Brokers and business owners are being warned about the rise of credential stuffing – an illicit online activity which could be the next big cyber threat to hit Australia.
First coined in 2011, credential stuffing is the term used when hackers take a username and password, then run it through different sites to see if they can access information anywhere else.
Lindsey Nelson, international cyber practice leader at CFC Underwriting, says the original compromised information may have come from a seemingly worthless source – but if the same data is used on other sites, it can expose users to serious loss.
“If I can get your details from one site and use them on another like your Uber account, PayPal or an airline, I can start using your accounts for financial gain,” says Nelson. “While the value of a username or password is limited, it’s how it can be monetised that makes it valuable.”
The tactic has exploded in recent years with global security and cloud service specialist Akamai recording nearly 30 billion credential stuffing attacks in 2018.
Each of these attacks represents a single attempt to log in to an account with a stolen or generated username and password – the vast majority were performed by botnets or all-in-one applications.
Worryingly, it seems Australia is among the most at-risk geographies. According to the same Akamai report, Australia is the fifth most-targeted nation for credential stuffing with over 100 million attacks occurring in 2018 alone.
This figure is despite the fact that Australia didn’t even enter the top 10 ranking of countries that are committing credential stuffing attacks.
While credential stuffing can hit any industry, media organisations, gaming companies, and the entertainment sector are among those most at risk of targeted attacks.
“The people behind these attacks realise the value of an account, whether it’s to a streaming site, a game, or someone’s social media account – and they’re willing to do whatever it takes to steal them,” reads the Akamai report.
However, the report also warns that industries of any type can take a hit – particularly when it comes to reputational damage – and pointed to the case of a well-known online tax service which issued breach notifications to some customers in February 2019.
“The notification letter clearly explained how the attack itself was credential stuffing, as all of the accounts at risk were using passwords exposed by data breaches elsewhere,” explains the report.
“The tax service reset passwords to prevent further access and warned customers. While the incident clearly wasn’t the tax service provider’s fault, customers felt otherwise, and the public reaction to the news was less than positive.”
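The mechanics described above (every event is a single login attempt, typically one leaked username and password pair per account, sprayed from bots) give defenders a usable signal, and the tax service's response (reset the accounts that were reached) follows from it. The following is an added example, not code from the article or from Akamai or CFC; it runs simple heuristics over constructed login events, and the IP addresses, usernames and thresholds are all made up for illustration.

```python
"""Credential-stuffing heuristics over constructed login events.

Credential stuffing looks different from classic brute force: one source
tries MANY different accounts, roughly one password each, and most
attempts fail. Brute force hammers ONE account with many passwords.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample events (source_ip, username, outcome); not real data.
SAMPLE_EVENTS = [
    ("203.0.113.7", "alice", "fail"),      # stuffing bot: many accounts
    ("203.0.113.7", "bob", "fail"),
    ("203.0.113.7", "carol", "fail"),
    ("203.0.113.7", "dave", "success"),    # reused password worked here
    ("203.0.113.7", "erin", "fail"),
    ("203.0.113.7", "frank", "fail"),
    ("198.51.100.9", "alice", "fail"),     # brute force: one account
    ("198.51.100.9", "alice", "fail"),
    ("198.51.100.9", "alice", "success"),
    ("192.0.2.44", "grace", "success"),    # ordinary user
]

@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)

def summarise(events):
    """Aggregate attempts, failures and distinct usernames per source IP."""
    stats = defaultdict(SourceStats)
    for ip, user, outcome in events:
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if outcome != "success":
            s.failures += 1
    return stats

def flag_stuffing_sources(events, min_attempts=5, min_users=4, min_fail_ratio=0.6):
    """IPs whose pattern matches stuffing: many distinct accounts, mostly failing.
    The thresholds are illustrative assumptions, not published guidance."""
    flagged = []
    for ip, s in summarise(events).items():
        if (s.attempts >= min_attempts and len(s.users) >= min_users
                and s.failures / s.attempts >= min_fail_ratio):
            flagged.append(ip)
    return sorted(flagged)

def accounts_to_reset(events):
    """Accounts a flagged source logged into successfully: their password
    is evidently reused and exposed elsewhere, so reset and notify them."""
    bad = set(flag_stuffing_sources(events))
    return sorted({u for ip, u, o in events if ip in bad and o == "success"})
```

The brute-force source is deliberately not flagged: it hits one account, so a per-account lockout is the right control there, whereas the stuffing source never trips one because it tries each account only once.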
Nelson agrees that the potential impacts are wide-ranging, with the propensity for cyber claims having more than doubled in the last couple of years.
“While there is undoubtedly greater awareness among businesses, we’re seeing more incidents and they are easier to commit than ever before,” she says. “I cannot stress the importance of unique passwords, password managers and multi-factor authentication for online businesses to protect themselves, their customers and ultimately their reputation.”