Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/17/2020
01:30 PM
100%
0%

Cybercriminals Targeted Streaming Services to Provide Pandemic Entertainment

Prior to 2020, about 1 in 5 credential attacks targeted video services, but that's nothing compared to the first quarter of 2020, according to newly published data.

Credential stuffing has become a major vector for attacks against online services, but the media industry—particularly video-streaming services and video platforms—has been hard hit, with more than 88 billion login attempts across all industries during the 24 months of 2018 and 2019, according to a new report.

During the early days of the coronavirus pandemic, that climbed even higher, according to Internet infrastructure firm Akama's newly released data. In the first quarter of 2020, the average volume jumped by an order of magnitude, with Akamai's charts showing approximately 100 million attempts per day throughout the first quarter of 2020. (The company could not provide a more detailed average at the time of this posting).

Attackers not only sought access to video services, but also access to industry services—such as first-release movies—and data on the subscribers, such as their location.  

The increase likely had to do with a combination of attackers having time ans an increase in demand for streaming content, says Steve Ragan, security researcher at Akamai.

"Credential stuffing is a low-hanging, high-reward type of attack," he says. "Easy to do, and if successful, a complete ATO [account takeover] is the result. The trends show that the problem is consistent and continuing to rise." 

While much of the increase in the first quarter of 2020 can be attributed to a single campaign against a popular broadcast TV service—the identity of which Akamai declined to discuss—the overall trend underscores that digital services continues to be a major focus of credential-stuffing attacks. Such attacks attempt to use usernames and passwords stolen from one provider against other providers, in hopes that the victim reused their credentials across services.

"The criminal economy is a chained instance, where everything is connected somehow, and no piece of information is without worth," Akamai stated in the report. "Criminals prepackage their compromised accounts and sell them based on interest, location, and volume — and people are willing to pay, which only fuels the criminals' actions and keeps them hyper-focused on evading detection and mitigation." 

Video services and platforms accounted for almost all credential-stuffing attacks targeting the media industry in the previous two years, but attacks on broadcast-TV access credentials skyrocketed in 2020, mainly due to a massive campaign of attacks against the single, undisclosed media company popular in Europe, Akamai stated in the report. Video platforms are major non-broadcast providers, while video services offer specific events. Akamai also broke out services based around broadcast TV.

Pandemic Spike

In 2019, the largest attack by volume comprised of 68 million log-in attempts on June 18, 2019. In the first quarter of 2020, the vast majority of days surpassed that total, with a new high of 364 million attempts on March 26, 2020.

The larger volume of attacks seemingly translated into a large number of valid log-in credentials and depressed the value of such data in underground markets. While prices started the year at between $1 to $5 for a single video media account, those prices fell by the end of the quarter, as the "market became flush with new accounts and lists of recycled credentials," the report stated.

"Some can make hundreds or more a week, others make next to nothing," Ragan says. "But the larger players in the space, and the ones with exclusive access, they make a living off of this."

Publishers and music-streaming services were not spared the attention of attackers. In Q1 2020, non-video media services were targeted with about 70 million attacks per month, focused mostly on newspapers, Akamai stated in the report.

"Particularly of interest were the number of criminals who shared free access to various newspaper accounts to boost their own personal brand and reputations," the company said. "Criminals often give away working username and password combinations to various services as a means of self-promotion and branding." 

Typically, when fraudsters gain access to a new block of stolen credentials, they will first try to attack financial accounts and video-streaming services, the company said. They will typically wait to try academic publishing, online news, and e-book services. 

The growth in attacks affected certain countries more than others. More than 1.1 billion malicious logins targeting media services came from the United States in 2019, 393 million from France, and 243 million from Russia, with the first two countries seeing triple-digit growth, while Russia saw 67% growth in attacks, according to Akamai.

France's high ranking is somewhat of an anomaly, Ragan acknowledges. "At the time this report was written, there were a lot of cheap servers in France, and criminals likely took advantage of them at some point," Ragan says. "Akamai can only see the last hop of a given attack, so it is possible that while France was the exit, they originated somewhere else." 

India topped the list of targeted countries with 2.4 billion attacks targeting the accounts of users in that country, followed by 1.4 billion for US users, and 124 million for UK users.

"As long as usernames and passwords exist, criminals are going to target them, placing consumers, organizations, and their valuable information at risk," Akamai says. "Password sharing and recycling are the largest contributing factors in these accounts, which is why awareness programs explaining the risks related to shared and recycled passwords are so important."

Users can stymy credential stuffing by not reusing passwords and by turning on multi-factor authentication for important services. 

Related Content

 

 

 

Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/20/2020 | 1:35:51 PM
Undetected
Credential stuffing is effective but one reason being is because shady content repositories that can provide the same content are being shutdown as they break the law.

If that continues to occur the credential stuffing will continue to be common practice because it provides the malicious actor with basically an account spoof shield.
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3166
PUBLISHED: 2021-01-18
An issue was discovered on ASUS DSL-N14U-B1 1.1.2.3_805 devices. An attacker can upload arbitrary file content as a firmware update when the filename Settings_DSL-N14U-B1.trx is used. Once this file is loaded, shutdown measures on a wide range of services are triggered as if it were a real update, r...
CVE-2020-29446
PUBLISHED: 2021-01-18
Affected versions of Atlassian Fisheye & Crucible allow remote attackers to browse local files via an Insecure Direct Object References (IDOR) vulnerability in the WEB-INF directory. The affected versions are before version 4.8.5.
CVE-2020-15864
PUBLISHED: 2021-01-17
An issue was discovered in Quali CloudShell 9.3. An XSS vulnerability in the login page allows an attacker to craft a URL, with a constructor.constructor substring in the username field, that executes a payload when the user visits the /Account/Login page.
CVE-2021-3113
PUBLISHED: 2021-01-17
Netsia SEBA+ through 0.16.1 build 70-e669dcd7 allows remote attackers to discover session cookies via a direct /session/list/allActiveSession request. For example, the attacker can discover the admin's cookie if the admin account happens to be logged in when the allActiveSession request occurs, and ...
CVE-2020-25533
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...