Credential stuffing has become a major vector for attacks against online services, but the media industry—particularly video-streaming services and video platforms—has been hard hit, with more than 88 billion login attempts across all industries during the 24 months of 2018 and 2019, according to a new report.
During the early days of the coronavirus pandemic, that climbed even higher, according to Internet infrastructure firm Akama's newly released data. In the first quarter of 2020, the average volume jumped by an order of magnitude, with Akamai's charts showing approximately 100 million attempts per day throughout the first quarter of 2020. (The company could not provide a more detailed average at the time of this posting).
Attackers not only sought access to video services, but also access to industry services—such as first-release movies—and data on the subscribers, such as their location.
The increase likely had to do with a combination of attackers having time ans an increase in demand for streaming content, says Steve Ragan, security researcher at Akamai.
"Credential stuffing is a low-hanging, high-reward type of attack," he says. "Easy to do, and if successful, a complete ATO [account takeover] is the result. The trends show that the problem is consistent and continuing to rise."
While much of the increase in the first quarter of 2020 can be attributed to a single campaign against a popular broadcast TV service—the identity of which Akamai declined to discuss—the overall trend underscores that digital services continues to be a major focus of credential-stuffing attacks. Such attacks attempt to use usernames and passwords stolen from one provider against other providers, in hopes that the victim reused their credentials across services.
"The criminal economy is a chained instance, where everything is connected somehow, and no piece of information is without worth," Akamai stated in the report. "Criminals prepackage their compromised accounts and sell them based on interest, location, and volume — and people are willing to pay, which only fuels the criminals' actions and keeps them hyper-focused on evading detection and mitigation."
Video services and platforms accounted for almost all credential-stuffing attacks targeting the media industry in the previous two years, but attacks on broadcast-TV access credentials skyrocketed in 2020, mainly due to a massive campaign of attacks against the single, undisclosed media company popular in Europe, Akamai stated in the report. Video platforms are major non-broadcast providers, while video services offer specific events. Akamai also broke out services based around broadcast TV.
In 2019, the largest attack by volume comprised of 68 million log-in attempts on June 18, 2019. In the first quarter of 2020, the vast majority of days surpassed that total, with a new high of 364 million attempts on March 26, 2020.
The larger volume of attacks seemingly translated into a large number of valid log-in credentials and depressed the value of such data in underground markets. While prices started the year at between $1 to $5 for a single video media account, those prices fell by the end of the quarter, as the "market became flush with new accounts and lists of recycled credentials," the report stated.
"Some can make hundreds or more a week, others make next to nothing," Ragan says. "But the larger players in the space, and the ones with exclusive access, they make a living off of this."
Publishers and music-streaming services were not spared the attention of attackers. In Q1 2020, non-video media services were targeted with about 70 million attacks per month, focused mostly on newspapers, Akamai stated in the report.
"Particularly of interest were the number of criminals who shared free access to various newspaper accounts to boost their own personal brand and reputations," the company said. "Criminals often give away working username and password combinations to various services as a means of self-promotion and branding."
Typically, when fraudsters gain access to a new block of stolen credentials, they will first try to attack financial accounts and video-streaming services, the company said. They will typically wait to try academic publishing, online news, and e-book services.
The growth in attacks affected certain countries more than others. More than 1.1 billion malicious logins targeting media services came from the United States in 2019, 393 million from France, and 243 million from Russia, with the first two countries seeing triple-digit growth, while Russia saw 67% growth in attacks, according to Akamai.
France's high ranking is somewhat of an anomaly, Ragan acknowledges. "At the time this report was written, there were a lot of cheap servers in France, and criminals likely took advantage of them at some point," Ragan says. "Akamai can only see the last hop of a given attack, so it is possible that while France was the exit, they originated somewhere else."
India topped the list of targeted countries with 2.4 billion attacks targeting the accounts of users in that country, followed by 1.4 billion for US users, and 124 million for UK users.
"As long as usernames and passwords exist, criminals are going to target them, placing consumers, organizations, and their valuable information at risk," Akamai says. "Password sharing and recycling are the largest contributing factors in these accounts, which is why awareness programs explaining the risks related to shared and recycled passwords are so important."
Users can stymy credential stuffing by not reusing passwords and by turning on multi-factor authentication for important services.
- The Evolving Threat of Credential Stuffing
- Hosting Provider Hit With Largest-Ever DDoS Attack
- Web Attacks Focus on SQL Injection, Malware on Credentials
- Credential-Stuffing Attacks Behind 30 Billion Login Attempts in 2018
- How Enterprises Are Developing and Maintaining Secure Applications
Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.