This article is more than 1 year old

Cybercrooks attempted credential-stuffing banks 3.5 BEEELLION times in the last 18 months alone

All going just as you'd expect, reckons Akamai

Content delivery network Akamai Technologies reckons that despite the time and effort spent convincing people not to fall for phishing and other frauds, the bigger threat might actually be credential-stuffing attacks.

In the latest edition of its State of the Internet Report (PDF), Akamai said it picked up around 3.5 billion cred-stuffing attempts over the past 18 months. Worryingly, half of those attacks targeted the financial services sector alone.

Credential stuffing is more or less a synonym for brute-forcing access into a passworded system, except using previously breached login credentials rather than a rainbow table or some other setup of commonly reused username/password combinations.

Virtually all (94 per cent) of the attacks on financial institutions used just four techniques: SQL injection; local file inclusion (where world+dog can upload, read and potentially execute files on a remote server); XSS; and OGNL Java injection, as infamously used in the Apache Struts vuln and which accounted for in excess of 8 million attempts counted by Akamai.

Akamai said its data shows that online criminals ran a cool 3.5 billion cred-stuffing attempts during an 18-month period. Separately, between December last year and this May, the company identified precisely 197,524 phishing domains – of which two-thirds directly targeted consumers.

Two miners (cosplay) carrying coal up "mine shaft" -

Hackers latch onto new Apache Struts megavuln to mine cryptocurrency


"We've seen a steady rise in credential-stuffing attacks over the past year, fed in part by a growth in phishing attacks against consumers," said Martin McKeay, editor of the State of the Internet Report's security edition. "Criminals supplement existing stolen credential data through phishing, and then one way they make money is by hijacking accounts or reselling the lists they create. We're seeing a whole economy developing to target financial services organisations and their consumers."

Not all of the nefarious activity Akamai saw was a sophisticated attempt to part banks from your money. 800 attacks were old-fashioned DDoS attempts against financial services companies.

"There is a deep level of irony in the fact that criminals are targeting the very industry they need to survive. While financial institutions are becoming better at detecting these attacks, adversaries continue to find success with old tricks, and that's a problem," concluded a philosophical McKeay. ®

More about

More about

More about


Send us news

Other stories you might like