Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


01:30 PM

Cybercriminals Targeted Streaming Services to Provide Pandemic Entertainment

Prior to 2020, about 1 in 5 credential attacks targeted video services, but that's nothing compared to the first quarter of 2020, according to newly published data.

Credential stuffing has become a major vector for attacks against online services, but the media industry—particularly video-streaming services and video platforms—has been hard hit, with more than 88 billion login attempts across all industries during the 24 months of 2018 and 2019, according to a new report.

During the early days of the coronavirus pandemic, that climbed even higher, according to Internet infrastructure firm Akama's newly released data. In the first quarter of 2020, the average volume jumped by an order of magnitude, with Akamai's charts showing approximately 100 million attempts per day throughout the first quarter of 2020. (The company could not provide a more detailed average at the time of this posting).

Attackers not only sought access to video services, but also access to industry services—such as first-release movies—and data on the subscribers, such as their location.  

The increase likely had to do with a combination of attackers having time ans an increase in demand for streaming content, says Steve Ragan, security researcher at Akamai.

"Credential stuffing is a low-hanging, high-reward type of attack," he says. "Easy to do, and if successful, a complete ATO [account takeover] is the result. The trends show that the problem is consistent and continuing to rise." 

While much of the increase in the first quarter of 2020 can be attributed to a single campaign against a popular broadcast TV service—the identity of which Akamai declined to discuss—the overall trend underscores that digital services continues to be a major focus of credential-stuffing attacks. Such attacks attempt to use usernames and passwords stolen from one provider against other providers, in hopes that the victim reused their credentials across services.

"The criminal economy is a chained instance, where everything is connected somehow, and no piece of information is without worth," Akamai stated in the report. "Criminals prepackage their compromised accounts and sell them based on interest, location, and volume — and people are willing to pay, which only fuels the criminals' actions and keeps them hyper-focused on evading detection and mitigation." 

Video services and platforms accounted for almost all credential-stuffing attacks targeting the media industry in the previous two years, but attacks on broadcast-TV access credentials skyrocketed in 2020, mainly due to a massive campaign of attacks against the single, undisclosed media company popular in Europe, Akamai stated in the report. Video platforms are major non-broadcast providers, while video services offer specific events. Akamai also broke out services based around broadcast TV.

Pandemic Spike

In 2019, the largest attack by volume comprised of 68 million log-in attempts on June 18, 2019. In the first quarter of 2020, the vast majority of days surpassed that total, with a new high of 364 million attempts on March 26, 2020.

The larger volume of attacks seemingly translated into a large number of valid log-in credentials and depressed the value of such data in underground markets. While prices started the year at between $1 to $5 for a single video media account, those prices fell by the end of the quarter, as the "market became flush with new accounts and lists of recycled credentials," the report stated.

"Some can make hundreds or more a week, others make next to nothing," Ragan says. "But the larger players in the space, and the ones with exclusive access, they make a living off of this."

Publishers and music-streaming services were not spared the attention of attackers. In Q1 2020, non-video media services were targeted with about 70 million attacks per month, focused mostly on newspapers, Akamai stated in the report.

"Particularly of interest were the number of criminals who shared free access to various newspaper accounts to boost their own personal brand and reputations," the company said. "Criminals often give away working username and password combinations to various services as a means of self-promotion and branding." 

Typically, when fraudsters gain access to a new block of stolen credentials, they will first try to attack financial accounts and video-streaming services, the company said. They will typically wait to try academic publishing, online news, and e-book services. 

The growth in attacks affected certain countries more than others. More than 1.1 billion malicious logins targeting media services came from the United States in 2019, 393 million from France, and 243 million from Russia, with the first two countries seeing triple-digit growth, while Russia saw 67% growth in attacks, according to Akamai.

France's high ranking is somewhat of an anomaly, Ragan acknowledges. "At the time this report was written, there were a lot of cheap servers in France, and criminals likely took advantage of them at some point," Ragan says. "Akamai can only see the last hop of a given attack, so it is possible that while France was the exit, they originated somewhere else." 

India topped the list of targeted countries with 2.4 billion attacks targeting the accounts of users in that country, followed by 1.4 billion for US users, and 124 million for UK users.

"As long as usernames and passwords exist, criminals are going to target them, placing consumers, organizations, and their valuable information at risk," Akamai says. "Password sharing and recycling are the largest contributing factors in these accounts, which is why awareness programs explaining the risks related to shared and recycled passwords are so important."

Users can stymy credential stuffing by not reusing passwords and by turning on multi-factor authentication for important services. 

Related Content




Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
7/20/2020 | 1:35:51 PM
Credential stuffing is effective but one reason being is because shady content repositories that can provide the same content are being shutdown as they break the law.

If that continues to occur the credential stuffing will continue to be common practice because it provides the malicious actor with basically an account spoof shield.
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. In versions prior to the admin api has exposed some internal hidden fields when an association has been loaded with a to many reference. Users are recommend to update to version You can get the update to regularly via the Auto-U...
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. In versions prior to private files publicly accessible with Cloud Storage providers when the hashed URL is known. Users are recommend to first change their configuration to set the correct visibility according to the documentation. The visibilit...
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. Versions prior to 5.6.10 are vulnerable to system information leakage in error handling. Users are recommend to update to version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download overview.
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. Versions prior to 5.6.10 suffer from an authenticated stored XSS in administration vulnerability. Users are recommend to update to the version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download overview.
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. Potential session hijacking of store customers in versions below We recommend to update to the current version You can get the update to regularly via the Auto-Updater or directly via the download overview. For older versions o...