Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


01:30 PM

Cybercriminals Targeted Streaming Services to Provide Pandemic Entertainment

Prior to 2020, about 1 in 5 credential attacks targeted video services, but that's nothing compared to the first quarter of 2020, according to newly published data.

Credential stuffing has become a major vector for attacks against online services, but the media industry—particularly video-streaming services and video platforms—has been hard hit, with more than 88 billion login attempts across all industries during the 24 months of 2018 and 2019, according to a new report.

During the early days of the coronavirus pandemic, that climbed even higher, according to Internet infrastructure firm Akama's newly released data. In the first quarter of 2020, the average volume jumped by an order of magnitude, with Akamai's charts showing approximately 100 million attempts per day throughout the first quarter of 2020. (The company could not provide a more detailed average at the time of this posting).

Attackers not only sought access to video services, but also access to industry services—such as first-release movies—and data on the subscribers, such as their location.  

The increase likely had to do with a combination of attackers having time ans an increase in demand for streaming content, says Steve Ragan, security researcher at Akamai.

"Credential stuffing is a low-hanging, high-reward type of attack," he says. "Easy to do, and if successful, a complete ATO [account takeover] is the result. The trends show that the problem is consistent and continuing to rise." 

While much of the increase in the first quarter of 2020 can be attributed to a single campaign against a popular broadcast TV service—the identity of which Akamai declined to discuss—the overall trend underscores that digital services continues to be a major focus of credential-stuffing attacks. Such attacks attempt to use usernames and passwords stolen from one provider against other providers, in hopes that the victim reused their credentials across services.

"The criminal economy is a chained instance, where everything is connected somehow, and no piece of information is without worth," Akamai stated in the report. "Criminals prepackage their compromised accounts and sell them based on interest, location, and volume — and people are willing to pay, which only fuels the criminals' actions and keeps them hyper-focused on evading detection and mitigation." 

Video services and platforms accounted for almost all credential-stuffing attacks targeting the media industry in the previous two years, but attacks on broadcast-TV access credentials skyrocketed in 2020, mainly due to a massive campaign of attacks against the single, undisclosed media company popular in Europe, Akamai stated in the report. Video platforms are major non-broadcast providers, while video services offer specific events. Akamai also broke out services based around broadcast TV.

Pandemic Spike

In 2019, the largest attack by volume comprised of 68 million log-in attempts on June 18, 2019. In the first quarter of 2020, the vast majority of days surpassed that total, with a new high of 364 million attempts on March 26, 2020.

The larger volume of attacks seemingly translated into a large number of valid log-in credentials and depressed the value of such data in underground markets. While prices started the year at between $1 to $5 for a single video media account, those prices fell by the end of the quarter, as the "market became flush with new accounts and lists of recycled credentials," the report stated.

"Some can make hundreds or more a week, others make next to nothing," Ragan says. "But the larger players in the space, and the ones with exclusive access, they make a living off of this."

Publishers and music-streaming services were not spared the attention of attackers. In Q1 2020, non-video media services were targeted with about 70 million attacks per month, focused mostly on newspapers, Akamai stated in the report.

"Particularly of interest were the number of criminals who shared free access to various newspaper accounts to boost their own personal brand and reputations," the company said. "Criminals often give away working username and password combinations to various services as a means of self-promotion and branding." 

Typically, when fraudsters gain access to a new block of stolen credentials, they will first try to attack financial accounts and video-streaming services, the company said. They will typically wait to try academic publishing, online news, and e-book services. 

The growth in attacks affected certain countries more than others. More than 1.1 billion malicious logins targeting media services came from the United States in 2019, 393 million from France, and 243 million from Russia, with the first two countries seeing triple-digit growth, while Russia saw 67% growth in attacks, according to Akamai.

France's high ranking is somewhat of an anomaly, Ragan acknowledges. "At the time this report was written, there were a lot of cheap servers in France, and criminals likely took advantage of them at some point," Ragan says. "Akamai can only see the last hop of a given attack, so it is possible that while France was the exit, they originated somewhere else." 

India topped the list of targeted countries with 2.4 billion attacks targeting the accounts of users in that country, followed by 1.4 billion for US users, and 124 million for UK users.

"As long as usernames and passwords exist, criminals are going to target them, placing consumers, organizations, and their valuable information at risk," Akamai says. "Password sharing and recycling are the largest contributing factors in these accounts, which is why awareness programs explaining the risks related to shared and recycled passwords are so important."

Users can stymy credential stuffing by not reusing passwords and by turning on multi-factor authentication for important services. 

Related Content




Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
7/20/2020 | 1:35:51 PM
Credential stuffing is effective but one reason being is because shady content repositories that can provide the same content are being shutdown as they break the law.

If that continues to occur the credential stuffing will continue to be common practice because it provides the malicious actor with basically an account spoof shield.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
Modern Day Insider Threat: Network Bugs That Are Stealing Your Data
David Pearson, Principal Threat Researcher,  10/21/2020
Are You One COVID-19 Test Away From a Cybersecurity Disaster?
Alan Brill, Senior Managing Director, Cyber Risk Practice, Kroll,  10/21/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-28
An Arbitrary File Upload in the Upload Image component in SourceCodester Car Rental Management System 1.0 allows the user to conduct remote code execution via admin/index.php?page=manage_car because .php files can be uploaded to admin/assets/uploads/ (under the web root).
PUBLISHED: 2020-10-28
The RandomGameUnit extension for MediaWiki through 1.35 was not properly escaping various title-related data. When certain varieties of games were created within MediaWiki, their names or titles could be manipulated to generate stored XSS within the RandomGameUnit extension.
PUBLISHED: 2020-10-27
The search functionality of the Greenmart theme 2.4.2 for WordPress is vulnerable to XSS.
PUBLISHED: 2020-10-27
This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in Apple Music 3.4.0 for Android. A malicious application may be able to leak a user's credentials.
PUBLISHED: 2020-10-27
An access issue was addressed with improved access restrictions. This issue is fixed in macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra. A malicious application may be able to overwrite arbitrary files.