Akamai's Stats Reveal Retail's Vulnerability

A single AIO bot can target more than 120 retailers at once.

Over time, Akamai has been one of the most reliable Internet companies around. Its content delivery network makes things work better, trying to eliminate network latency and bits that get lost inside the Interweb mazes.

When the folk at Akamai do research, they start with the presumption of validity attached to it. When they say in their latest “State of the Internet/Security” report that, "Between May 1 and December 31, 2018, there were 10,000,585,772 credential stuffing attempts in the retail industry detected on Akamai's network" it's believed. This would make retail the sector that is the most targeted in their study.

Across all consumer industries, their networks detected 27,985,920,324 credential abuse attempts over the same eight months. That works out to more than 115 million attempts to compromise or log in to user accounts every day.

Every day. Just on Akamai's networks.

The goal for the cybercriminal is obvious. Money. They want monetizable personal data or they want to attack the online retail sector.

The technique they use to attack retailers most frequently is "credential stuffing." It's carried out by botnets most, especially those of the All-in-One (AIO) kinds.

AIO bots are multi-function tools that are optimized for quick retail purchases by leveraging credential stuffing as well as a number of different kinds of evasion techniques. A single AIO bot can target more than 120 retailers at once. Akamai says that it isn't uncommon to see an AIO sold and designed with a specific retail outlet in mind.

Personal data may be obtained by any means (attacks or bought on the dark web) and the username and passwords (which are assumed by the attackers to be reused over different accounts) are "stuffed" into the site to gain entry.

An account takeover (ATO) happens after the attacker gains entry. An ATO gives the attacker more personal information about the victim which itself may be resold to other attackers and perpetuating the cycle. The purchased goods (which the victim pays for) can be resold for gain.

The offer of discount codes or limited-edition items by retailers to known customers -- called perks -- may be of value to the attackers as well.

Akamai notes that, "a successful AIO campaign may go completely undetected by a retailer, which might see the online sales and record-setting transactions as proof its product is in demand. They'll have little to no indication that its inventory clearing was automated and used to fuel a secondary-market or scrape information from its customers. […] The use of AIOs deny the retailer the chance for engagement and value-add sales, inhibiting growth and brand enhancement. They create artificial scarcity, skew sales metrics and stock tracking, and hurt the retailer's customers and investors by placing information and the retailer's reputation at risk."

This is wider than just one specific market. Outside of the apparel vertical, Akamai tracked credential stuffing attempts against direct commerce (1.427 billion); department stores (1.426 billion); office supply stores (1.3 billion); and fashion, such as jewelry and watches (129,725,233).

The US came out in first place in credential stuffing source traffic, followed by Russia, Canada, Brazil, and India. Many of the AIO bots used are developed in the US, so it isn't shocking to see it listed as the top source.

The sad truth is that as long as passwords are recycled, credential stuffing and ATOs will continue to be a steady criminal enterprise.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.