Credential stuffing hasn’t lost its appeal as a favored form of attack for criminals looking to commit account fraud, says a report from San Francisco-based fraud-prevention technology provider Arkose Labs detailing fraud trends during the first half of 2021.
Credential stuffing accounted for 285 million attacks during the first half of 2021 across Arkose’s network. In some cases, the volume of attacks spiked to upwards of 80 million in a single week, the report says. Overall, credential stuffing made up 29% of all attacks.
Credential stuffing is a type of cyberattack that bombards a Web application with stolen username and password combinations to fraudulently gain access to, and take over, an account via login requests. Once in control of an account, criminals can monetize their attack in several ways, including draining the account of funds, stealing and reselling personal data, selling lists of known verified username and password combinations, or using the compromised accounts to launder money. Part of what makes credential stuffing so popular with criminals is that the attacks can be launched on a large scale at a relatively low cost.
One troubling trend to emerge from these attacks during the first half of 2021 is that they account for 5% of all digital traffic. “That means 1 in every 20 account logins could be an attack mimicking a real user,” says the report.
On average, credential stuffing attacks cost each affected business $6 million per year, and nearly half of the businesses victimized by the attacks spend up to five hours remediating each incident of a compromised user account, according to the report.
Online-gaming sites were under siege from criminals during the first half of 2021, incurring 35% of the fraud attacks. Of those attacks, 75% targeted login and registration points.
“During the pandemic, the number of people playing video games, time spent in game, and in-game purchases increased exponentially,” the report says. “As a result, we’ve seen a larger share of attacks within games targeting in-game economies and valuable gamer assets than ever before.”
Asia remains the leading region of origin, accounting for about one-third of all attacks during the first half of the year. The United States, Vietnam, and Russia continue to rank among the top five countries of origin, while China and India surfaced as key countries to watch. Newer players also emerged out of Venezuela and Ukraine.
Asia also had the highest percentage of so-called human fraud-farm attacks, with 60% of all such attacks originating from Vietnam and China. “This illustrates this region’s importance to fraudsters in finding human labor to deploy to supplement automated attacks, or to carry out tasks that require more nuance than bots can currently manage, such as sending phishing messages on online dating scams,” the report says.