Of the 88bn credential stuffing attacks observed up to Dec 2019, 20% were aimed at paywalled video or published-content websites.

Video service providers, broadcast and publishing platforms—collectively called the media industry—suffered 17 billion credential stuffing attacks between Jan 2018 and Dec 2019. This was 20% of the total of 88 billion attacks observed during that period.

Credential stuffing is the use of stolen username-password combinations to attempt logins at other web portals, in the hope that the victims reuse the same credentials. The marked uptick in attacks aimed at broadcast TV and video sites appears to have coincided with an explosion of on-demand media content in 2019, especially the heavily promoted launches of two major video services, Disney Plus and Apple TV+.

Much of the value in targeting such media sites lies in the potential access to both compromised assets (i.e., premium content) and personal data, said Steve Ragan, security researcher at Akamai and author of the report that unveiled this trend. “We’ve observed a trend in which criminals are combining credentials from a media account with access to stolen rewards points from local restaurants and marketing the nefarious offering as ‘date night’ packages,” Ragan explained in the report. “Once the criminals get a hold of the geographic location information in the compromised accounts, they can match them up to be sold as dinner and a movie.”

Increases across the board

Media companies presented an attractive target for criminals last year, with a 63% year-over-year increase in attacks against the video media sector. The report also shows a 630% and a 208% year-over-year increase in attacks against broadcast TV and video sites, respectively. At the same time, attacks targeting video services were up 98%, while those against video platforms dropped by 5%.

Sites offering published content also experienced a 7,000% surge in attacks. Newspapers, books and magazines sit squarely within the sights of cybercriminals, indicating that media of all types appear to be fair game.

The United States was by far the top source of credential stuffing attacks against media companies with 1.1 billion in 2019, an increase of 162% over 2018. France and Russia were a distant second and third with 393 million and 243 million attacks, respectively.

India was the most targeted country in 2019, enduring 2.4 billion credential stuffing attacks. It was followed by the US at 1.4 billion and the UK at 124 million.

Ragan explained: “As long as we have usernames and passwords, we’re going to have criminals trying to compromise them and exploit valuable information. Password sharing and recycling are easily the two largest contributing factors in credential stuffing attacks. While educating consumers on good credential hygiene is critical to combating these attacks, it’s up to businesses to deploy stronger authentication methods and identify the right mix of technology, policies and expertise that can help protect customers without adversely impacting the user experience.”

What about Q1 2020?

Some of the top targets of credential stuffing attacks were reshuffled in Q1 2020, possibly linked to the varying effects of pandemic lockdowns.

In Q1 2020, there was a large spike in malicious login attempts against European video service providers and broadcasters. One attack in late March, after many isolation protocols had been instituted, directed nearly 350,000,000 attempts against a single service provider over a 24-hour period.

Separately, one broadcaster was hit with a barrage of attacks over the course of the quarter, with peaks that ranged in the billions. Another noteworthy trend during Q1 was the number of criminals sharing free access to newspaper accounts. Although these giveaways are often self-promotional vehicles, a credential stuffing campaign must still be run first to steal the working username and password combinations that are given away.

Akamai researchers also observed a decline in the cost of stolen account credentials over the course of the quarter. At the start of the quarter, credentials traded for approximately US$1 to $5 each, and $10 to $45 for package offers bundling multiple services. Those prices fell as new accounts and lists of recycled credentials populated the market.