Akamai recently published a report detailing criminal activity targeting the retail, travel, and hospitality market segments with attacks of all types and sizes between July 2018 and June 2020. The report also includes numerous examples of criminal ads from the Dark web illustrating how they cash in on the results from successful attacks and the corresponding data theft.
So, what is credential stuffing? Please visit and read our full report at: https://redskyalliance.org/xindustry/credential-stuffing
“Criminals are not picky anything that can be accessed can be used in some way,” as seen in the Akamai State of the Internet / Security report. “This is why credential stuffing has become so popular over the past few years. These days, retail and loyalty profiles contain a smorgasbord of personal information, and in some cases financial information, such as stored credit card numbers. All of this data can be collected, sold, and traded or even compiled for extensive profiles that can later be used for crimes such as identity theft.”
Credential stuffing is the automated injection of breached username/password pairs to fraudulently gain access to user accounts. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes. |
During the COVID-19 pandemic-related lockdowns in Q1 2020, criminals took advantage of the worldwide situation and circulated password combination lists, targeting each of the commerce industries featured in the report. During this time criminals began recirculating old credential lists to identify new vulnerable accounts, which lead to a significant uptick in criminal inventory and sales related to loyalty programs. Between July 2018 and June 2020, more than 100 billion credential stuffing attacks were observed. In the commerce market segment, comprising retail, travel, and hospitality industries, there were 63 billion recorded. More than 90 percent of the attacks in the commerce category targeted retail entities.
Credential stuffing is not the only way that criminals target the retail, travel, and hospitality businesses. They target organizations at the source using SQL Injection (SQLi) and Local File Inclusion (LFI) attacks. Between July 2018 and June 2020, 4 billion web attacks against retail, travel, and hospitality were observed, accounting for 41 percent of the overall attack volume across all industries. Within this data set, 83 percent of those web attacks targeted the retail sector alone. SQLi attacks are an evident favorite among criminals, accounting for just under 79 percent of the total web application attacks against retail, travel, and hospitality.[1]
As the global and domestic economies prepare for the 2020 holiday shopping season, it is dealing with an environment that has changed entirely due to the pandemic lock downs and fears of infection. It is estimated that this buying season will be the largest on-line/eCommerce holiday season ever. Consumers will not be standing outside of brick and mortar stores waiting for the latest deals in the same way they have in past seasons. They are going to log-in, collect their reward points, and hopefully use loyalty programs to gain some discounts or other perks just for being a member.
Considering everything that goes into a successful loyalty program, and the information people need to provide in order to take part, the criminals have exactly what they need to begin a number of crime-related profitable ventures, from account takeovers, to identity theft. While an individual’s loyalty to a merchant, airline, or hotel chain might not literally be for sale, there is a high probability that the account associated with such programs might be available. Analysts are warning, “All businesses need to adapt to external events, whether it’s a pandemic, a competitor, or an active and intelligent attacker. Some of the top loyalty programs targeted require nothing more than a mobile number and a numeric password, while others rely on easily obtained information as a means of authentication. There is an urgent need for better identity controls and countermeasures to prevent attacks against APIs and server resources.”
If an on-line offer or coupon seems too good to be true, please beware it most likely is not legitimate. Cyber actors are planning to fill your email account mailboxes and cell phones with offers that are only a “Click Away.” If you fall for it, your device will quickly be compromised. If a coupon or “Deal” is real, it will be posted on the merchant’s web site. A good rule of thumb is to take the extra few minutes to confirm an offer with the merchant or manufacturer. The cyber thieves also promote spoofed web sites that look “Just like the real web site,” to trick buyers into entering credit card information. Caveat Emptor, or ‘Let the Buyer Beware’ for the holiday and post-holiday buying seasons.
Current Real-Life Example - Several Koodo[2] customers received concerning emails from the carrier on 3 November 2020 about locking down their accounts after Koodo detected suspicious attempts to log in. Koodo is a Canadian mobile app. The emails read, “We have learned that there have been recent attempts to login to your account using valid credentials (your username and password) that originated from a suspicious source. Our investigation has revealed that your credentials were not shared by Koodo with any unauthorized user.” Koodo also explains in the email that it locked users accounts to protect them from the login attempts. The emails direct customers to reset their passwords. Unfortunately, the email did not provide much explanation about what happened. Some users took to Twitter to ask if Koodo had been hacked. One user called into Koodo to reset a password, and a representative told her it was a “glitch” with the Self-Serve system and there was nothing to worry about. That was not 100 percent accurate. Koodo says it locked down accounts after detecting a ‘credential stuffing’ attack and Koodo confirmed to MobileSyrup that there was an attack (a “credential stuffing” attack).[3]
Having tools and services looking in the deep/dark web is essential to a well-rounded cyber protection plan. Insider threat information must be checked in the deep/dark Internet. The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to blocking attacks, yet utilizing the RedXray and CTAC collection and analysis tools by Red Sky Alliance, will ensure a proactive approach to cyber security. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
https://attendee.gotowebinar.com/register/8782169210544615949
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
[1] https://www.helpnetsecurity.com/2020/10/23/63-billion-credential-stuffing-attacks-hit-retail-hospitality-travel-industries/
[2] Koodo Mobile is a Canadian mobile flanker (multi-branding) brand started by Telus in 2008 and mostly oriented toward younger customers. Koodo differs from its parent Telus by not requiring a fixed term contract. Koodo currently provides postpaid, prepaid, and wireless home phone services. Being a subsidiary of Telus, Koodo has been able to offer extensive coverage and a strong presence in mobile retailers. This allowed Koodo to gain a presence nationwide.
[3] https://mobilesyrup.com/2020/11/04/koodo-locked-accounts-credential-stuffing/
Comments