Watch out for Christmas 2021 credential stuffing attacks!

A research from Arkose Labs has revealed that there were over two billion credential stuffing attacks (2,831,028,247) during the last 12 months, growing exponentially during the period from October 2020 to September 2021. The spike in this type of online fraud has seen an enormous 98 per cent increase from the previous year and is expected to peak during the Christmas shopping months.

During the first half of 2021, credential stuffing accounted for 5% of all traffic online. Credential stuffing is the latest cyber-attack approach used by online fraudsters, used to gain unauthorized access to consumers’ financial and personal accounts.

Cybercriminals take over real user accounts, which they then monetize in a number of ways. These include: draining compromised accounts of funds, stealing and reselling personal data, selling lists of known verified username and password combinations and using the compromised accounts to launder money gained from other illegal enterprises. The attacks often take advantage of people reusing the same username/password combination across multiple sites.

Credential stuffing has been identified as a growing trend over the last few years by the anti-fraud community. However, the spike in online activity due to the pandemic and growth in online shopping has seen it surge in recent months.

Christmas 2021 expected to be worst attacked yet

According to the research analysts, last year credential stuffing rose 56% during the Christmas and New Year shopping period, with predictions that this same period in 2021 will see up to eight million attacks on consumers every day.

In the first half of 2021, the Arkose Labs network detected and stopped 285 million credential stuffing attacks, with spikes upwards of 80 million in a single week. One heavily attacked social media organization saw 1.5 million credential stuffing attacks in just one week.

Kevin Gosschalk, CEO at Arkose Labs commented: “The global ecommerce landscape is more connected than ever before and personal information has become the currency of fraudsters. Credential stuffing is prolific. It’s become an enormous concern to online businesses and is fast overtaking other well known attack tactics, such as ransomware, as THE cyber attack to watch out for.”

He continued: “Fraudsters are compelled to this type of cyber crime as the low barrier to entry makes it easy to deploy and online criminals can generate profits with just one successful compromised account. Their volumetric approach can come on abruptly, quickly overloading businesses’ servers and putting customers at risk.”

Other key data

The latest insights from the research team also cited:

• Gaming, Digital and Social Media and Financial Services as the top attacked industries by sector.
• Nearly 50% of attacks targeting the gaming industry were credential stuffing attacks.
• The UK was also identified as one of the top three regions that launched the most credential stuffing attacks on the rest of the world.
• Alongside Asia and North America which also showed enormous levels of fraudulent activity occurring from their regions.
• Mobile-based attacks made up nearly one-quarter of all attacks during 1H 2021.