91% of login attempts on retail sites carried out by credential stuffing hackers
3 August 2018
Over 90 percent of login attempts on websites owned by online retailers are made by cyber criminals looking to gain access to loyalty points, offers, and deals made available by retailers for genuine customers.
Cyber criminals are using credentials stolen in data breaches on a large scale to gain access to victims’ accounts with online retailers, airlines, banks, and hotels in order to profit at the victims’ expense, security firm Shape Security’s 2018 Credential Spill Report has revealed.
‘Credential stuffing’ in full swing
As per the report, “credential stuffing” attacks, or login attempts made by fraudsters using stolen credentials, accounted for 91 percent of all login attempts on online retailers’ websites, 60 percent of all login attempts on airline companies’ websites, 58 percent of attempts on banking sites, and 44 percent of login attempts on websites owned by hotels.
Based on an analysis of 1.6 billion accounts, Shape Security found that well-planned and targeted credential stuffing attacks also cost organisations dearly, as about 3 percent of such attacks typically succeed. E-commerce retailers lose an average of $6 billion a year, banks lose $1.7 billion a year, and hotel and airline companies lose $700 million every year to credential stuffing attacks.
Such attacks are a direct consequence of the massive data breaches that large organisations suffer on a regular basis. Data breaches compromise billions of email addresses and other personal details of consumers every year, and cyber criminals and fraudsters use those details to commit identity fraud, credential stuffing, and phishing attacks on a large scale.
“Credential stuffing has become an increasingly popular attack vector powering a robust and complex criminal ecosystem. Data breaches have become pervasive over the last few years, but what most people don’t realize is the domino effect of damage that a single breach is capable of producing,” says Shuman Ghosemajumder, CTO of Shape Security.
“To fight back, organisations have started banding together to build a collective defense to be alerted when credentials stolen from one breach are being used to log in to another, effectively blocking attackers attempting to access their platforms with compromised credentials,” he adds.
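The two defensive ideas above, spotting replayed credential lists in login traffic and checking submitted credentials against a shared corpus of spilled ones, as an added example that is not part of the report or the article. All IP addresses, usernames, passwords and hashes are constructed sample data; the thresholds are illustrative assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed "collective defense" corpus: SHA-256 of username:password pairs
# known to have spilled in earlier breaches (sample values, not real data).
SPILLED_HASHES = {
    hashlib.sha256(b"alice@example.com:Summer2016!").hexdigest(),
    hashlib.sha256(b"bob@example.com:password1").hexdigest(),
}

def is_spilled(username: str, password: str) -> bool:
    """Check a submitted credential pair against the spilled-credential corpus.
    Called at authentication time; only the hash is compared, nothing is stored."""
    digest = hashlib.sha256(f"{username}:{password}".encode()).hexdigest()
    return digest in SPILLED_HASHES

def flag_sources(events, min_attempts=5, min_distinct_users=4, min_fail_rate=0.8):
    """Group login events by source IP and flag sources whose traffic has the
    shape of a replayed credential list: many distinct usernames, mostly failing.
    events: iterable of (src_ip, username, success) tuples from login logs."""
    by_ip = defaultdict(list)
    for ip, user, ok in events:
        by_ip[ip].append((user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        distinct = len({u for u, _ in attempts})
        fail_rate = sum(not ok for _, ok in attempts) / len(attempts)
        if (len(attempts) >= min_attempts and distinct >= min_distinct_users
                and fail_rate >= min_fail_rate):
            flagged[ip] = {"attempts": len(attempts), "distinct_users": distinct,
                           "fail_rate": round(fail_rate, 2)}
    return flagged

# Constructed sample log: one source replaying a stolen list (203.0.113.7, with
# a single success, as the article's ~3 percent rate suggests) and one genuine
# user mistyping a password twice (198.51.100.5).
SAMPLE_EVENTS = [
    ("203.0.113.7", "alice@example.com", True),
    ("203.0.113.7", "bob@example.com", False),
    ("203.0.113.7", "carol@example.com", False),
    ("203.0.113.7", "dave@example.com", False),
    ("203.0.113.7", "erin@example.com", False),
    ("203.0.113.7", "frank@example.com", False),
    ("198.51.100.5", "grace@example.com", False),
    ("198.51.100.5", "grace@example.com", False),
    ("198.51.100.5", "grace@example.com", True),
]

if __name__ == "__main__":
    print(flag_sources(SAMPLE_EVENTS))          # only 203.0.113.7 is flagged
    print(is_spilled("alice@example.com", "Summer2016!"))  # True: successful login, spilled pair
```

The successful login for alice passes the volume check on its own, which is why the corpus lookup is the second signal: a correct password that is already in a breach dump should still trigger a step-up or reset.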
Because credential stuffing attacks are profitable, cyber criminals have a strong incentive to regularly target enterprise systems and employees to obtain as much customer data as possible, a reality that has pushed many countries to introduce tough data protection laws forcing firms to strengthen their data handling practices.
According to Shape Security, web forums suffered as many as 13 credential data breaches in 2017, followed by 11 suffered by online services, 7 suffered by social media companies, 4 suffered by gaming companies, and 4 by major retailers. Curiously, while adult and porn websites suffered 10 credential breaches in 2016, they suffered none last year.
15 months to detect data breaches
In all, over 2.3 billion usernames and passwords were stolen by cyber criminals from 51 organisations in 2017, costing the US consumer banking industry nearly $50 million per day. Considering that it takes an average of 15 months for organisations to discover credential breaches, criminals get enough time to monetise their account takeovers.
For instance, hackers gained unauthorised access to Rail Europe North America’s e-commerce website and for three straight months harvested sensitive customer data such as name, gender, delivery address, invoicing address, telephone number, email address, credit/debit card number, expiration date and CVV. The breach was finally plugged after one of the firm’s banks alerted it to a possible breach.
Similarly, hackers stole a treasure trove of customer data from September 29 to December 29 in 2016 after they hacked into InterContinental Hotels Group’s servers. Just like Rail Europe, IHG learned about the breach after it was alerted about it by one of its card providers.
Unless organisations adopt new security solutions that can help them detect breaches and unwanted intrusions in enterprise systems quickly, they will continue to lose large amounts of customer data which will, in turn, be used by criminals to carry out credential stuffing attacks, thereby inflicting further losses on enterprises.