Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/17/2020
01:30 PM
100%
0%

Cybercriminals Targeted Streaming Services to Provide Pandemic Entertainment

Prior to 2020, about 1 in 5 credential attacks targeted video services, but that's nothing compared to the first quarter of 2020, according to newly published data.

Credential stuffing has become a major vector for attacks against online services, but the media industry—particularly video-streaming services and video platforms—has been hard hit, with more than 88 billion login attempts across all industries during the 24 months of 2018 and 2019, according to a new report.

During the early days of the coronavirus pandemic, that climbed even higher, according to Internet infrastructure firm Akama's newly released data. In the first quarter of 2020, the average volume jumped by an order of magnitude, with Akamai's charts showing approximately 100 million attempts per day throughout the first quarter of 2020. (The company could not provide a more detailed average at the time of this posting).

Attackers not only sought access to video services, but also access to industry services—such as first-release movies—and data on the subscribers, such as their location.  

The increase likely had to do with a combination of attackers having time ans an increase in demand for streaming content, says Steve Ragan, security researcher at Akamai.

"Credential stuffing is a low-hanging, high-reward type of attack," he says. "Easy to do, and if successful, a complete ATO [account takeover] is the result. The trends show that the problem is consistent and continuing to rise." 

While much of the increase in the first quarter of 2020 can be attributed to a single campaign against a popular broadcast TV service—the identity of which Akamai declined to discuss—the overall trend underscores that digital services continues to be a major focus of credential-stuffing attacks. Such attacks attempt to use usernames and passwords stolen from one provider against other providers, in hopes that the victim reused their credentials across services.

"The criminal economy is a chained instance, where everything is connected somehow, and no piece of information is without worth," Akamai stated in the report. "Criminals prepackage their compromised accounts and sell them based on interest, location, and volume — and people are willing to pay, which only fuels the criminals' actions and keeps them hyper-focused on evading detection and mitigation." 

Video services and platforms accounted for almost all credential-stuffing attacks targeting the media industry in the previous two years, but attacks on broadcast-TV access credentials skyrocketed in 2020, mainly due to a massive campaign of attacks against the single, undisclosed media company popular in Europe, Akamai stated in the report. Video platforms are major non-broadcast providers, while video services offer specific events. Akamai also broke out services based around broadcast TV.

Pandemic Spike

In 2019, the largest attack by volume comprised of 68 million log-in attempts on June 18, 2019. In the first quarter of 2020, the vast majority of days surpassed that total, with a new high of 364 million attempts on March 26, 2020.

The larger volume of attacks seemingly translated into a large number of valid log-in credentials and depressed the value of such data in underground markets. While prices started the year at between $1 to $5 for a single video media account, those prices fell by the end of the quarter, as the "market became flush with new accounts and lists of recycled credentials," the report stated.

"Some can make hundreds or more a week, others make next to nothing," Ragan says. "But the larger players in the space, and the ones with exclusive access, they make a living off of this."

Publishers and music-streaming services were not spared the attention of attackers. In Q1 2020, non-video media services were targeted with about 70 million attacks per month, focused mostly on newspapers, Akamai stated in the report.

"Particularly of interest were the number of criminals who shared free access to various newspaper accounts to boost their own personal brand and reputations," the company said. "Criminals often give away working username and password combinations to various services as a means of self-promotion and branding." 

Typically, when fraudsters gain access to a new block of stolen credentials, they will first try to attack financial accounts and video-streaming services, the company said. They will typically wait to try academic publishing, online news, and e-book services. 

The growth in attacks affected certain countries more than others. More than 1.1 billion malicious logins targeting media services came from the United States in 2019, 393 million from France, and 243 million from Russia, with the first two countries seeing triple-digit growth, while Russia saw 67% growth in attacks, according to Akamai.

France's high ranking is somewhat of an anomaly, Ragan acknowledges. "At the time this report was written, there were a lot of cheap servers in France, and criminals likely took advantage of them at some point," Ragan says. "Akamai can only see the last hop of a given attack, so it is possible that while France was the exit, they originated somewhere else." 

India topped the list of targeted countries with 2.4 billion attacks targeting the accounts of users in that country, followed by 1.4 billion for US users, and 124 million for UK users.

"As long as usernames and passwords exist, criminals are going to target them, placing consumers, organizations, and their valuable information at risk," Akamai says. "Password sharing and recycling are the largest contributing factors in these accounts, which is why awareness programs explaining the risks related to shared and recycled passwords are so important."

Users can stymy credential stuffing by not reusing passwords and by turning on multi-factor authentication for important services. 

Related Content

 

 

 

Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/20/2020 | 1:35:51 PM
Undetected
Credential stuffing is effective but one reason being is because shady content repositories that can provide the same content are being shutdown as they break the law.

If that continues to occur the credential stuffing will continue to be common practice because it provides the malicious actor with basically an account spoof shield.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/31/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Out-of-Date and Unsupported Cloud Workloads Continue as a Common Weakness
Robert Lemos, Contributing Writer,  7/28/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14310
PUBLISHED: 2020-07-31
There is an issue on grub2 before version 2.06 at function read_section_as_string(). It expects a font name to be at max UINT32_MAX - 1 length in bytes but it doesn't verify it before proceed with buffer allocation to read the value from the font value. An attacker may leverage that by crafting a ma...
CVE-2020-14311
PUBLISHED: 2020-07-31
There is an issue with grub2 before version 2.06 while handling symlink on ext filesystems. A filesystem containing a symbolic link with an inode size of UINT32_MAX causes an arithmetic overflow leading to a zero-sized memory allocation with subsequent heap-based buffer overflow.
CVE-2020-5413
PUBLISHED: 2020-07-31
Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains mali...
CVE-2020-5414
PUBLISHED: 2020-07-31
VMware Tanzu Application Service for VMs (2.7.x versions prior to 2.7.19, 2.8.x versions prior to 2.8.13, and 2.9.x versions prior to 2.9.7) contains an App Autoscaler that logs the UAA admin password. This credential is redacted on VMware Tanzu Operations Manager; however, the unredacted logs are a...
CVE-2019-11286
PUBLISHED: 2020-07-31
VMware GemFire versions prior to 9.10.0, 9.9.1, 9.8.5, and 9.7.5, and VMware Tanzu GemFire for VMs versions prior to 1.11.0, 1.10.1, 1.9.2, and 1.8.2, contain a JMX service available to the network which does not properly restrict input. A remote authenticated malicious user may request against the ...