New research has emerged claiming that the travel, hospitality and retail industries have been hit by 64 billion cyber attacks in the form of credential stuffing campaigns.
Researchers at Akamai say that more than 60% of the total credential stuffing attacks launched on organisations around the world were targeted at the travel, hospitality and retail industries, with attackers trying to break into an organisation’s systems using login details that were either stolen or purchased online.
The online security company says in its latest ‘Loyalty for Sale’ report that between July 2018 and June 2020, it recorded more than 100 billion credential stuffing cyber attacks. Of this total, more than 64 billion were targeted at organisations operating in the travel, hospitality and retail industries, in campaigns intended to access sensitive information and personal data.
Akamai also says that of this total, 90% of the attacks were targeted at the retail industry, strongly suggesting that it is the industry most vulnerable to credential stuffing campaigns and cyber attacks, most likely due to the sheer volume of data and financial information retailers store on their systems.
Steve Ragan, security researcher and lead author of the report, has said that “criminals are not picky – anything that can be accessed can be used in some way.”
“This is why credential stuffing has become so popular over the past few years. These days, retail and loyalty profiles contain a smorgasbord of personal information, and in some cases, financial information, too. All of this data can be collected, sold and traded, or even compiled for extensive profiles that can later be used for crimes such as identity theft,” Ragan said.
The report states that amid the COVID-19 pandemic, cyber criminals found an opportunity in the form of higher than usual traffic and purchases online, which prompted them to accelerate the frequency of their cyber attacks and credential stuffing campaigns.
Akamai’s Amanda Fakhreddine writes that “criminals aren’t afraid to use our loyalty against us,” adding that “loyalty programs have the additional problem with perception, as many consumers don’t think of them as high risk, and are more likely to use weak passwords or mirror accounts they’re using with another organisation.”
“The retail, hospitality and travel industries are consistently targeted by criminals because they have access to assets that are easily turned into commodities,” Fakhreddine continued to explain. “These assets could be personal information, financial information, brand-based loyalty programs, or all of them combined.”
Wrapping up, she concluded that “the constant back-and-forth between defenders in the retail, travel and hospitality industries and criminals isn’t going away.”
How does Credential Stuffing Work?
According to a report from Tech Republic, “credential stuffing is the weaponization of stolen credentials (usernames and passwords) against websites and mobile applications. Lists of credentials stolen from one website are tested against other websites’ login pages to gain unauthorized access to accounts, in order to commit fraud.”
Scott Matteson, who worked as President Obama’s Deputy Secretary of Defense, has said that “the most remarkable aspect of credential stuffing is that a given business does not have to be breached itself to suffer from credential stuffing; the vulnerability is simply having a login form and having users.”
Tech Republic’s report estimates that there are more than 15 billion credentials being sold online at any given time, offered both for free and for purchase.
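Because the pattern described above is one source testing a list of many different accounts with mostly failed logins, a defender can look for exactly that shape in authentication logs. The following is an added example, not code from Akamai or Tech Republic; the log format, thresholds, addresses and account names are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def sample_log():
    """Constructed log rows: '<ISO timestamp> <source IP> <username> <OK|FAIL>'."""
    rows = []
    for i in range(8):   # one source walks a list of accounts; one reused password works
        result = "OK" if i == 2 else "FAIL"
        rows.append(f"2020-06-01T10:00:{i:02d} 203.0.113.7 user{i}@example.com {result}")
    for i in range(4):   # one person mistyping their own password, then succeeding
        result = "OK" if i == 3 else "FAIL"
        rows.append(f"2020-06-01T10:01:{i:02d} 198.51.100.4 bob@example.com {result}")
    for i in range(6):   # shared office address: many accounts, all logins succeed
        rows.append(f"2020-06-01T10:02:{i:02d} 192.0.2.10 staff{i}@example.com OK")
    return rows

def parse(lines):
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue     # skip malformed rows instead of failing the whole run
        ts, ip, user, outcome = parts
        yield datetime.fromisoformat(ts), ip, user.lower(), outcome == "OK"

def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5, max_success=0.2):
    """Flag sources that try many distinct accounts in one window with few successes."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse(lines):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                      # slide the window forward
            win = events[start:end + 1]
            distinct = {user for _, user, _ in win}
            success = sum(ok for _, _, ok in win) / len(win)
            if len(distinct) >= min_users and success <= max_success:
                flagged[ip] = {
                    "accounts_tried": len({u for _, u, _ in events}),
                    # successful logins from a flagged source need a forced reset
                    "accounts_to_reset": sorted({u for _, u, ok in events if ok}),
                }
                break
    return flagged

if __name__ == "__main__":
    print(detect_stuffing(sample_log()))
```

Counting per source address is only one grouping key; the thresholds here are illustrative and would be tuned against a site's normal login traffic.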