This Is Really Not A Happy Piece Of News – The Alert Level Needs To Be Raised!

is appeared last week:

Cybercriminals having ‘field day’: Credential stuffing attacks set to soar

January 28, 2024 — 6.00am

Cybersecurity professionals are bracing for a surge in attacks where hackers use stolen passwords to make fraudulent purchases online, saying recent data breaches mean more businesses will join The Iconic, Dan Murphy’s and Event Cinemas in suffering financial losses.

Industry insiders told this masthead that cybercriminals are having a field day with Australian usernames and passwords, which are being bought and sold on the dark web after being stolen in data breaches.

The warnings come amid calls for passwords to be abolished altogether, as technology firms start to roll out other forms of authentication, such as via fingerprint ID, facial ID or a PIN entered via a smartphone.

As first reported by this masthead, a fast-growing number of customers of the country’s biggest fashion, fast food and entertainment companies have been victims of a brazen hacking scheme known as “credential stuffing”, in which scammers access their online accounts and make fraudulent transactions.

The Iconic, Dan Murphy’s and other websites weren’t directly breached. Instead, cyber criminals used previously stolen passwords to log in and make purchases, with some victims losing thousands of dollars as a result. The attacks assume that people use the same passwords for a number of different websites, which is often correct.

Peter Maloney, chief executive of Australian cybersecurity provider AUCloud, has issued a warning on what he sees as an alarming trend.

“We are issuing a stern warning on the escalating trend of credential stuffing attacks amidst a surge of hacks and cyberattacks only days into 2024,” Maloney said.

“The alarming trend is straightforward, but poses a significant risk to individuals and organisations across the country. Australians need to take notice.

“Many people use the same username and password combinations across multiple online platforms... It only takes one of these to be breached for your details to be exposed.”

Maloney said hackers were having a field day given the sheer amount of Australian login information available for purchase. There are some 24.6 billion username and password combinations circulating on dark web marketplaces, according to recent research from software provider Digital Shadows.

‘We would never use the same key to access every building we enter: home, office, garage, safe. The same thinking should apply to online passwords.’

Garrett O’Hara, Mimecast senior director

“The dark web and various hacking communities provide a marketplace for stolen login credentials obtained from data breaches; from here, cyber criminals can easily purchase or acquire these stolen credentials, and gain access to other accounts using these details,” Maloney said.

“The compromise of a single set of credentials can have a cascading effect, jeopardising the security of numerous accounts and platforms linked to the affected user.”

Nigel Phair, professor of cybersecurity at Monash University, said the rise in credential stuffing attacks was due to the sheer scale of breaches targeting high-profile companies, affecting millions of Australians.

Tens of millions of Australians have been caught up in recent breaches including customers of Optus, HWL Ebsworth, Latitude Financial, Medibank, DP World and Dymocks, in what’s being dubbed a “new normal” of consistent attacks.

“This is a direct consequence of those cyberattacks. This is what happens with the data that is taken,” Phair said.

“Once personal data, logins and passwords have been taken in a data breach, that information could be available for cybercriminals to access easily, instantly, and forever.”

Garrett O’Hara, senior director at Mimecast, said attackers were looking for where they can easily make the most money.

With the huge number of breaches that have happened in recent years – combined with many people who still use the same password for many accounts – attackers now have both a massive availability of username and password combos and huge computer power to automate credential stuffing many sites, he said.

“Compared to the effort involved in novel or sophisticated breaches, credential stuffing is technically very simple, making it available to more attackers,” O’Hara said.

“It’s preventable – we don’t need to see these stories hit the news.

“We need a population that is better aware of the dangers of reusing passwords. For obvious reasons we would never use the same key to access every building we enter: home, office, garage, safe. The same thinking should apply to our online passwords.”

O’Hara said consumers should use a password manager, turn on multifactor authentication and check websites such as haveibeenpwned.com to see if they have been caught up in previous data breaches.

One person who claimed to have direct knowledge of The Iconic cyber incident said the people responsible did not execute the data breaches themselves, but instead had their own suppliers carry out the breaches who then on-sold the accounts.

The person, speaking anonymously to protect their identity, said the hackers used scripts to automatically input the purchased logins into websites. The scripts then categorise whether the login was successful, and what data is linked to the account, including credit card information, for example.

More here:

https://www.smh.com.au/technology/cybercriminals-having-field-day-credential-stuffing-attacks-set-to-soar-20240118-p5eyer.html

There sure is a lesson here and that to me is that where-ever you access any important web site – i.e. ones with any financial or identity risk – you must use a unique name / password combo.

It is a pain in the butt and I have no idea why the whole issue was not solved, and a solution adopted decades ago – but here we are and, frustratingly, we all have to do our bit!

Multiple factor id. is a pain but really it is the only way to go. I just wish there was a better way around all this!

David.