Akamai CTO: Credential Stuffing Attacks Continue to Challenge Media Companies

Credential stuffing attacks targeting media companies continue to present a major challenge, according to Patrick Sullivan, CTO-security strategy at Akamai.

There is ongoing growth overall of “fraud in the form of account takeovers, targeting the video media segment, in particular,” he said May 12, speaking during the presentation “Data Doesn’t Lie – Media Industry Full of Credential Stuffing Attacks at the Cybersecurity & Content Protection Summit (CCPS), held digitally as part of the NAB Show Express experience.

There was good news in the first half of 2020 despite the COVID-19 pandemic, Sullivan said, pointing out over-the-top (OTT) consumption has surged as people have remained in their homes during the pandemic.

There has been a “massive surge in traffic,” he said, echoing comments made by Akamai CEO and co-founder Tom Leighton last month during the company’s online Edge Live Virtual Summit 2020. Peak traffic on Akamai’s Edge platform doubled in March from a year earlier, soaring to 167 Tbps from 82 Tbps, according to the company. That increase would have likely been even higher if there were live sports available during the period, Sullivan said.

There is a “multitude of credentials that have been breached from other sites and are available for attackers to get their hands on,” Sullivan told viewers, noting the “inventory there is measured in the billions.” And “attackers leverage the fact that a couple of percentage points of those will be valid on a given site as users reuse the same set of credentials,” he said.

That results in “massive bot armies that are constructed and used all day to essentially conduct very high volume checking of those credential stores against OTT sites, as well as other sites,” he noted. At that point, he explained: “There’s quite a bit of segmentation and specialization of duties, so that, once those credentials have been validated, often those are sold then to somebody who will conduct human fraud later on to sell those valid accounts to people who are willing to maybe set their morals aside for a bit and purchase a bucket of access to streaming sites for somewhat of a discount.”

Sullivan again cited 2018 data about credential stuffing attacks, noting video media had surpassed financial services as a target. In 2019, there was “more than a 50% jump targeting the media industry,” he said. Video media attacks grew 63% from 2018, according to Akamai.

“These are all profit-motivated attacks, and the reason that media is so attractive is just the ease of monetization,” Sullivan said, noting “you can go sell these validated credentials as part of a bundle, alongside valid credentials to other sites.”

Although U.S. companies are frequent targets, there are also a growing number of firms being targeted in other countries, he told viewers. “This is kind of a parasite that is competing with valid subscription models and continuing to generate huge volumes of traffic,” he said.

The “source of the attack tends to move around quite a bit,” he pointed out, noting “there is ample supply of compute” power as well as “ample inventory of proxy devices,” he said. That means an “attacker can choose whatever geography they would like to be” located at and can attempt to move closer to an end user, he noted, adding the U.S. is by far the top source of these attacks.

There were 1.1 billion attacks from a U.S. source in 2019, up 162% from 2018, according to Akamai. However, the largest growth was in France, where attacks soared 407% to 393.1 million in 2019. The only country among the top 10 that saw a decline was India, which declined 37% to 151 million.

However, there was a “big jump” in India when it comes to the top targeted countries, Sullivan said, pointing to data showing India was the most targeted country in 2019, with attacks increasing 114% to 2.4 billion, ahead of No. 2 U.S., where attacks grew  a more modest 22% to 1.4 billion. The biggest growth, however, was in the U.K., with attacks soaring a whopping 49,185% to 124.3 million. The only countries that declined were Australia (down 10% at 29.9 million attacks) and China (down 95% at 1.2 million).

There is, meanwhile, a significant amount of phishing for customer credentials taking place, with the media segment being the most popular target now, “more so than e-commerce and financial services combined,” Sullivan warned.

He went on to offer a prediction: “To a certain extent, we will have the challenge with credential stuffing as long as we have passwords.”

Akamai is, therefore, seeing organizations “trying to look beyond the password for authentication,” he said, adding: “Short of that, I think, in the near term, really it’s critical to manage the bots coming to [a] website.”

The Zero Trust Architecture by the National Institute of Standards and Technology (NIST) provides a “more secure way of granting access to employees, contractors [and] third parties to data as it’s going through that pre-production phase,” he concluded.

Presented by Richey May Technology Solutions, with sponsorship by Akamai, Cyberhaven, Microsoft Azure, SHIFT, Convergent Risks, and the Trusted Partner Network (TPN), the Cybersecurity & Content Protection Summit focused on the latest cybersecurity and content protection challenges studios, broadcasters and vendors alike are facing during the ongoing pandemic.

Produced under the direction of the Content Delivery & Security Association (CDSA) Board of Directors and content advisors representing Amazon Studios, Adobe, Paramount, BBC Studios, NBCUniversal, Lionsgate, WarnerMedia, Amblin Entertainment, Legendary Pictures, and Lego Group, this year’s Cybersecurity & Content Protection Summit looked ahead at the challenges facing the security community in 2020 and beyond.