Coronavirus outbreak triggered a rush of online attacks against retail loyalty schemes, Akamai reckons

Digital souks are sitting ducks for identity fraudsters


Hackers are breaking into online loyalty card accounts using stolen credentials or easily obtainable information, and then not only ransacking the profiles' balances but also harvesting victims' personal data for subsequent identity theft, Akamai has warned.

In its Loyalty for Sale – Retail and Hospitality Fraud report published today, Akamai reckoned that ne'er-do-wells began actively targeting retail, travel, and hospitality sectors with a wave of credential-stuffing attacks that accelerated as the COVID-19 pandemic forced most retail activity onto the web.

Credential stuffing is where a miscreant obtains usernames and passwords from one hacked website, and then plugs those details into another website and gains access to accounts sharing the same login details. It's why you should use a unique password for each site and service you use online: if one customer database is leaked, it shouldn't lead to the unlocking of all your other accounts.

“Criminals are not picky, anything that can be accessed can be used in some way,” said Steve Ragan, Akamai security researcher and author of the report. “This is why credential stuffing has become so popular over the past few years. These days, retail and loyalty profiles contain a smorgasbord of personal information, and in some cases financial information too. All of this data can be collected, sold, and traded or even compiled for extensive profiles that can later be used for crimes such as identity theft.”

This is why credential stuffing has become so popular over the past few years

Over a two year period – July 2018 to June 2020 – Akamai researchers said they recorded a total of 63 billion credential-stuffing attacks targeting retail, hospitality and travel, with 90 per cent of those aimed squarely at online retailers. They also claimed they observed more than 100 billion credential stuffing attacks in total during that period.

“All businesses need to adapt to external events, whether it’s a pandemic, a competitor, or an active and intelligent attacker,” Ragan warned, adding that in some cases, you don't even need to steal someone's password to log into an account – a brute-forced numeric passcode and some contact details is enough.

“Some of the top loyalty programmes targeted require nothing more than a mobile number and a numeric password," he said, "while others rely on easily obtained information as a means of authentication. There is an urgent need for better identity controls and countermeasures to prevent attacks against APIs and server resources.”

Those loyalty schemes usually contain everything an identity thief or spear-phisher needs to get started: names, addresses, past orders, phone numbers, and so on.

Worse, it isn’t just cred-stuffing that retailers need to defend against. SQL injection attacks and local file inclusion attacks also stacked up, with SQLi making up “just under 79 per cent” of the four billion web application-based attacks against retail, travel and hospitality Akamai recorded over the two-year sample period.

The full Loyalty for Sale – Retail and Hospitality Fraud report can be downloaded from Akamai's site here. ®


Keep Reading

There are DDoS attacks, then there's this 809 million packet-per-second tsunami Akamai says it just caught

Bank on the receiving end of massive 418Gbps traffic barrage

Stuffing nonsense: Persistent cyberpunks are pummelling banks' public APIs, warns Akamai

Security biz clocked 55 million malicious login attempts on a client

Watch your MANRS: Akamai, Amazon, Netflix, Microsoft, Google, and pals join internet routing security effort

Filtering, anti-spoofing, coordination, validation to prevent crooks, spies hijacking victims' connections

DIY with Akamai: What to do when no one sells the servers you need? You build your own

Akamai Edge World If it looks like a hyperscaler, swims like a hyperscaler...

Akamai CEO: Playing games from the cloud? Seems too expensive to be viable right now

Akamai Edge World 'It is something we are interested in … but the economic model hasn’t worked out yet'

Akamai on dragging 'em kicking and streaming to the edge: They might be public cloud giants, but we're, er, vids in

Akamai Edge World CEO Tom Leighton pitches CDNs for enterprise

Dear hackers: If you try to pwn a website for phishing, make sure it's not the personal domain of a senior Akamai security researcher

Exclusive Crooks fail to hijack infosec bloke's site to dress it up as a legit Euro bank login page

Crime doesn't pay? Crime doesn't do secure coding, either: Akamai bug-hunters find hijack hole in bank phishing kit

Exclusive Absolutely criminal behavior – unrestricted file upload, really?

Biting the hand that feeds IT © 1998–2020