Story image

Streaming services prime targets for credential stuffing attacks

09 Apr 2019

Video and streaming services are prime targets for cyber attackers who attempt to conduct credential stuffing attacks, according to new research from Akamai.

Credential stuffing is when attackers use automated tools to test if stolen login information works on other websites – it takes advantage of the common poor password practice of using the same login details on multiple websites.

That stolen login information and credentials could be used for many different purposes – most often they are sold, traded, or harvested for personal information and available for sale on the dark web, says Akamai.

“Many accounts compromised via credential stuffing will sell for as little as $3.25 USD. These accounts come with a warranty: If the credentials don’t work once sold, they can be replaced at no cost, which is a service seller’s offer to encourage repeat purchases. The reason this service exists is that brands have become increasingly quick to detect compromised accounts and deactivate them,” the report states.

In 2018, three of the largest credential stuffing attacks against streaming services all occurred after reported data breaches. Those attacks ranged from 133 million to 200 million stuffing attempts, suggesting that attackers were testing stolen credentials before selling them on the black market.

"Hackers are very attracted to the high profile and value of online streaming services," explains Akamai director of security technology and strategy, Patrick Sullivan.

"Educating subscribers on the importance of using unique username and password combinations is one of the most effective measures businesses can take to mitigate credential abuse,” says Sullivan. 

“The good news is that organisations are taking the threat seriously and investigating security defences. Akamai offers its research and best practices to help these organizations who are facing significant brand and financial harm," he adds.

The report lists the United States as the top country of origin for the attacks, followed by Russia, Canada, Vietnam, India, Brazil, Malaysia, Indonesia, Germany, and China. 

The United States is also the top target, followed by India, Canada, Germany, Australia, Korea, China, Gibraltar, the Netherlands, Japan, Italy, France, and Hong Kong. 

Previous Akamai research noted that media, gaming and entertainment companies saw 11.6 billion attacks between May and December 2018.

“Partnering with a solid solutions provider to help detect and stop credential stuffing attacks is the obvious option to defend against such things. But addressing the credential stuffing threat isn’t a simple situation. An organisation needs to ensure a defensive solution is tailored to the business, as criminals will adjust their attacks accordingly to evade out-of-the-box configurations and basic mitigations,” the report states.

“And yet there is more to fixing the problem than a single vendor or set of products. Users need to be educated about credential stuffing attacks, phishing, and other risks that put their account information in jeopardy. Brands should stress the use of unique passwords and password managers to customers and highlight the value of multi-factor authentication. When discussing ATOs and AIO scripts, criminals often complain about the use of multi-factor authentication, which is a particularly effective method of stopping most of their attacks.”

“Constant reinforcement of these solutions, managed the same way any awareness program would, has worked for organisations in the financial and gaming industries.”

Statistics are from Akamai’s State of the Internet / Security: Credential Stuffing: Attacks and Economies – Special Media Report.

Industrial control component vulnerabilities up 30%
Positive Technologies says exploitation of these vulnerabilities could disturb operations by disrupting command transfer between components.
McAfee announces Google Cloud Platform support
McAfee MVISION Cloud now integrates with GCP Cloud SCC to help security professionals gain visibility and control over their cloud resources.
Why AI and behaviour analytics should be essential to enterprises
Cyber threats continue to increase in number and severity, prompting cybersecurity experts to seek new ways to stop malicious actors.
Scammers targeting more countries in sextortion scam - ESET
The attacker in the email claims they have hacked the intended victim's device, and have recorded the person while watching pornographic content.
Cryptojacking and failure to patch still major threats - Ixia
Compromised enterprise networks from unpatched vulnerabilities and bad security hygiene continued to be fertile ground for hackers in 2018.
Princeton study wants to know if you have a smart home - or a spy home
The IoT research team at Princeton University wants to know how your IoT devices send and receive data not only to each other, but also to any other third parties that may be involved.
Organisations not testing incident response plans – IBM Security
Failure to test can leave organisations less prepared to effectively manage the complex processes and coordination that must take place in the wake of an attack.
65% of manufacturers run outdated operating systems – Trend Micro
The report highlights the unique triple threat facing manufacturing, including the risks associated with IT, OT and IP.