Online shoppers in the UK will be hit by up to eight million credential stuffing attacks per day in the Christmas period, according to a new analysis by Arkose Labs.
The worrying prediction was made following a massive spike in this attack vector, largely due to the shift to online shopping during COVID-19. Arkose researchers observed more than two billion credential stuffing attacks from October 2020 to September 2021, representing a 98% increase on the previous year. Astonishingly, they found this activity made up 5% of all online traffic in the first half of 2021.
According to the analysts, credential stuffing rose by 56% during last year's Christmas and New Year shopping period. This enabled them to calculate that consumers will face up to eight million attacks every day in the same period this year.
Credential stuffing is an attack in which fraudsters attempt to gain unauthorized access to consumers’ financial and personal accounts by automating login attempts with known stolen username and password combinations across multiple sites. Once inside, the attackers can monetize the account in numerous ways. These include draining compromised accounts of funds, stealing and reselling personal data, selling lists of known verified username and password combinations and using the compromised accounts to launder money gained from other illegal enterprises. The success of this tactic has been exacerbated by common password reuse among online users.
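The pattern described above, one source trying many different accounts and mostly failing, is what a defender can look for in login logs. The following detector is an added example, not code from Arkose Labs or this article; the log format, thresholds and per-source-IP grouping are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def sample_log():
    """Constructed login events: 'timestamp source_ip username outcome'."""
    t0 = datetime(2021, 11, 26, 10, 0, 0)
    rows = []
    # One source tries 8 different accounts once each; one reused password works.
    for i in range(8):
        rows.append((t0 + timedelta(seconds=3 * i), "203.0.113.7",
                     f"user{i}@example.com", "OK" if i == 5 else "FAIL"))
    # One customer mistypes their own password twice, then gets in.
    for i, outcome in enumerate(["FAIL", "FAIL", "OK"]):
        rows.append((t0 + timedelta(seconds=10 * i), "198.51.100.20",
                     "carol@example.com", outcome))
    # Shared office address: six different users, all valid logins.
    for i in range(6):
        rows.append((t0 + timedelta(seconds=7 * i), "192.0.2.50",
                     f"staff{i}@example.com", "OK"))
    return [f"{ts.isoformat()} {ip} {user} {outcome}"
            for ts, ip, user, outcome in sorted(rows)]


def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5,
                    max_success_ratio=0.2):
    """Flag sources that try many distinct accounts in a short window and mostly fail.

    Expects lines in time order. Thresholds are assumed values for illustration.
    Returns {source_ip: (distinct_usernames, successful_logins)} as last observed.
    """
    recent = defaultdict(deque)  # per-source sliding window of (time, user, ok)
    flagged = {}
    for line in lines:
        ts_text, ip, user, outcome = line.split()
        ts = datetime.fromisoformat(ts_text)
        q = recent[ip]
        q.append((ts, user, outcome == "OK"))
        while ts - q[0][0] > window:  # drop attempts older than the window
            q.popleft()
        users = {u for _, u, _ in q}
        successes = sum(ok for _, _, ok in q)
        if len(users) >= min_users and successes / len(q) <= max_success_ratio:
            flagged[ip] = (len(users), successes)
    return flagged


if __name__ == "__main__":
    for ip, (users, hits) in detect_stuffing(sample_log()).items():
        print(f"{ip}: {users} accounts tried, {hits} successful logins to review")
```

Any successful login counted for a flagged source marks an account that should have its session revoked and its password reset.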
The study found that sectors most often targeted by credential stuffing attacks were gaming, digital and social media and financial services. In fact, nearly 50% of all attacks targeting the gaming industry were credential stuffing.
Interestingly, the UK was identified as one of the top three regions from which the most credential stuffing attacks were launched against the rest of the world, alongside Asia and North America.
Kevin Gosschalk, CEO at Arkose Labs, commented: “The global e-commerce landscape is more connected than ever before, and personal information has become the currency of fraudsters. Credential stuffing is prolific. It’s become an enormous concern to online businesses and is fast overtaking other well-known attack tactics, such as ransomware, as THE cyber-attack to watch out for.
“Fraudsters are compelled to this type of cybercrime as the low barrier to entry makes it easy to deploy, and online criminals can generate profits with just one successful compromised account. Their volumetric approach can come on abruptly, quickly overloading businesses’ servers and putting customers at risk.”