Study: Stolen credentials pose growing threat to retailers

Press enter to search
Close search
Open Menu

Study: Stolen credentials pose growing threat to retailers

By Dan Berthiaume - 02/27/2019
Retailers are seeing more “credential stuffing” attacks that leverage customer names and passwords exposed in data breaches.

According to “Retail Attacks and API Traffic,” a study from network security provider Akamai, there were more than 10 billion credential stuffing attempts against retailers between May and December 2018. The most frequently targeted vertical was apparel, with 3.7 billion attempts. Credential stuffing attacks use bots to automatically attempt to log into secure sites with large volumes of hacked user names and passwords.

According to Akamai, successful credential stuffing attacks rely on users recycling passwords across multiple accounts. Akamai data also indicates that while 60% of all web traffic is represented by bots, less than half of them are identified as bots, making tracking and blocking difficult.

Akamai analysis indicates that within the retail industry, and particularly within the apparel vertical, the bots often associated with attempting credential stuffing and purchasing are All-In-One bots, or AIOs. These bots are multifunctional tools that enable quick purchases by leveraging various evasion techniques and can target more than 120 retailers online.

Hackers using AIOs then make fraudulent purchases of merchandises they quickly resell online. AIOs also allow criminals to collect targeted discount and offer codes they can resell or trade. Criminals may specifically use AIOs to obtain purchase order information from office supply retailers. Akamai advises that AIO attacks are difficult to identify when they are happening, and retailers may even see rapid sellouts of inventory as a positive result.

The U.S. is the largest source of credential stuffing source traffic, followed by Russia, Canada, Brazil, and India. According to Akamai, many of the AIO bots used are developed in the U.S. When it comes to targets, the U.S. is also at the top of the list with 22.47 billion credential stuffing attacks tracked, followed by China (2.01 billion), India (1.16 billion), Germany (792 million), and Canada (400 million).