Credential stuffing attacks are on the rise, and cybercriminals are increasingly using this attack vector as a stepping stone to more substantial intrusions. A recent report by Akamai disclosed that over 100 billion credential stuffing attempts were detected between July 1, 2018, and June 30, 2020.
What has been disclosed?
The report disclosed that more than 60% of credential stuffing attacks over the last two years were aimed at businesses.
- Around 64 billion attempts (out of 100 billion) were aimed at cracking open user accounts in the retail, travel, and hospitality sectors. Furthermore, loyalty and reward-related programs faced full-scale credential-stuffing attacks.
- The retail sector remained the most affected by these attacks as retail accounts usually contain a trove of critical personal and financial information. Such information is sold online or used in identity theft attacks.
- During the early days of the coronavirus pandemic, online sites were flooded with consumers. To exploit this opportunity, cybercriminals began using old credential lists to identify newly vulnerable and exposed accounts.
- Alongside credential stuffing, cybercriminals attempted to compromise targeted sites through two other web attacks: SQL injection and local file inclusion.
Credential stuffing attacks are still ongoing and being used to hijack victims’ online accounts. A month ago, the FBI issued a warning for financial organizations about a rise in credential stuffing attacks.
- Recently, a retail company, Sam's Club, started sending automated password reset emails and security notifications to their customers after they were affected by credential stuffing attacks.
- Last month, hackers gained access to a federal agency's internal networks using compromised credentials for Office 365, domain administrator accounts, and a Pulse Secure VPN server.
Cybercriminals are taking advantage of the rapid transition of businesses and users to digital platforms. Experts therefore recommend enabling multi-factor authentication and using a password manager, and advise against reusing the same password across multiple online accounts.
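As an added example (not part of the Akamai report or this article), here is a small Python detector for the trace these attacks leave in login logs: one source address trying many distinct accounts with mostly failures, which is what separates credential stuffing from a single-account brute force or a busy shared corporate gateway. The log lines, IP addresses and the `ip=/user=/result=` field format are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of login audit lines (illustrative data, not from the report).
SAMPLE_LOG = """\
2020-10-01T12:00:01Z ip=203.0.113.7 user=alice result=FAIL
2020-10-01T12:00:01Z ip=203.0.113.7 user=bob result=FAIL
2020-10-01T12:00:02Z ip=203.0.113.7 user=carol result=FAIL
2020-10-01T12:00:02Z ip=203.0.113.7 user=dave result=OK
2020-10-01T12:00:03Z ip=203.0.113.7 user=erin result=FAIL
2020-10-01T12:00:05Z ip=198.51.100.4 user=carol result=FAIL
2020-10-01T12:00:06Z ip=198.51.100.4 user=carol result=FAIL
2020-10-01T12:00:07Z ip=198.51.100.4 user=carol result=FAIL
2020-10-01T12:01:00Z ip=192.0.2.10 user=grace result=OK
2020-10-01T12:01:01Z ip=192.0.2.10 user=heidi result=FAIL
2020-10-01T12:01:02Z ip=192.0.2.10 user=ivan result=OK
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")

def parse_events(text):
    """Yield (ip, user, success) tuples; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["ip"], m["user"], m["result"] == "OK"

def detect_credential_stuffing(events, min_users=3, min_fail_ratio=0.8):
    """Flag source IPs that try many distinct accounts with a high failure rate.

    A single account hammered from one IP (brute force) fails the min_users check;
    a shared gateway with many successful users fails the min_fail_ratio check.
    Returns {ip: {"users": n_distinct, "fail_ratio": r, "compromised": [users]}},
    where "compromised" lists accounts that succeeded from a flagged source.
    """
    per_ip = defaultdict(lambda: {"users": set(), "ok_users": set(), "fails": 0, "total": 0})
    for ip, user, success in events:
        s = per_ip[ip]
        s["users"].add(user)
        s["total"] += 1
        if success:
            s["ok_users"].add(user)
        else:
            s["fails"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["fails"] / s["total"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"users": len(s["users"]), "fail_ratio": round(ratio, 2),
                           "compromised": sorted(s["ok_users"])}
    return flagged
```

Accounts in the `compromised` list are the ones to reset and notify, which is the response Sam's Club took above.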