Security News > 2020 > October > Coronavirus outbreak triggered a rush of online attacks against retail loyalty schemes, Akamai reckons

Hackers are breaking into online loyalty card accounts using stolen credentials or easily obtainable information, and then not only ransacking the profiles' balances but also harvesting victims' personal data for subsequent identity theft, Akamai has warned.

In its Loyalty for Sale - Retail and Hospitality Fraud report published today, Akamai reckoned that ne'er-do-wells began actively targeting retail, travel, and hospitality sectors with a wave of credential-stuffing attacks that accelerated as the COVID-19 pandemic forced most retail activity onto the web.

Over a two year period - July 2018 to June 2020 - Akamai researchers said they recorded a total of 63 billion credential-stuffing attacks targeting retail, hospitality and travel, with 90 per cent of those aimed squarely at online retailers.

"Some of the top loyalty programmes targeted require nothing more than a mobile number and a numeric password," he said, "While others rely on easily obtained information as a means of authentication. There is an urgent need for better identity controls and countermeasures to prevent attacks against APIs and server resources."

SQL injection attacks and local file inclusion attacks also stacked up, with SQLi making up "Just under 79 per cent" of the four billion web application-based attacks against retail, travel and hospitality Akamai recorded over the two-year sample period.

News URL

https://go.theregister.com/feed/www.theregister.com/2020/10/21/akamai_retail_security_report/