Credential stuffing remains a major problem for retail sites
Thanks to the huge volume of stolen credentials now available online, credential stuffing has become a major issue for the retail industry.
A new report from edge platform specialist Akamai shows that hackers directed credential abuse attempts at retail sites more than 10 billion times from May to December last year.
Hackers target login pages for banks and retailers on the premise that many customers use the same login credentials for multiple services and accounts. Interest in retail is driven by the value of merchandise, which hackers can acquire through compromised accounts and then resell.
The report reveals that hackers are employing all-in-one bots, multi-function tools that enable quick purchases by leveraging credential stuffing and a number of evasion techniques. A single AIO bot is able to target more than 120 retailers at once.
"The techniques change, but the motivation remains the same: greed," says Martin McKeay, senior security advocate at Akamai and lead author of the report. "Retailers remain on the front lines, because stolen merchandise sells quickly and at a premium. And for that reason, the data shows which merchandise is of the highest value: apparel sites are targeted the most."
The report also highlights two other pressing security concerns, the preponderance of API-call traffic on the web and the apparent misrepresentation of IPv6-based traffic.
API calls represent 83 percent of web traffic, according to an October 2018 Akamai traffic review detailed in the report. The majority of API traffic is for custom applications, which is the result of digital transformations and cloud-based application deployment. For security teams, growth in API volume is important when considering risk, because some security tools are not equipped to manage API traffic.
IPv6 traffic might be under reported, since many systems capable of IPv6 usage still prefer IPv4. This could indicate device misconfiguration or improper monitoring and network blind spots, which is a security concern. Since IPv6 is still believed to be a minority of web traffic, it is not a major selling point for a number of security tools.
You can read more in the full report available from the Akamai site.