the experience for legitimate users.

In total, 32 percent of companies said they lacked visibility into credential stuffing, and 30 percent said they were unable to either detect or mitigate such attacks at all.

"The only way to stop these types of attacks is to get better at detection and mitigation when it comes to the bots themselves, and to focus on keeping users from sharing credentials between websites," the researchers say. "As long as passwords are recycled, credential stuffing and account takeovers (ATOs) will continue to be a steady criminal enterprise."
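
To make the detection side concrete, here is an added example (not from Akamai's report or the original article) that flags the pattern described above: one source trying many different accounts in a short burst with almost all attempts failing, and then lists any accounts that did log in from that source so they can be reset. The log format, sample lines and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (assumed format): "timestamp source_ip username result"
SAMPLE_LOG = """\
2019-02-22T15:00:01 203.0.113.7 anna FAIL
2019-02-22T15:00:02 203.0.113.7 ben FAIL
2019-02-22T15:00:03 203.0.113.7 cara FAIL
2019-02-22T15:00:04 203.0.113.7 dev OK
2019-02-22T15:00:05 203.0.113.7 eli FAIL
2019-02-22T15:00:06 203.0.113.7 fay FAIL
2019-02-22T15:01:10 198.51.100.20 bob FAIL
2019-02-22T15:01:25 198.51.100.20 bob FAIL
2019-02-22T15:01:40 198.51.100.20 bob OK
2019-02-22T15:02:00 192.0.2.50 gus OK
2019-02-22T15:02:05 192.0.2.50 hana OK
2019-02-22T15:02:11 192.0.2.50 ivan FAIL
2019-02-22T15:02:20 192.0.2.50 jo OK
2019-02-22T15:02:31 192.0.2.50 kim OK
"""

def detect_stuffing(log_text, window=timedelta(seconds=60), min_users=5, min_fail_ratio=0.8):
    """Return {source_ip: accounts that logged in OK from it} for flagged sources."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, ip, user, result = parts
        by_ip[ip].append((datetime.fromisoformat(ts), user, result == "OK"))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            # Slide the start forward until the span fits inside the time window.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            # Stuffing signature: many different accounts, almost all failing.
            # A shared office IP (many users, mostly OK) and a user retrying
            # one password (one account) both stay below these thresholds.
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                flagged[ip] = sorted({u for _, u, ok in events if ok})
                break
    return flagged

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

Bots that spread attempts across many source addresses will not trip a per-IP threshold, so the same windowed count is usually also kept per target account range or per client fingerprint.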
