Streaming services prime targets for credential stuffing attacks
Video and streaming services are prime targets for cyber attackers who attempt to conduct credential stuffing attacks, according to new research from Akamai.
Credential stuffing is when attackers use automated tools to test if stolen login information works on other websites – it takes advantage of the common poor password practice of using the same login details on multiple websites.
That stolen login information and credentials could be used for many different purposes – most often they are sold, traded, or harvested for personal information and available for sale on the dark web, says Akamai.
"Many accounts compromised via credential stuffing will sell for as little as $3.25 USD. These accounts come with a warranty: If the credentials don't work once sold, they can be replaced at no cost, which is a service seller's offer to encourage repeat purchases. The reason this service exists is that brands have become increasingly quick to detect compromised accounts and deactivate them," the report states.
In 2018, three of the largest credential stuffing attacks against streaming services all occurred after reported data breaches. Those attacks ranged from 133 million to 200 million stuffing attempts, suggesting that attackers were testing stolen credentials before selling them on the black market.
"Hackers are very attracted to the high profile and value of online streaming services," explains Akamai director of security technology and strategy, Patrick Sullivan.
"Educating subscribers on the importance of using unique username and password combinations is one of the most effective measures businesses can take to mitigate credential abuse," says Sullivan.
"The good news is that organisations are taking the threat seriously and investigating security defences. Akamai offers its research and best practices to help these organizations who are facing significant brand and financial harm," he adds.
The report lists the United States as the top country of origin for the attacks, followed by Russia, Canada, Vietnam, India, Brazil, Malaysia, Indonesia, Germany, and China.
The United States is also the top target, followed by India, Canada, Germany, Australia, Korea, China, Gibraltar, the Netherlands, Japan, Italy, France, and Hong Kong.
Previous Akamai research noted that media, gaming and entertainment companies saw 11.6 billion attacks between May and December 2018.
"Partnering with a solid solutions provider to help detect and stop credential stuffing attacks is the obvious option to defend against such things. But addressing the credential stuffing threat isn't a simple situation. An organisation needs to ensure a defensive solution is tailored to the business, as criminals will adjust their attacks accordingly to evade out-of-the-box configurations and basic mitigations," the report states.
"And yet there is more to fixing the problem than a single vendor or set of products. Users need to be educated about credential stuffing attacks, phishing, and other risks that put their account information in jeopardy. Brands should stress the use of unique passwords and password managers to customers and highlight the value of multi-factor authentication. When discussing ATOs and AIO scripts, criminals often complain about the use of multi-factor authentication, which is a particularly effective method of stopping most of their attacks.
"Constant reinforcement of these solutions, managed the same way any awareness program would, has worked for organisations in the financial and gaming industries.
Statistics are from Akamai's State of the Internet / Security: Credential Stuffing: Attacks and Economies – Special Media Report.