Credential stuffing attacks against the media industry have grown substantially from an already large base during the COVID-19 pandemic, according to experts from Akamai speaking on a recent webinar.
This is borne out of a rise in people using online media during the lockdown, such as increased consumption of TV and streaming services for entertainment and news coverage regarding the pandemic. The growth in attempts to access media accounts is similar to spikes Akamai has observed in credential stuffing attacks during holiday periods over previous years, when such services are at their most popular. Martin McKeay, editorial director at Akamai, said: “This has become a more relevant discussion in 2020 than any year before it.”
In Q1 of 2020, Akamai figures showed that publishing was the sector most targeted by this type of attack due to a surge in popularity for news content about COVID-19.
Credential stuffing is essentially the use of a long list of usernames and passwords stolen from other sites to try and access accounts. This is often a successful tactic as many people use the same credentials across multiple online accounts.
Steve Ragan, security researcher at Akamai, outlined the scale at which this method was being used prior to the pandemic, with 88 billion credential stuffing attacks recorded between January 1 2018 and December 31 2019. Of these, 20% targeted the media industry, which in many ways is particularly vulnerable compared to other sectors.
“Unfortunately, password recycling and reuse in the media industry is very common,” Ragan explained. “A lot of users don’t see media accounts as something they need to protect and they often share these accounts with their friends and family.”
The ways in which cyber-criminals are doing this has also become more sophisticated, including merging of old and new lists of usernames and passwords against media services and the use of automation and bots to launch malicious login attempts at scale.
Ragan also noted that credential stuffing actors are increasingly acting as businesses, responding to market demands and even offering credentials for free to clients in order to build their reputation.
Defending against this type of attack is no easy task. Akamai highlighted that one way they’re helping protect their customers is to try and drive up the compute costs whenever a bot is running mass credentials against an account. “It’s trying to drag that cost up, disincentivizing that attack,” said Patrick Sullivan, senior director of global security strategy at Akamai.
Ultimately, however, the only effective way of preventing these types of attacks taking place is by encouraging better password habits amongst users of media services. Sullivan commented: “As long as we’re using simple usernames and password credentials for authentication we will have these types of attacks and adversaries will evolve and become more evasive in the way they go about validating credentials.”
Ragan added: “No matter what you may think about the risk proposition an account has when it comes to media and streaming services, the criminals don’t care. The criminals will target anything and everything that isn’t nailed down. There’s always value in something, particularly when they can take an account over.”