Coronavirus outbreak triggered a rush of online attacks against retail loyalty schemes, Akamai reckons

Hackers are breaking into online loyalty card accounts using stolen credentials or easily obtainable information, and then not only ransacking the profiles' balances but also harvesting victims' personal data for subsequent identity theft, Akamai has warned.

In its Loyalty for Sale – Retail and Hospitality Fraud report published today, Akamai reckoned that ne'er-do-wells began actively targeting retail, travel, and hospitality sectors with a wave of credential-stuffing attacks that accelerated as the COVID-19 pandemic forced most retail activity onto the web.

Credential stuffing is where a miscreant obtains usernames and passwords from one hacked website, and then plugs those details into another website and gains access to accounts sharing the same login details. It's why you should use a unique password for each site and service you use online: if one customer database is leaked, it shouldn't lead to the unlocking of all your other accounts.

“Criminals are not picky, anything that can be accessed can be used in some way,” said Steve Ragan, Akamai security researcher and author of the report. “This is why credential stuffing has become so popular over the past few years. These days, retail and loyalty profiles contain a smorgasbord of personal information, and in some cases financial information too. All of this data can be collected, sold, and traded or even compiled for extensive profiles that can later be used for crimes such as identity theft.”

This is why credential stuffing has become so popular over the past few years

Over a two year period – July 2018 to June 2020 – Akamai researchers said they recorded a total of 63 billion credential-stuffing attacks targeting retail, hospitality and travel, with 90 per cent of those aimed squarely at online retailers. They also claimed they observed more than 100 billion credential stuffing attacks in total during that period.

“All businesses need to adapt to external events, whether it’s a pandemic, a competitor, or an active and intelligent attacker,” Ragan warned, adding that in some cases, you don't even need to steal someone's password to log into an account – a brute-forced numeric passcode and some contact details is enough.

“Some of the top loyalty programmes targeted require nothing more than a mobile number and a numeric password," he said, "while others rely on easily obtained information as a means of authentication. There is an urgent need for better identity controls and countermeasures to prevent attacks against APIs and server resources.”

Those loyalty schemes usually contain everything an identity thief or spear-phisher needs to get started: names, addresses, past orders, phone numbers, and so on.

Worse, it isn’t just cred-stuffing that retailers need to defend against. SQL injection attacks and local file inclusion attacks also stacked up, with SQLi making up “just under 79 per cent” of the four billion web application-based attacks against retail, travel and hospitality Akamai recorded over the two-year sample period.

The full Loyalty for Sale – Retail and Hospitality Fraud report can be downloaded from Akamai's site here. ®