Credential Stuffing in the Media Industry aka. "date-night offers"
As we discussed in an earlier blog post credential stuffing is one of the most prominently-used attack vectors. This is confirmed by Akamai’s latest State of the Internet report, which focuses on the media vertical:
Between January 1, 2018, and December 31, 2019, Akamai recorded more than 88 billion credential stuffing attacks across all industries. When we look specifically at the media sector, which includes streaming media, television networks, cable networks, broadcasting, and even digital publishing and advertising, that number is about 17 billion, or about 20% of all attacks.
Credential stuffing is a technique when stolen or otherwise compromised account credentials—typically in a database or list format—are used to gain unauthorized access to resources using highly-scalable automation processes. Threat actors can gain access to such lists or databases in a number of ways, such as hacking into websites directly or purchasing access on the dark web. The reality is that billions of accounts get breached every year. Some of these breaches eventually become public but the number of compromised accounts accessible on the dark web is even larger. This is a critical issue, and due to password reusing, credential stuffing is a successful method utilized by malicious actors.
If we examine the data in this Akamai report, we can see that account takeover and credential stuffing attacks against the media sector (and in general) are increasing each year. The trend indicates that we can still expect a significant increase in the number of malicious login attempts, and there is no sign of this stopping soon.
|TARGET AREA||MEDIA||ALL VERTICALS|
|France||12 010 942 083||12 235 691 613|
|India||682 804 616||958 303 704|
|United States||345 764 310||10 765 342 972|
|Italy||27 551 548||80 840 601|
|United Kingdom||18 071 667||272 181 435|
|Germany||14 982 744||460 800 209|
|Australia||14 867 093||78 312 783|
|Finland||2 154 271||2 462 277|
|Switzerland||584 838||2 130 302|
|Canada||349 018||659 927 969|
Top Target Areas of Q1 2020 — Malicious Logins Against Media —Akamai blog
So why this vertical?
For one, Akamai states that they have better visibility into this market, hence some of the increase in the detected attacks. Additionally, accounts in the media field prove to be highly valuable in dark markets. The COVID-19 pandemic didn’t help this trend either, as many people have stayed home for months.
However, Akamai takes this a step further:
Criminals realize the resale value of accounts in the media industry and that the personal data those accounts contain is useful, too. That data can be collected and resold as a sort of “value-add” proposition to the compromised media assets. For example, a compromised pizza account with reward points (enabling free food delivery) is combined with a compromised streaming media account in the same location and sold to people in those areas, often at a markup. These “date-night” offers are pre-packaged and leverage a number of data points, all of which come from examining the compromised source
This level of sophistication on criminal forums is quite frightening. All markers indicate that we can’t expect the volume of similar attacks to drop in the future. Overall, we can only expect the finesse of the dark markets and criminal forums to continue to elevate.
Scirge provides a unique approach to unveil and gain control over unmanaged third-party web accounts. Scirge tracks the websites employees use corporate email addresses to register on and log in to. Having a central dashboard of discovered accounts helps to reduce the risk of credential-related threats such as password reuse or account takeover (ATO). Scirge gives a level of control over SaaS usage to overcome Shadow IT. It also helps to ensure that your company complies with GDPR, CCPA, and other audit requirements.