Global Credential Stuffing Hit 193 Billion Attempts in 2020
There were 193 billion credential stuffing attempts during 2020 as cyber-criminals looked to capitalize on surging numbers of online users, according to Akamai.
The security vendor’s latest 2021 State of the Internet / Security report revealed the sheer scale of attempts to crack open users’ accounts using previously breached credentials.
Focusing mainly on the financial sector, the report claimed that Akamai detected 3.4 billion credential stuffing attempts targeting the vertical — a 45% increase on the previous year.
Akamai also detected nearly 6.3 billion web application attacks in 2020, over 736 million of which were aimed at financial services organizations — an increase of 62% from 2019.
In the financial services industry, Local File Inclusion (LFI) attacks were the number one web application attack type in 2020, accounting for 52% of the total, followed by SQLi (33%) and cross-site scripting (9%).
However, globally across all sectors, SQLi took the top spot, accounting for 68% of all web application attacks in 2020, while LFI attacks came second with 22%.
“The ongoing, significant growth in credential stuffing attacks has a direct relationship to the state of phishing in the financial services industry,” said Steve Ragan, Akamai security researcher and report author.
“Criminals use a variety of methods to augment their credential collections, and phishing is one of the key tools in their arsenal. By targeting banking customers and employees in the sector, criminals increase their pool of potential victims exponentially.”
The report detailed the rise of smishing and phishing attacks against the financial services sector, specifically via two popular toolkits: Kr3pto and Ex-Robotos.
Akamai said threat intelligence company WMC Global detected smishing campaigns launched via Kr3pto which spoofed 11 brands in the UK, across more than 8000 domains since May 2020.
In total, the firm tracked over 4000 campaigns linked to Kr3pto targeting victims via SMS messaging over 31 days in Q1 2021.
“It’s important to remember that employees are consumers too, and with the prevalence of work from home, as well as mobile device usage in corporate environments, criminals are not shy about attacking people no matter where they are, which explains the recent growth in SMS-based phishing attacks,” argued WMC Global senior threat hunter, Jake Sloane.