Akamai Technologies, Inc. (AKAM) Earnings Call Transcript & Summary
October 22, 2020
Earnings Call Speaker Segments
Martin McKeay
Well, okay. Actually, it's actually 2 after, so let's go ahead and get started. You are here to hear the Loyalty for Sale: Retail and Hospitality Fraud edition of the Akamai State of the Internet Security Report. Thank you all for joining. This will be recorded and the slides are available on the akamai.com site, so if you have any questions, please put them in the Q&A. If you would like to use some of these slides in your own presentations, please feel free. We would love to see people using these -- the slides from this report. I am Martin McKeay. I am the Editorial Director for Akamai's State Of The Internet security team. We are responsible for the SOTI. We're responsible for other types of publications that come out of Akamai. And Steve Ragan, who is the main writer and researcher for the report and works on my team, unluckily couldn't join us today because of a little thing called vacation. Instead, I'm joined by Patrick Sullivan, who many of you may have heard before. Patrick is our CTO in charge of Global Security Strategy. How are you doing, Patrick?
Patrick Sullivan
Good morning, Martin. I'm doing really well. Thanks for having me. Looking forward to the session today.
Martin McKeay
And then I'm also joined by Tony Lauro, who is Director of Security Technology & Strategy. And Tony, what is it you really do? Because I don't think you're strategic, are you?
Tony Lauro
I'm very strategic, thanks for asking. Yes, it's kind of hard sometimes to figure out what I do, but I'm trying to basically help our customers figure out how to use our technology and see if it fits, as well as look at where they're going in the future to make sure that we're building new technology to match those needs. So again, just like Patrick said, thanks for having me here and I'm looking forward to the talk.
Martin McKeay
You're going to be doing part of the talk, so it's not like you could just sit back and listen. And by the way, I fully understand. I've been in security for 20 years, but somehow I became somebody whose main job is actually going back and correcting spelling errors and putting commas and stuff in. I don't know where that came from. I wanted to start the conversation by just kind of letting people know what we're going to be talking about. We've been talking about credential abuse in different areas for quite some time. It's a really important thing we want. I mean, among other things, these 2-factor authentication. But in this case, we were kind of talking about 2 sides of the same query. We, as users, have a lot of loyalty programs that we subscribe to. I could probably list 15 off the top of my head where I have an account at different shops, at different grocery stores, at different airlines. I'm sure that Tony and Patrick, who travel as much, if not more than I used to, have the same types of things. And so we, as consumers, are bouncing around between different types of accounts and have a lot of information in those. But the main thrust of our actual research this time was looking at those accounts, because if you've had an account compromised on any site, there's a really good chance that at some point, that has been added to one of the lists that are out there. It's been tried against all of the different loyalty accounts. And so what we're seeing is large amounts of people who have not necessarily compromised a retailer or compromised a hotel but have some other list of passwords that have been compromised in the past, and they're trying them against your site. They're trying them against the other loyalty programs. And they compile these lists and resell them. So that's kind of what we meant when we were talking about loyalty for sale. Patrick, do you have something to say on that?
Patrick Sullivan
No, I think you nailed it, Martin. I mean, we've been kind of in hand-to-hand combat with bot operators conducting credential stuffing attacks for years. I won't reveal any of the stats until you get to them, but obviously, this sector sees an outsized share of those types of attacks. And I remember back in the early days of fighting credential stuffing when we first tried a WAF-based approach, and I just think I remember the first time I bumped into this was a retailer that had their own loyalty program and they were experiencing fraud there. So that's sort of where I began my journey in helping fight this type of fraud. So I think this segment is a really interesting one in the battle against credential stuffing.
Martin McKeay
And that actually brings up a good point. Tony, where did you come to this from? I mean, you've had a lot of experience on this type of attack as well.
Tony Lauro
Yes. I love that Loyalty for Sale. The title sounds like an episode of The Sopranos. But yes, I've definitely come to this from a security operations perspective. Working over the years in financial services and mobile payments companies, et cetera, fraud and credential stuffing and even kind of the more benign process of account creation, this is all kind of driving new ways for us to try to detect what's happening, right? Because the bot operators are trying to look as much like actual humans as possible. And that sophistication has grown by leaps and bounds over the past 4 or 5 years. So I'm coming this -- coming at this from not just a technology perspective, but as I talk to the CISOs and other security business leaders, they're talking about, like, what's the adverse effect to our business, right? If I'm a retailer and I'm selling product to bots, I mean, I'm still selling product, but there's a more nuanced business problem, which is I'm not selling product to actual users who want it. They're having to pay 2 or 3x extra on the secondary market to buy this product, say it's a rare product or something that's low inventory. And you're also missing out on the upsell and the relationship-building opportunity as a retailer that you might not normally get unless you're actually communicating with the end user and not just a bot. So there's a lot of different angles on this, but it's definitely something to keep an eye on, for sure.
Martin McKeay
Well, I wanted to finish off this part by talking about our guest essay from Jeff Borman. And the fact that for us, security is a primary job skill. It is a primary concern, but for many of the people who run loyalty programs, it's an extra cost. It's something they don't necessarily want to spend money and time on. And that doesn't just apply to travel. That applies to anybody who's doing a lot of these types of programs. So it's a little scary for us, as security professionals, to think about it and know that, hey, this may be the second- or third-tier priority for a lot of companies who deal with it, but it really is something that needs some more attention. So credential abuse is huge. And I mean, we're talking about, what, nearly 100 billion over 2 years for all of our customers, and 64 billion of those were directly related to commerce. So if you're selling something, you're commerce. And even worse, 90% of the credential abuse attacks we saw against commerce were directly against retail customers. So it's not a little problem. I mean, if you look at June 15, you're seeing just against a commerce customer, actually, a set of commerce customers, 230 million credential stuffing attacks in that 1 day. I mean, Patrick, how do people actually even count that many attacks in 1 day if they're a merchant?
Patrick Sullivan
Yes. Hopefully, they don't have to. I mean, I think this is an area where prevention is certainly preferred to a reactive approach. But the volume is built over time. Every year, these grow. I think the important part is we're getting better telemetry. These may have been hidden years ago, where these were taking place and there weren't systems in place to be able to quantify the volume. So I think that's -- maybe the optimistic look at this is we've got a much better tooling system to be able to see and track the volume for an attack that maybe 5, 6 years ago was not quantifiable for most organizations.
Martin McKeay
And part of the issue, I think, we need to do is, I actually forgot to define what we even mean by credential abuse or credential stuffing. Or Tony, does it have a few other names that you can think of? And what does that mean to you?
Tony Lauro
Yes. I mean, credential abuse is kind of a broad term. Credential stuffing or password stuffing, these are all different processes attackers use to validate if one of the credentials that they've downloaded from another previously exposed username and password list works on the site that they're testing it against. And all of this, the end goal, especially in hospitality and even in retail, the end goal is ATO, account takeover, right? So whereas credential abuse and credential validation, if you will, is what they should be calling it. Credential validation, that process might, for a certain group of attackers, be their main goal. Like they don't want to get into -- logging in as someone else and trying to steal loyalty points. They might just want to validate credentials. And then now that I have a valid account on a travel site, or a retail site, or a hotel site, now I can sell that for 5x as much as I bought the whole list for, right? So that's part of the process. But as you kind of look at credential abuse in loose terms, it's essentially the process of validating accounts. And then the next step after the validation is to log in as the user and then to commit fraud, some kind of fraud. So it's kind of the first early stage. And that's why Patrick was saying detection is so huge here. Imagine, with billions and billions of credential abuse attempts, if you're getting a Netcool alert or a SIEM alert every time there was a credential abuse attack, right? This can't be managed by your typical infosec processes. You've got to put automation in front of this because, frankly, the attackers are using automation as well.
Martin McKeay
So where do all these attacks -- go ahead.
Patrick Sullivan
Yes. Just to build on something Tony said, I certainly remember, again, in the evolution here, years ago, we would often get a request for help from a customer basically saying, "I'm under a DDoS attack." And that's how this would manifest itself, where maybe an adversary was not savvy enough to throttle their attacks, and they would bring down the whole authentication service based on the intensity with which they were testing credentials. So I think that kind of just speaks to the lack of visibility that the industry had at that time. I think these days, people are more educated about the threat and they know kind of what to look for. And if we do get that call for help, it's much more frequently the correct diagnosis of the problem, where people are calling in and saying, "Hey, we're having a credential validation or a credential stuffing attack," versus not understanding why the authentication service may have fallen down as kind of the first indication of a problem.
Martin McKeay
So where is it all coming from? Quite frankly, most of it is coming from the U.S. And what we're looking at here, by the way, I do want to be clear, we're looking at commerce attacks. So the U.S. is the greatest source and it's often the greatest target of commerce attacks. You can see on -- in the main column, how many of these we're seeing just against commerce on -- over 2 years. But you also can see on the right what we're seeing as far as what we say here is global rank, but what we really mean is overall ranking. So U.S., it's not just commerce, it's everywhere. China, it's not just commerce, it's everywhere. And 1 last thing to be really clear about here: when Akamai is talking about the source of an attack, we're talking about the last hop before it hits Akamai's servers. We're talking about not necessarily who is in control of it but who -- where the traffic itself is coming from. Attribution, all of the things related to that, are a conversation that, yes, we probably don't have time for today or even this year, quite frankly, because of how complex it can get. I mean, Tony, can you give a couple of hints of how complex attribution is in a case like this?
Tony Lauro
Yes. It's definitely tricky. As you mentioned, this is not necessarily recording where the threat actor is located but rather where the host that they've compromised, that they're using for their attack, is located. So we've seen some interesting trends kind of rising over the past 18 months. One of them is the number of attacks that are originating from a -- like a single-use IP address, like this is the first time we've seen it before. That makes it incredibly difficult to try to perform attribution because really, you're just seeing it for the first time. So you've never built any kind of data set around what that activity has been from that particular host. But also, if I'm attacking a U.S.-based retailer, I certainly don't want to come from some random data center in Croatia. I want to be coming from where the customers are coming from, right, in the United States. So the attackers are building this infrastructure to basically -- of proxy networks and different systems to use to look like real users. And another trend that's been kind of interesting to track is they're going so far as compromising home-based IoT systems, right? Because these are all just running embedded Linux. And if I'm an attacker and I'm coming from the home IP space of Tony Lauro in Dallas, Texas, for instance, on AT&T Internet service, for instance, as a defender, it's much more difficult for me to positively say, "Hey, this is not Tony coming in trying to make a purchase," because it looks so much like a real user. So again, the attackers are really trying to look as much like a human, real user from the same geographies within the same system sets and AS numbers that you would typically see real user traffic coming from. So attribution is definitely very difficult. And the other point there, the last point is, okay, so you attribute this problem to a threat actor, and maybe you issue some kind of takedown or whatever the case is.
The problem is that there will always be more. There's always going to be new threat actors and there's always going to be a new threat. So you have to think of things, at least we do certainly, think of things from a big-picture perspective. We're trying to stop the onslaughts. And if there's any other attribution that can be made from there, that's -- we're happy to help with that as well. But our goal is to stop the big problems that are facing our customers first.
Martin McKeay
So I had moved on the slide, and I just wanted to point out something that Tony has already kind of hit upon, which is the U.S. is the biggest target. We're also the biggest importer, if you will, of attack traffic. But I also find it interesting that China is a big importer of attack traffic. They have more coming into China than they did going out of it. But again, as Tony said, this is where the companies are headquartered. So even though the servers might be all over the world, the company headquarters are in these different countries. Boy, does network analysis get really hard in the modern age. So moving on a little bit, let's actually get into specifics. We have here an actual -- well, not live now, but this was one of the sales of credentials that was found as we were researching this. Quite frankly, the criminals aren't picky. They'll sell anything. They'll test it against systems. The 2 things to really be aware of with this 1 is, first of all, look at exactly how cheap it is to buy these accounts. You can get an account that's guaranteed good for $6. And this is not a super expensive account. There are some where you can get thousands of these accounts. In this case, it's 1 that's guaranteed. The other thing to notice is this merchant had been active for over a year at the time that we took the screenshot. This dark market has been shut down since then. So obviously, they're not still active. Patrick, do you have any thoughts on who's selling these things and what they're doing?
Patrick Sullivan
Well, to say that they're not still active, maybe you qualified that within this forum, right? I think this is a protection for some of these folks, so they'll likely move to -- that's part of the business, right, where there's destruction of infrastructure and then they just move to the next piece. But I think you nailed it. I mean, this 1 is, we don't want to overthink this. I mean, these are profit-motivated attacks. As Tony touched on, there's an ecosystem that often relies on different specializations, so the people that were responsible for what we saw on the first screen, the massive billions of requests that validate those credentials, they're then selling that on to the next member of that ecosystem, right, in the life cycle of that attack.
Martin McKeay
So again, another example of how these are being sold. In this case though, instead of selling access to an account where people could, like, order groceries and then go pick them up, they're offering up discounts on gas prices. The thing to be aware of here is that the buyer is taking on a certain amount of risk when they're doing this because they actually have to physically be there to take on -- to take whatever, gas or groceries, and yes, that's a little bit of risk, I would say. And you notice that's the same seller, by the way. Here's where it gets interesting, when we're talking about loyalty cards, where we're actually seeing it used for the points. I mean, 10,000 Hilton Honors points. Tony, do you travel much anymore? And do you have any idea of how many nights you might be able to get for that, because it's only going to cost you $3 for the account?
Tony Lauro
Yes. I mean, you typically can get a nice stay from 15,000 to maybe 30,000 for a really nice room, 35,000. But yes, I mean, this is definitely something where there's a direct benefit and a direct risk to the person who's using this, right? So what we see is that many times, the threat actors are basically trying to just be in part of this. Like nobody wants to own this whole process of credential validation and then ATO and then obviously committing fraud. But there are some people who are like, "Listen, you're never going to catch me. I'm in a country where it doesn't matter, and there's certainly hotels here that I can use. So I'm just going to transfer these off." You can also -- a lot of the loyalty points, you can transfer off for physical goods, right, the gift card, products, et cetera. So there's a lot of different ways that attackers can basically kind of money-mule the loyalty points out of the system into something that's beneficial for them.
Martin McKeay
Yes. And what we don't show here is that there are accounts, or there are potential to buy, that have 600,000 to 1 million points or more, and that's about $850. So yes, these are -- this is lucrative for the seller. Moving on. This is where some of our discussion got really interesting, because this goes beyond just selling the account. We have folks like this seller, Tetra Custom Hotel bookings, where they're giving a 35 -- 25% to 35% discount on booking travel, booking hotels. They do it by either having transferred loyalty points, by abusing discount programs, having insider access, or third-party services being abused. And this is apparently in some of the underground economies. This is really a big business. I mean, Patrick, do you [ hear ] certain things about this when you're out and about, and how much of this is going on?
Patrick Sullivan
Yes. It's a large problem, right? And I think Tony touched on it. I mean, there's easy ways to monetize this directly or leverage the affordability that exists in these mature loyalty platforms. And then maybe 1 other thing to think about, right, I mean, we see a variety -- anything with a log-in is subject to the type of abuse we're describing here. But I guess maybe a difference, if you were to go after credit cards versus going after loyalty: when you start dealing in moving credit cards, then you have the large fraud teams from the major credit card providers that are keeping an eye on you. Here, it's up to each individual owner of that loyalty account to track this and to combat this themselves. So that also could be part of the calculation of why loyalty is so popular here. And it's not what we're talking about here today specifically, with the loyalty programs being compromised, but maybe the first cousin of that challenge is really around gift cards, right? So any retailer that offers gift cards, which are a popular choice, they face a very similar threat, where you have this automation that will attempt to identify a valid gift card that has some type of a balance so that somebody could then defraud the rightful owner of that gift card. So that's also something that the folks in this space -- a challenge that they all face as well.
Martin McKeay
Good point, good point. So how do they get a lot of this? Where are the attacks -- what types of attacks are leading to some of these compromises that create these large groups of accounts? Quite frankly, more than anything, it's SQL injection attacks. It's -- some of these sites might have some poor hygiene in their code, and that means that an attacker can get to them. SQL injection is almost 79% of all of the attacks that we saw against commerce. Commerce is, what, the single biggest group, I think, for this type of attack. But 3.4 billion attacks against -- that's just SQL injection attacks against commerce. Tony, you want to take a quick second and kind of explain how people use SQL injection to get to what's behind the site?
Tony Lauro
Yes. I mean, what's interesting about this is that SQL injection has kind of always been one of the top attack types that we've seen, and the OWASP Top 10 has included it for quite some time. But what's interesting is closely following that is normally local file inclusion and remote file inclusion. One is gaining access to a file that you probably shouldn't have access to on a web server. And the other 1 is making the web server execute a remote file that exists somewhere else. But all of this is really based on the principle of, even if the database on the back end is secured, it's meant to take these SQL queries, right, because that's what the front-end app is allowing it to do. And oh yes, that same database is probably being queried by other systems. So even if another system's not exposed to the web or exposed to a particular vulnerability, if I can use SQL injection to query that database and get access to data that may be hidden behind another application that is more secured, now I've got the best of both worlds, right? So that's why you see these things, SQL injection and LFI and RFI, typically at the top, because it's really showing the attacker's mindset: they're trying to get access to something they're not supposed to have access to. And that's typically why you see that as a top attack type there.
Martin McKeay
Now I'm going to hit the next one, the next slide, relatively quickly because it shouldn't come as a surprise. We saw the earlier slides and heard what we said. The United States is the top target, period. And this goes for web application attacks as well as everything else. It's where many of the customers we have are headquartered, it's where many of the customers that are doing online. But you see the growth in the United Kingdom and Germany and other places. Now where is it coming from? This 1 was a little surprising thing. Russia. I mean, we're seeing it coming out of Russia. We're seeing it out of the United States. But seeing Russia take that top spot was a little surprising. And I think that in large part, that comes back to what we call bulletproof hosting. Either 1 of you want to take a stab at explaining what bulletproof hosting is, or should I go for it?
Patrick Sullivan
Yes. Martin, I mean, it's pretty straightforward. I think in many countries, if there's a complaint about an organization hosting nefarious activity, there's a process to decommission that activity. There are other areas where attackers, as long as they maybe don't attack targets in their own geography, they're not really -- they're protected essentially from those types of takedowns. And Martin, maybe just to give a glass-half-full on the breakdown of these web app attacks. It's interesting that cross-site scripting has worked its way down the list. So I think there's a bit of optimism there. What maybe we're seeing is some of the IDEs and tools that developers leverage, as those are more automated today. Some of those now will force a developer to use kind of a safe method. And if they use an unsafe method, in some cases, they have to actually explicitly include something in that language that acknowledges the danger there, right? So that could be why some of these things are being addressed and they're declining in popularity from attackers. I do feel like we are making progress in the software development life cycle, and maybe we're seeing that play out in terms of the popularity of some of those mechanisms we see.
Martin McKeay
Well, in the same spirit of talking about the positives, the Netherlands used to be one of the single biggest offenders, I hate to say it that way, but the single biggest sources, because of bulletproof hosting. But over the last few years, the law enforcement agencies there have done a lot of work to kind of shut some of those down. So we're seeing -- I mean, obviously, they're not #1 or #2, which is where they used to be a few years ago, almost every single report. So that's a good thing. But one of the things that Tony mentioned earlier is where are these attacks coming from? Actually, let me stop here for just a second, saying if you've got questions, please put them in the Q&A. We'd love to answer your questions and we are kind of coming towards the end. So anything you want to know, let us know. But back to this particular issue, yes, I mean, this is how it happens. This is the raw material for much of the ecosystem, where Ixigo got compromised. They lost 17.204 million records and those are out. As -- again, as Tony mentioned, they get used to fuel attempts to log in and create validated databases. And that's what this is all about. That's what -- where this all starts. Tony, you want to elaborate on that a little bit?
Tony Lauro
Yes. As I said before, I think what's interesting here is that there's no shortage of other organizations that are getting breached, right? I think one of the main goals is, and certainly from an Akamai perspective and our customers, we don't want your database, through SQL injection or whatever other means, to be compromised and end up as part of this list. Because 1 thing that's happened over the years, if you remember -- remember, you used to have like a unique username like ladiesman227, right? That wasn't mine, but just as an example. But now all of your usernames are generally standardized on your e-mail address, right, which is, of course, unique to you and your own e-mail, but it's also not private. It's something that is freely shared to the world. So now kind of 50% of the username/password combination guessing process is already done. So you can take -- and this is where password stuffing comes in. You could take a single e-mail address and try the top 25 most used passwords. And if 1 of those hit -- and certainly, if you've used that e-mail address and a specific password somewhere else, what are the odds that you're using the same password on this other site that the attacker is testing against? So that's what the hackers are hoping for. And based on the results that we see, it works, right? People reuse passwords all the time, and that's what's kind of fueling this in the first place. So the question would be, what can you put on top of that authentication process to better secure the user account? And that's the question that everyone's pointing at right now.
Martin McKeay
I think this is when I say, please use multifactor authentication wherever it's offered. Please use a password vault and randomized passwords anywhere you can. But that's off my soapbox now. So at the end here, we kind of wanted to take this a little bit different direction, because there's been a lot happening since we kind of cut off the data for the SOTI. Extortion DDoS, ransom DDoS. Patrick, I'm going to hand it to you because I think you're better suited to kind of explain what's been going on and what's happening on that than I am.
Patrick Sullivan
Yes, absolutely. I think things have gotten really interesting on the DDoS front. Unfortunately, right after the interval here we had for the SOTI, so the data here probably won't reflect what's been happening. But I think as we saw 2020 begin to emerge, there was a lot of concern from many of the organizations that I work with that we're really dependent on remote access now in a way that we weren't before. So we want to make sure that that is protected with always-on DDoS mitigation. So that seemed to be kind of where everybody was focused. The good news is we haven't seen that become a major target, so we're not seeing targeted campaigns to take out remote access, even though that's -- organizations are more susceptible to that this year. But what we have seen is probably the most sustained and most organized DDoS extortion campaign that we've seen in years. And really, this is a really straightforward attack. It's send a sample DDoS attack, or reference a successful DDoS attack that you've been able to commit against another organization, follow that up with a note to the organization requesting some Bitcoin against the threat of those attacks persisting. And when we say that this adversary is more organized, years ago, we would see the DDoS-for-Bitcoin campaigns and the extortion attempt would come in on a chat session with a customer service representative who was ill-equipped to know what to do with that. So the chances of that getting to the right team within the organization were low. We see a lot of recon these days where they're clearly on LinkedIn, and the extortion note goes directly to somebody who can action that, who knows what that threat is all about. The attacks have been as high as the hundreds of gigabits a second. So these aren't record-breaking attacks that are causing us to rewrite or redesign anything. They're pretty manageable if you have cloud protection.
But these are big enough that if you don't have robust DDoS mitigation services in place, a couple of hundred gigabits a second will do damage, particularly if they're mixing in 9 or 10 different vectors as part of that. So there's -- it's certainly not all bark and no bite from these campaigns. There's been follow-through. And maybe something else that's remarkable about it is just the breadth, right? So typically, we'll see these campaigns focus on 1 vertical. So we saw people using the same names as these groups purport to be 2 years ago, but they only went after a set of financial services organizations in a limited geography. This campaign has, according to the FBI, more than 1,000 organizations that have been targeted, so it's across verticals, across geographies. That has been remarkable to follow, just how pervasive these adversaries have been.
Martin McKeay
Tony, you've been dealing with this a lot as well, haven't you?
Tony Lauro
executive
Yes. I remember in 2015, we saw a lot of activity from groups like [indiscernible] and Armada Collective and DD4BC. And some of those groups are part of this current active campaign. What is kind of speaking to what Patrick mentioned, there is a lot of sophistication here. One, just -- it was really surprising to us that they're actually getting these e-mails directly to the people who need to see them. I mean, as Patrick mentioned, we kind of joke sometimes too, like, yes, if you're sending an extortion note, you can't send it to someone who has no control over anything at the corporation. You have to send it to the people in charge or the people who are directly in that line of reporting. And sure enough, they've been doing that. But when you start to track the extortion process, like who has paid what to what Bitcoin wallet, et cetera, that's where it gets a little bit more interesting because in some cases in the past, we saw an extortion note that was e-mailed out. And the groups were so disorganized. It's like, "oh, October 21 came and left and we didn't get attacked." Well, it's because the extortion group forgot to come back and attack you as they promised, right, because they're doing this to thousands of different people at the same time, they can't really manage that. This time around, it's been a lot more cooperative, so to speak, in terms of how they're working, assuming it's more than 1 person working this process across the group. The other thing, too, is that there's no guarantee that if you pay, they're not going to attack you or that if you pay, they're not going to say, "Hey, they've already paid. Maybe they'll pay us more if we threaten them again." You know what I mean? And also the copycat groups, it would be very easy for an attacker to say, "Hey, here's who we are," and point to some article that talks about an actual group that [ asks ] extortion. Pay money to this Bitcoin wallet.
And sure enough, if you track those as well, those people are getting paid from time to time. So actually...
Martin McKeay
executive
You bring up a very important point there: they claim to be this group or that group that has historically done these types of attacks. We really don't know. I mean, they can claim to be anybody they want. Whether they're the real attacker or they're the copycat you mentioned, we just -- we have no idea who is really behind it at this point. That's going to be something that law enforcement has to figure out.
Tony Lauro
executive
Yes. Yes, lots of times, there are some tells maybe in the e-mail and maybe in what they claim to know about the group that if you've been tracking the group for a while, what you actually know about them. And also when you see big changes in discrepancies across what Bitcoin wallet address they're putting into the ransom note, that can also tell you sometimes if it's part of the same campaign. Maybe they just changed Bitcoin wallets or maybe it's a copycat group just trying to piggyback. So yes, you're right. It is difficult to track that at a large scale.
Martin McKeay
executive
And Patrick, one of the things -- go ahead.
Patrick Sullivan
executive
Yes, just 1 more point there. Not necessarily attributing the attack to an individual from a law enforcement and takedown perspective, but when you look at the attacks, there are TTPs you can see there. So there are things that can give you some confidence that this shows all the hallmarks of being the same group based on the techniques and the type of attack that we're seeing when they follow through. So there are things you can do there to build some confidence that this is indeed the same crew because it's unlikely that somebody else would have an attack that would look so similar, right? So there are some things you can get there from the attack perspective to build some profiles. [indiscernible] you had a question.
Martin McKeay
executive
Well, one of the other things that you said earlier that I really want to have you kind of come back to and highlight a little bit more, which is when we saw this 5 years ago, 7 years ago, it was mostly against finance. This, in some way, started against finance but then it's expanded. Could you talk a little bit about that and why it's not just 1 vertical? Everybody is being targeted by these groups right now.
Patrick Sullivan
executive
Yes. That's true. I mean, it's hard to speak to their motivation, but they're -- I guess, maybe some organizations go whale hunting, right? Maybe they assume that going after the world's largest financial services organizations could net them larger kind of single payouts. Based on the pervasiveness of this campaign, it seems like they're at this more from a volume perspective, where they want to -- certainly, they're going after those type of targets in finance but then they quickly pivoted to other verticals, right? And they appear almost to have like a CRM, where they're so methodical, they're working kind of vertical by vertical. And we've seen that in limited perspectives before, but typically, that kind of fizzles pretty quickly. We've watched where you'll start getting calls from a vertical and then the next week, it'll be a different vertical. So you've seen that in the past, but this one, just much broader in their targeting than we historically see.
Martin McKeay
executive
And that actually brings us to the end of the general discussion. If you've had any questions, please type them in now, and we'll answer what we can. But as we're heading -- as we're kind of closing this off, Tony, I'll let you go first. What are kind of the thoughts you want people to take away from today's discussion?
Tony Lauro
executive
Well, I think the biggest thing for me is that the attacker tool set and tactics and ecosystem has continuously been growing. The types of attack tools, I mean, even in the case of DDoS, every once in a while, we'll see a very novel DDoS attack that has different attack vectors we haven't seen or maybe they're mixing multiple attack vectors, et cetera. But when it comes to retail and hospitality, especially from the fraud perspective, it's a lot more bespoke, right, because they're not trying to take down a system. In fact, what they're trying to do is interact with the system as though a normal user would, right? I mean, it's 1 thing to say, "Hey, I want to get super user access or root access on the system and download a database." That's 1 flaw. But more often than not, it's a more nuanced approach to trick you into thinking you're communicating with a valid user account, right? So this is where identity protection and multifactor authentication and things like that kind of fit into this big picture because just knowing if it's a bot or a user, I mean, heck, there's a lot of this communication that, especially for credential abuse, happens over APIs. In fact, to a tune of 4 or 5x the amount of credential abuse attacks (we've reported this in previous SOTIs) is targeting mobile APIs. And the basic reason is, one, because you assume that the API traffic is machine-to-machine or application-to-machine traffic, right, from your mobile application and you're logging into the loyalty site, for instance, but the attackers take those calls and they make something different happen over that API call. So as you look at kind of how attackers are expanding that process, they're really trying to, again, integrate more of what a real user looks like and then take advantage of the things that they can under that assumption.
Martin McKeay
executive
So we've got 1 question so far from Andre. Can we discuss the recommendation for 2-factor authentication methods for loyalty programs? I mean, from my point of view, it's not necessarily that a consumer can enable this, but it's that -- if it's being enabled, we should be taking advantage of it as consumers. But Patrick, I'm going to turn this over to you. What should the people responsible for the loyalty programs be looking at instantiating and making accessible for people like end users like you and me?
Patrick Sullivan
executive
Yes. I mean, this is where sort of the battle between the user experience and security comes to a head, right? So certainly, application-based MFA is not perfect but it would certainly make things more difficult for the adversary. But many organizations may not want to do that for everybody. So I think we're working with our customers to help give them signals around the risk of a request, so that maybe you get into more of the model versus maybe you start with sort of a risk-based step-up where I typically am traveling 80% of the time, but the last couple of months, I am pretty much locked into a particular geography and network. So if all of a sudden, I were to pop up at a distant location, that will be risky. Along with some of the indications, is it a human? Is it a bot? So I think that's where we're trying to partner with our customers to strike that balance between friction and applying that for can at a smart point of interaction selectively. But in general, wherever we can introduce that MFA, that would be helpful along the way.
Martin McKeay
executive
And do you have any closing thoughts, Patrick, beyond that?
Patrick Sullivan
executive
Yes. So I think looking at this report, Martin, I think you pulled together an interesting report, so thank you and Steve for the research there. But it correlates with other trends that I see. So everything we've talked about today has been attacks targeting the web front-end of the business. And given everything that's happened in 2020, there's a lot of face-to-face interactions that can't take place. But everything web-related is off the charts, right? I mean, the traffic is breaking records. I think every 1 of the types of web attacks that we measure, as you highlighted here, they're all up. Sometimes, you'll see these dips in credential stuffing where it slows down for a bit and then picks up. But we haven't really seen that cessation in attack volume occur. So I think that correlates with what we see. And then the other thing that just jumps right out is if you look at the Verizon DBIR, it just seems like authentication is the preferred vulnerability or weak point that people are targeting, right? So account brute forcing, whether it's to get into the network for employees or on the consumer side that we're highlighting here, that's where the breaches tend to be occurring. So it's no surprise that we're seeing the increase here.
Martin McKeay
executive
I'm always for giving props to the folks over on the DBIR team. They're friends and we help contribute to some of that data, so glad you brought that up. My closing thought. A lot of this goes back to the multifactor authentication and the need for password vaults. It just does. I mean, that's from a consumer side but it -- we can't necessarily rely on everybody to be good from the consumer side and use complex passwords so we should be -- they should be using password vaults. I use one, you use one. Most of the people on this call probably use one. But we need to encourage that more. And on the other side, we also need to encourage more companies to use multifactor authentication of some form. Even if it's just, hey, I'm sending your phone a text, which, yes, there's lots of ways to get around it. But even that is 1 more hurdle the bad guy has to overcome and makes it that much more expensive to compromise that account and therefore makes it less likely that they're going to try those accounts. So retail and travel and hospitality are some of the biggest targets around; this is something that's indicative across multiple vectors, across multiple types of companies. So as -- not as an industry but as an organization, no, that's not even the right term. As a career path, security professionals need to be pushing that at companies that have remote log-ins as much as possible. Well, gentlemen, thank you very much for joining me on the call today and sharing opinions with everybody. So you can find more about the Akamai State Of The Internet Security report at akamai.com/soti. And I was serious, we have put the slides out from this presentation. Please use them. We would love to see people using them themselves. Patrick, have a good rest of your day.
Patrick Sullivan
executive
Thanks, Martin.
Martin McKeay
executive
And Tony, stay out of trouble. I know it's hard but you can do it.
Tony Lauro
executive
I will try my best. Thanks, Martin. Everyone, thanks for being here. Have a good day.
Martin McKeay
executive
And with that, we're done.