Credential stuffing attacks are a growing problem, particularly in the financial sector, where botnets can initiate so many fraudulent login attempts that the wave has the effect of a distributed denial-of-service (DDoS) attack.
The attack consists in trying to log into multiple online services using username and password combination compiled from data breaches. The success of the endeavor depends on the common practice of users having the same password for multiple accounts.
Cybercriminals automate these attacks and use botnets that distribute the login activity among compromised systems. The end goal is to log into a target site and assume the identity of the account owner, steal money or gather information.
Billions of malicious login attempts recorded
General statistics from one company that offers DDoS mitigation services are staggering: over 30 billion malicious login attempts recorded in less than one year, from November 2017 to June 2018.
In the last two months of the interval, bots generated about 8.3 billion attempts to sign in with stolen credentials.
The latest State of the Internet report from Akamai describes credential stuffing attacks targeting two companies in the financial sector, with one of them hit by three botnets at the same time.