Content delivery network firm Akamai Technologies’ State of the Internet / Security Credential Stuffing Attacks report shows that it “detected approximately 3.2 billion malicious logins per month from January through April 2018, and over 8.3 billion malicious login attempts from bots in May and June 2018 — a monthly average increase of 30 percent. In total, from the beginning of November 2017 through the end of June 2018, Akamai researcher analysis shows more than 30 billion malicious login attempts during the eight-month period.”
In the middle of these threats is the continuously thriving e-commerce industry, which is expected to attract more customers as the holiday season gets closer.
The online retail platform is gaining momentum in Asia, with estimated revenue of over $800 million in 2018, according to Statista. Annual growth of 11.5 percent is expected from this year to 2022, while the average revenue per user currently amounts to almost $500.
Data for sale
These figures draw hackers, who constantly try to steal login credentials using botnets and, when successful, either sell them on the dark web or use them for their own malicious purposes such as committing fraud.
Along with e-commerce sites, criminals also continue to target banks and financial institutions because of the “lot of financial gains” they are able to get from them, said Fernando Serto, head of Security Technology and Strategy Asia-Pacific at Akamai.
Online retailers that continue to become targets may incur losses of hundreds of thousands of dollars a day from bank fraud.
Serto explained how criminals constantly “innovate” their methods of attack.
“We started to notice that the same organizations were being targeted by different attackers,” he said. “There was another bank that was being targeted by three different botnets with very different characteristics. One of them, which was probably the most vicious one, is pacing itself instead of sending a lot of requests, which was quite normal until recently.”
The reason for this, Serto said, is that pacing avoids triggering the security alerts already in place, which are programmed to pick up suspicious, continuous login attempts.
“If you look into the span of six days which is the data that we analyzed,” Serto said, “they were coming from thousands of different IP addresses but the frequency of these logins is so low that a lot of the alerting systems the banks have won’t have picked it up because it’s minuscule.”
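The evasion Serto describes, as an added illustration that is not from the article or from Akamai: a classic per-IP rate rule sees one failed login per source address and stays silent, while a rule that aggregates failures across all source addresses against the login endpoint, and checks how widely they are spread over IPs and usernames, flags the campaign. The log events, IP ranges and thresholds below are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def make_constructed_events(n_bots=40, start=datetime(2018, 6, 1, 10)):
    """Constructed data, not real logs: (time, src_ip, username, result).
    Each bot IP tries one stolen username once, three minutes apart."""
    events = [(start + timedelta(minutes=3 * i), f"198.51.100.{i + 1}", f"user{i:03d}", "FAIL")
              for i in range(n_bots)]
    # One legitimate user mistyping a password twice, then succeeding.
    events += [(start + timedelta(minutes=5), "192.0.2.7", "alice", "FAIL"),
               (start + timedelta(minutes=6), "192.0.2.7", "alice", "FAIL"),
               (start + timedelta(minutes=7), "192.0.2.7", "alice", "OK")]
    return sorted(events)


def per_ip_alerts(events, max_fails=5, window=timedelta(minutes=10)):
    """Classic rate rule: alert on an IP with >= max_fails failures inside `window`."""
    fails = defaultdict(list)
    for t, ip, _user, result in events:
        if result == "FAIL":
            fails[ip].append(t)
    alerted = set()
    for ip, times in fails.items():  # times are already sorted
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= max_fails:
                alerted.add(ip)
    return alerted


def campaign_alerts(events, min_fails=15, min_spread=0.8):
    """Aggregate rule: per hourly bucket, alert when failures against the login
    endpoint are numerous AND spread over many distinct IPs and usernames."""
    buckets = defaultdict(list)
    for t, ip, user, result in events:
        if result == "FAIL":
            buckets[t.replace(minute=0, second=0, microsecond=0)].append((ip, user))
    alerts = []
    for hour, attempts in sorted(buckets.items()):
        n = len(attempts)
        ip_spread = len({ip for ip, _ in attempts}) / n
        user_spread = len({u for _, u in attempts}) / n
        if n >= min_fails and ip_spread >= min_spread and user_spread >= min_spread:
            alerts.append((hour, n, round(ip_spread, 2), round(user_spread, 2)))
    return alerts
```

Run on the constructed events, `per_ip_alerts` returns nothing while `campaign_alerts` flags both hours; in production the spread ratios also separate a stuffing campaign from a brute-force run against a single account.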
These malicious login attempts result from credential stuffing, according to the Akamai report, “where hackers systematically use botnets to try stolen login information across the web. They target login pages for banks and retailers on the premise that many customers use the same login credentials for multiple services and accounts.”
Credential stuffing is basically an account takeover where criminals use the stolen data to commit fraud “on the victim’s behalf.”
Jonathan Tan, marketing manager of Akamai in Asean, explained that when someone gets hold of at least one of a consumer’s login credentials, bought on the dark web, the criminal will try to use it across all of the victim’s accounts. The chances that the same login credential is used on an e-commerce site and on a banking site are quite high. He said that human psychology dictates that consumers maintain “five or six sets of logins and passwords,” and criminals will try each one against every account until they are able to get in.
Serto said they also noticed that many of the attacks are “coming from mobile apps.”
Many of the online retailers have launched their own shopping apps to give customers the best possible and convenient shopping experience.
“People (sellers) suddenly transition from having a website or portal on the internet where people access on their laptops to having mobile apps because of the high mobile device penetration,” he said. “The problem with that is it is a lot more difficult to protect mobile apps than it is with websites.”
Serto explained how it is more difficult to protect mobile apps than protecting websites.
“Websites have been around for a lot longer than mobile apps,” he said. “The challenge to the users is not really which way they are going to be safer because the data on the back end is the same” but enterprises need to ensure consumer data must be protected.
“APIs (Application programming interface) have a big problem today with mobility,” he said. “We’re helping customers to automate a lot of their security capabilities to be able to mitigate effectively attacks not only by inspecting every API request but also through our API gateway, which we launched earlier this year. We are not only looking into potentially threatening API calls but we’re also allowing customers to do authorization or authentication of APIs and we do a lot of caching as well to speed up a lot of mobile apps.”
End users can help protect their accounts simply by enabling multi-factor authentication (MFA), a security measure that verifies an individual’s login attempts through additional methods such as SMS or email verification.
Serto strongly advises users to use MFA. However, he warned against using SMS for authentication.
“There are different types of multi-factor authentication,” he explained. “If you have the option to use SMS vs any other way, I would choose any other way because it is very easy to impersonate someone and clone a SIM card.”
He also said that a randomized token is preferable to SMS for login verification.
On the enterprises’ part, Serto said Akamai built “an infrastructure in front of any applications that are exposed on the internet,” which includes a web application firewall, bot management, and bot detection.
The Akamai report describes how a company was able to reduce account takeovers of its customers to just one to three per month simply by putting behavior-based bot detection in front of every consumer login endpoint.
“We allow retailers to even choose how they want to respond to bots,” he said.
He explained how, for example, an airline that has an ongoing fare promotion can show totally different pricing to a real human being and to a botnet. This protects businesses not only from someone breaking in and stealing information but also from a competitive perspective.
Using a bot detection program can help companies block the malicious login attempts that lead to account takeovers once hackers have stolen consumer data. Such detection is tuned to the different attack behaviors of the bad bots that threat actors use.
The number of online shoppers is expected to increase in the coming months, and the enormous number of transactions may seem overwhelming to online retailers. Companies and their security vendor partners are also expected to step up their security measures, not only to protect consumer data but also to prevent business losses in the event of a data breach.