Most web traffic to online retail websites comes from automated programs attempting to breach user accounts: between 80 and 90 percent, according to Shape Security’s 2018 Credential Spill Report.
Axio's Codebook newsletter outlines the process:
- Lists of passwords from data breaches are sold on the underground market
- A group of criminals creates a botnet (a networked group of hacked computers)
- Yet another group configures the botnet to test those passwords against retail users' accounts (like your Amazon login)
This is known as 'credential stuffing,' a subset of the brute-force attack category. By testing already-breached username and password combinations in an automated way, a criminal can quickly gain access to accounts that:
- Unknowingly re-use a breached password, or never updated the old password after the breach
- Are protected by only a single factor (a password), which makes them trivial for an attacker to breach remotely using this technique
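The signature of credential stuffing in a site's own authentication logs is not many attempts on one account (that is what a legitimate user mistyping a password looks like) but one source cycling through many distinct usernames, and one account being tried from many unrelated sources. The following is an added example, not code from the article or from Shape Security's report: a small detector over constructed log lines in an assumed format (`timestamp ip username result`), with thresholds chosen for illustration.

```python
"""Credential-stuffing detection heuristics over authentication logs.

Added example, not from the article or Shape Security's report. The log
format, the sample lines and the thresholds below are all constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source IP> <username> <result>".
# Two sources each try six different usernames in seconds (stuffing);
# one source retries a single account and then succeeds (a normal user).
SAMPLE_LOG = """\
2018-07-01T10:00:01 203.0.113.10 alice FAIL
2018-07-01T10:00:02 203.0.113.10 bob FAIL
2018-07-01T10:00:03 203.0.113.10 carol SUCCESS
2018-07-01T10:00:04 203.0.113.10 dave FAIL
2018-07-01T10:00:05 203.0.113.10 erin FAIL
2018-07-01T10:00:06 203.0.113.10 frank FAIL
2018-07-01T10:00:07 198.51.100.7 alice FAIL
2018-07-01T10:00:08 198.51.100.7 grace FAIL
2018-07-01T10:00:09 198.51.100.7 heidi SUCCESS
2018-07-01T10:00:10 198.51.100.7 ivan FAIL
2018-07-01T10:00:11 198.51.100.7 judy FAIL
2018-07-01T10:00:12 198.51.100.7 mallory FAIL
2018-07-01T10:05:00 192.0.2.44 alice FAIL
2018-07-01T10:05:30 192.0.2.44 alice SUCCESS
"""


def parse_log(text):
    """Turn the assumed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ip": ip,
            "user": user,
            "ok": result == "SUCCESS",
        })
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Flag source IPs that try at least `min_distinct_users` different
    usernames inside any `window`-long interval. The success ratio is
    reported alongside so an analyst can see how many guesses landed."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        peak = 0
        # Sliding window anchored at each event in turn (fine for log sizes
        # handled in a batch job; use a deque for streaming data).
        for i, start in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] < window}
            peak = max(peak, len(users))
        if peak >= min_distinct_users:
            successes = sum(e["ok"] for e in evs)
            flagged[ip] = {
                "distinct_users": peak,
                "attempts": len(evs),
                "successes": successes,
                "success_ratio": successes / len(evs),
            }
    return flagged


def find_targeted_accounts(events, min_distinct_ips=3):
    """Accounts attempted from at least `min_distinct_ips` different sources:
    the same leaked credential being replayed through a distributed botnet."""
    ips_by_user = defaultdict(set)
    for e in events:
        ips_by_user[e["user"]].add(e["ip"])
    return {u: len(ips) for u, ips in ips_by_user.items() if len(ips) >= min_distinct_ips}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, stats in find_stuffing_sources(evs).items():
        print(f"stuffing source {ip}: {stats}")
    for user, n in find_targeted_accounts(evs).items():
        print(f"account {user} attempted from {n} distinct sources")
```

On the constructed log, the two cycling sources are flagged while the retrying user at 192.0.2.44 is not, and `alice` is reported as hit from three sources. In production the flagged sources feed rate limiting or a step-up challenge (for example a second factor), and the targeted accounts get a forced password reset; the thresholds need tuning per site, since a large corporate NAT can legitimately show many users behind one IP.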
It’s Raining Hacked Credentials
Where do these vast lists of credentials come from? According to Shape Security's report, most of them originate from VBulletin, a popular software used to create online forums.
A patch for SQL vulnerabilities was released in 2015, but many forum owners never applied it, leaving their users' credentials exposed for attackers to harvest. VBulletin itself was also hacked in 2015 and warned users that an attacker may have accessed customer IDs and encrypted passwords on its systems.
Another major source is misconfigured databases or servers that leave lists of credentials and more exposed to the Internet. Finally, malware and phishing campaigns that directly target users are another source of stolen credentials.
Retail has the highest proportion of traffic that is fraudulent, ranking ahead of other industries such as airline, consumer banking and hotel.
One reason password attacks against online retailers are lucrative, according to the report, is that retail websites often prioritize a smooth user experience over security measures that could introduce friction, like two-factor authentication or email confirmations. These extra steps raise the chance that customers abandon their cart, which means lost profits for online retailers.
Half of All Retail Credential-Stuffing Attempts Actually Work
The percentage of fraud success, that is, the proportion of fraudulent purchases not detected by internal fraud resources, was reported to be 50 percent.
This correlates with the average credential-stuffing success rate, that is, how many attacks resulted in a successful login (the credentials were found to be valid on the targeted site).
That means half of the attempts worked! Using just a password to protect your online retail accounts isn’t enough. See How to Add Two-Factor Authentication to Your Amazon Account With Duo Mobile to learn how to set up a second channel of authentication to protect against credential stuffing attacks.