Most web traffic to online retail websites comes from automated programs attempting to breach user accounts – between 80 and 90 percent, according to Shape Security’s 2018 Credential Spill Report.

Axio’s Codebook newsletter outlines the process:

  • Lists of passwords from data breaches are sold on the underground market
  • A group of criminals creates a botnet (a networked group of hacked computers)
  • Yet another group configures the botnet to test those passwords against retail users’ accounts (like your Amazon login)

This is known as ‘credential stuffing,’ a subset of the brute-force attack category. By testing already-breached username and password combinations in an automated way, a criminal can quickly gain access to accounts that:

  • Are still using a breached password, whether through unknowing reuse across sites or simply never having changed the old one
  • Are protected by a single factor (a password only), which makes them trivial for an attacker to breach remotely with this technique
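What the defender’s side of this looks like, as an added example that is not from the article or from Shape Security’s report: a stuffing run is distinguishable from an ordinary forgotten password not by the failure count alone but by the number of distinct accounts a single source walks through. The log format, addresses and usernames below are constructed for the example.

```python
"""Credential-stuffing detection over constructed login-log lines.

Added example; not code from the article. Assumed log format (constructed):
    <timestamp> ip=<addr> user=<name> result=<success|fail>
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: 203.0.113.7 walks a breached list (many users, mostly
# failures, one hit); 198.51.100.4 is one user fumbling their own password;
# 192.0.2.10 is a normal login.
SAMPLE_LOG = """\
2018-07-01T10:00:01 ip=203.0.113.7 user=alice result=fail
2018-07-01T10:00:02 ip=203.0.113.7 user=bob result=fail
2018-07-01T10:00:02 ip=203.0.113.7 user=carol result=success
2018-07-01T10:00:03 ip=203.0.113.7 user=dave result=fail
2018-07-01T10:00:03 ip=203.0.113.7 user=erin result=fail
2018-07-01T10:00:04 ip=203.0.113.7 user=frank result=fail
2018-07-01T10:00:04 ip=203.0.113.7 user=grace result=fail
2018-07-01T10:00:05 ip=203.0.113.7 user=heidi result=fail
2018-07-01T10:00:05 ip=203.0.113.7 user=ivan result=fail
2018-07-01T10:01:10 ip=198.51.100.4 user=bob result=fail
2018-07-01T10:01:25 ip=198.51.100.4 user=bob result=fail
2018-07-01T10:01:40 ip=198.51.100.4 user=bob result=fail
2018-07-01T10:01:55 ip=198.51.100.4 user=bob result=success
2018-07-01T10:02:00 ip=192.0.2.10 user=alice result=success
"""


@dataclass
class SourceStats:
    """Per-source counters: how many attempts, how many failed, which
    accounts were touched and which were actually logged into."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    successes: set = field(default_factory=set)


def parse_line(line):
    """Split one log line into its fields (format assumed above)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": ts, "ip": fields["ip"], "user": fields["user"],
            "result": fields["result"]}


def aggregate(lines):
    """Roll the log up per source IP."""
    stats = defaultdict(SourceStats)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        s = stats[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "fail":
            s.failures += 1
        else:
            s.successes.add(rec["user"])
    return stats


def flag_stuffing(stats, min_users=5, min_failure_rate=0.8):
    """Flag sources that touch many distinct accounts with a high failure
    rate. A user mistyping their own password hits one account (low user
    diversity); a bot replaying a breach list hits many, so distinct users
    per source is the discriminating signal. Successful logins from a
    flagged source are the accounts whose passwords are now known-bad."""
    flagged = {}
    for ip, s in stats.items():
        rate = s.failures / s.attempts
        if len(s.users) >= min_users and rate >= min_failure_rate:
            flagged[ip] = {
                "distinct_users": len(s.users),
                "failure_rate": round(rate, 2),
                "hijacked": sorted(s.successes),  # force a reset on these
            }
    return flagged


def analyze(log_text):
    """Convenience wrapper: raw log text in, flagged sources out."""
    return flag_stuffing(aggregate(log_text.splitlines()))


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info)
```

Keying on the source IP is the simplest version of this; a real stuffing run is spread across a botnet, so each node may only try a handful of accounts. In production the same counters are kept per ASN, per TLS/browser fingerprint, or per target account (many sources, one account, rapid failures), and the thresholds are tuned against the site’s own baseline rather than the constants used here.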

It’s Raining Hacked Credentials

Where do these vast lists of credentials come from? According to Shape Security’s report, most of them originate from VBulletin, a popular software used to create online forums.

A patch was released in 2015 for SQL vulnerabilities, but many forum owners didn’t update, leaving their users’ credentials open for attackers to extract. VBulletin itself was also hacked in 2015; the company warned customers that an attacker may have accessed customer IDs and encrypted passwords on its systems.

Another major source is misconfigured databases or servers that leave lists of credentials, and more, exposed to the Internet. Finally, malware and phishing campaigns that directly target users are another source of stolen credentials.

Retail has the highest proportion of traffic that is fraudulent, ranking ahead of other industries such as airline, consumer banking and hotel.

Bot Traffic by Industry

One reason why password attacks against online retailers are lucrative, according to the report, is that retail websites often prioritize ease of the user experience over security measures that could introduce friction, like two-factor authentication or email confirmations. These extra steps raise the chance that customers abandon their cart, which means lost revenue for online retailers.

Half of All Retail Credential-Stuffing Attempts Actually Work

The percentage of fraud success, that is, the proportion of fraudulent purchases that aren’t detected by internal fraud resources, was reported to be 50 percent.

This matches the average credential stuffing success rate – how many attacks resulted in a successful login (the credentials were found to be valid on the targeted site).

That means half of the attempts worked! Using just a password to protect your online retail accounts isn’t enough.

No one wants to find out the hard way that they have fallen for a phishing scam. There is no shortage of characters on the internet that are more than happy to separate you from your hard-earned money or even worse. They could potentially steal your house right from under you. No one ever thinks it will happen to them but, time and again it appears that empirical evidence points to the contrary. Over time, phishing attacks have evolved to the point where there are now full-fledged tool suites that are available for testers…and attackers alike.

Modlishka and SMS-Based 2FA

The latest iteration is the Modlishka phishing tool, which gives the attacker a reverse proxy that sits between the user and the target site. The victim’s traffic passes through the tool, so it can capture the password and any SMS-based 2FA code the victim types into the proxied page, and relay them to the real site. Assuming the attacker acts within the code’s validity window, they could gain access to the victim’s accounts. But for this to work, the attacker needs to be relaying at the right moment and must have valid TLS certificates configured for the phishing domain, so the victim’s browser shows no warning. There are moving parts that need to be in place for this to be a successful attack.
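The mechanics in miniature, as an added example that simulates the flow and is not Modlishka’s own code: the proxy relays an SMS code successfully because nothing in the code says which site the victim thought they were typing it into, while a U2F-style assertion fails because the browser signs the origin it actually loaded into the response and the real site checks that origin. The origins are assumed, and HMAC with a shared key stands in for the security key’s public-key signature so the example runs without a crypto library.

```python
"""Reverse-proxy phish simulation: SMS 2FA relays, origin-bound U2F does not.

Added example, not Modlishka's code. REAL_ORIGIN and PHISH_ORIGIN are assumed
names; HMAC over a shared key stands in for the ECDSA signature a real U2F
key produces over client data that includes the browser's origin.
"""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://bank.example"          # assumed legitimate site
PHISH_ORIGIN = "https://bank-login.example"   # assumed attacker proxy host


def _sign(key, challenge, origin):
    """Stand-in for a U2F assertion: the signed data binds the challenge to
    the origin the browser sent it from, which the user never sees or types."""
    return hmac.new(key, challenge + b"|" + origin.encode(), hashlib.sha256).hexdigest()


class TargetSite:
    """The legitimate site, served only at REAL_ORIGIN."""

    def __init__(self, password, u2f_key):
        self.password = password
        self.u2f_key = u2f_key          # registered at enrolment
        self.pending_otp = None
        self.pending_challenge = None
        self.sessions = set()

    def start_sms_login(self):
        self.pending_otp = f"{secrets.randbelow(10**6):06d}"
        return self.pending_otp         # goes to the victim's phone, not the browser

    def finish_sms_login(self, password, otp):
        ok = (password == self.password and self.pending_otp is not None
              and hmac.compare_digest(otp, self.pending_otp))
        self.pending_otp = None         # single use
        return self._issue_session() if ok else None

    def start_u2f_login(self):
        self.pending_challenge = secrets.token_bytes(32)
        return self.pending_challenge

    def finish_u2f_login(self, password, assertion):
        if self.pending_challenge is None:
            return None
        # The site verifies against its own origin, whatever the browser used.
        expected = _sign(self.u2f_key, self.pending_challenge, REAL_ORIGIN)
        ok = password == self.password and hmac.compare_digest(assertion, expected)
        self.pending_challenge = None
        return self._issue_session() if ok else None

    def _issue_session(self):
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token


class Victim:
    """Does the right thing at every prompt; only the page origin differs."""

    def __init__(self, password, u2f_key):
        self.password = password
        self.u2f_key = u2f_key

    def answer_sms_prompt(self, otp_from_phone):
        return self.password, otp_from_phone

    def answer_u2f_prompt(self, page_origin, challenge):
        # The browser, not the user, supplies the origin of the requesting page.
        return self.password, _sign(self.u2f_key, challenge, page_origin)


class ReverseProxyPhish:
    """Attacker's proxy at PHISH_ORIGIN, relaying each step to the real site."""

    def __init__(self, site):
        self.site = site
        self.stolen_sessions = []

    def phish_sms(self, victim):
        otp = self.site.start_sms_login()                     # real site texts the code
        password, typed = victim.answer_sms_prompt(otp)       # victim types it into the phish page
        session = self.site.finish_sms_login(password, typed) # relayed inside the validity window
        if session:
            self.stolen_sessions.append(session)
        return session is not None

    def phish_u2f(self, victim):
        challenge = self.site.start_u2f_login()
        password, assertion = victim.answer_u2f_prompt(PHISH_ORIGIN, challenge)
        session = self.site.finish_u2f_login(password, assertion)
        if session:
            self.stolen_sessions.append(session)
        return session is not None


def direct_u2f_login(site, victim):
    """Control case: the same key works when the browser is really on REAL_ORIGIN."""
    challenge = site.start_u2f_login()
    password, assertion = victim.answer_u2f_prompt(REAL_ORIGIN, challenge)
    return site.finish_u2f_login(password, assertion) is not None


def demo():
    key = secrets.token_bytes(32)
    site = TargetSite("correct horse battery staple", key)
    victim = Victim("correct horse battery staple", key)
    proxy = ReverseProxyPhish(site)
    return {
        "sms_phished": proxy.phish_sms(victim),       # True: code relayed, session stolen
        "u2f_phished": proxy.phish_u2f(victim),       # False: origin mismatch, assertion rejected
        "u2f_direct": direct_u2f_login(site, victim), # True: legitimate login unaffected
    }


if __name__ == "__main__":
    print(demo())
```

The point the simulation makes is that the victim behaves identically in both cases; the difference is entirely in what gets signed. An SMS or TOTP code carries no information about where it was entered, so relaying it is enough. The same binding is what defeats the proxy in real WebAuthn/U2F, where the browser places the origin in the client data the key signs and the relying party rejects any origin it did not issue the challenge for.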

This raises the question: how do we avoid getting phished in the first place?

The State of Phishing

First off, what is phishing? For the uninitiated, it is the practice of sending emails and text messages made to appear as if they originate from a legitimate and reputable company. The attacker’s aim is to convince the recipient to click on a link that leads to passwords being purloined, credit card numbers being stolen, or even malicious code being installed on the victim’s system or device.

To illustrate the prevalence of phishing, let’s look at some data from our free Duo Insight tool. Based on 7,500 phishing simulation campaigns Duo has conducted in the past two years on more than 400,000 recipients, 39 percent of recipients opened the phishing email and 20 percent of recipients clicked the link, making them susceptible to having malware or ransomware installed on their device. Ten percent of recipients entered credentials. All told, 60 percent of phishing campaigns were successful in capturing at least one person’s login credentials.

Tips to Avoid Being Phished

So, how does one avoid this sort of attack? Straight away the first thing to keep in mind is to maintain a healthy paranoia. This is not to say you should wrap your head in tinfoil and be overly concerned about the van on the street that has been delivering flowers from “Flowers By Irene” for the last several days. No, that would be a bridge too far. What is more salient to the discussion is to have a filter in your brain that says “Hold on a tick. Do I really want / need to click that link?” It’s OK to pause for a moment and run that logic through your mind.

A second thing to keep in mind is to make sure that your system software is up to date. This helps the average Internet denizen avoid a lot of the security issues that haunt people online. Case in point, I set my parents’ computer to auto update and the number of “help desk” calls has dropped precipitously. You should also make sure that your web browser is the latest version to help reduce the risk of an attack.

When you’re using a website that you conduct business with, check to see if it offers a two-factor authentication (2FA) option. Static passwords in their own right are a hobgoblin that plagues us. Attackers understand human nature well enough that when they compromise a website they will take the pilfered credentials and test them against other websites. The rationale here is that people reuse passwords on multiple sites.

A way to combat password reuse is to use a password manager, which generates and stores a different password for every site. There are multiple options out there such as 1Password, Lastpass, Dashlane and so forth. All of these go a long way toward changing user behavior. If we can help people to help themselves, this would improve the security posture of many people online today.

Apply common sense wherever it is possible to do so. What are the odds that you have a long lost uncle in Nigeria who has found you and is yearning to give you millions? You laugh but it happens. Don’t give out your personal information unless absolutely necessary. If you’re unsure about a website you’re using, don’t hesitate to call said company and ask if this is in fact their website and validate that they need the personal information.

Defense in Depth

Modlishka is the latest tool that has allegedly been used to bypass certain forms of 2FA, and represents the continuing evolution of phishing threats organizations and users face. It serves to highlight the importance of not only implementing the strongest forms of 2FA, such as mobile push-based 2FA and U2F security keys (a U2F key signs the origin the browser actually visited into its response, so an assertion obtained through a proxy on another domain fails verification at the real site), but also complementing them with enforced device requirements and security policies, which can ensure only corporate-owned and managed devices can access data and applications.