New data out from Akamai finds a growing number of attacks on brands’ loyalty programs. Since 2018, in fact, their data shows more than 63 billion credential stuffing attacks in the hospitality, retail, and travel industries, and they are no longer only relying on the most recent password combination lists.
According to Akamai, since the pandemic began and people took more of their lives online, from how they shopped to work routines, cybercriminals have begun recirculating old password combination lists; this is in addition to newer lists from the dark web. These new efforts to defraud should serve as a reminder not only to consumers but to businesses to encourage people to update and upgrade passwords and other sensitive credentials.
“Criminals are not picky – anything that can be accessed can be used in some way,” said Steve Ragan, Security Researcher and Author of State of the Internet/Security Report, Akamai. “This is why credential stuffing has become so popular over the past few years. These days, retail and loyalty profiles contain a smorgasbord of personal information, and in some cases financial information, too. All of this data can be collected, sold, and traded or even compiled for extensive profiles that can later be used for crimes such as identity theft.”
Other interesting findings from the Akamai report include:
• From July 2018 to June 2020 Akamai saw more than 100 billion credential stuffing attacks
• 90% of attacks from the commerce category targeted retail
• 41% of attacks SQL Injection and Local File Inclusion
• 83% of attacks using SQL Injection/Local File Inclusion targeted retail
“All businesses need to adapt to external events, whether it’s a pandemic, a competitor, or an active and intelligent attacker,” said Ragan. “Some of the top loyalty programs targeted require nothing more than a mobile number and numeric password. . .there is an urgent need for better identity controls and countermeasures to prevent attacks against APIs and server resources.”
This article originally appeared in BizReport.