New research from security solutions provider Akamai revealed that cybercriminals launched credential stuffing campaigns to target loyalty programs. Attackers took advantage of the pandemic and circulated password combination lists, targeting the retail, travel, and hospitality sectors with various cyberattacks.
In its report, “The State of the Internet / Security report: Loyalty for Sale – Retail and Hospitality Fraud,” Akamai presented several examples of criminal ads from darknet websites, illustrating how criminals cash in on the results of successful attacks and the corresponding data theft. Threat actors created fake loyalty programs and other crime-related ventures to obtain sensitive information from users.
Akamai found more than 100 billion credential stuffing attacks between July 2018 and June 2020. Over 4,375,711,860 web attacks were observed against retail, travel, and hospitality, accounting for 41% of the overall attack volume across all industries. Nearly 83% of web attacks targeted the retail sector alone.
“Criminals are not picky — anything that can be accessed can be used in some way. This is why credential stuffing has become so popular over the past few years. These days, retail and loyalty profiles contain a smorgasbord of personal information, and in some cases financial information too. All of this data can be collected, sold, and traded or even compiled for extensive profiles that can later be used for crimes such as identity theft,” said Steve Ragan, Akamai security researcher and author of the report.
“All businesses need to adapt to external events, whether it’s a pandemic, a competitor, or an active and intelligent attacker. Some of the top loyalty programs targeted require nothing more than a mobile number and a numeric password, while others rely on easily obtained information as a means of authentication. There is an urgent need for better identity controls and countermeasures to prevent attacks against APIs and server resources,” Ragan added.