Zola, a wedding planning website, confirmed that hackers had managed to access the accounts of a number of users and tried to initiate fraudulent cash transfers.
Zola’s director of communications confirmed that the unauthorized access took place through a credential stuffing attack. Zola does not currently provide any two-factor authentication for account users, making credential stuffing attacks far easier to achieve.
Cyber experts from across the community shared their perspectives on this attack and this type of attack:
Arti Raman, CEO and Founder, Titaniam
“As the recent Zola data breach proved, information can be accessed using exposed credentials, allowing hackers to access your personal information and steal underlying data. To keep customer PII safe and minimize the risk of extortion, encryption, specifically data-in-use encryption, also referred to as encryption-in-use, is recommended.
“Data-in-use encryption provides unmatched immunity. Should adversaries break through perimeter security infrastructure and access measures, data-in-use encryption keeps the data and IP encrypted and protected even when it is being actively utilized. This helps neutralize all possible data-related leverage and limits the need for breach disclosure.”
Tyler Farrar, CISO, Exabeam
“Credential theft has become one of the most common and effective methods cyberthreat actors use to infiltrate organizations of all sizes and access sensitive data. Credential-driven attacks, like this instance with Zola, are largely exacerbated by a ‘set it and forget it’ approach to identity management. Organizations must build a security stack that is consistently monitoring for potential compromise. Businesses across all industries can invest in data-driven behavioral analytics solutions to help detect malicious activity. These analytics tools can immediately flag when a legitimate user account is exhibiting anomalous behavior indicative of credential theft, providing greater insights to SOC analysts about both the compromised and the malicious user, which results in a faster response time.”
Gunnar Peterson, CISO, Forter
“The compromise of multiple Zola user accounts provides both security and fraud prevention lessons. In regards to security, there is an influx of bad actors using automated tools like botnets and machine learning to engage in ongoing attacks against consumer-facing websites like this one. With automated tools, they commit account takeover fraud using techniques like credential stuffing and brute force attacks.
“To succeed against dynamic cybercriminals, organizations must build a learning system that evolves over time to keep up with attacker tactics. Identity graph technologies can help savvy organizations recognize attacker tactics across the whole identity lifecycle, including provisioning and account maintenance.
“The credential stuffing tactics also led to digital commerce fraud. In this case, it appears credentials were purchased on the dark web, and associated bank accounts were used to buy gift cards and make purchases. Retailers can actually apply similar identity-based principles to fraud prevention to catch these fraudsters in the act.
“Fraud prevention teams must look beyond basic attributes and work to identify patterns with less conventional characteristics. Surfacing those patterns takes sophisticated technology and making decisions on transactions accurately and instantly. Thus, the most effective way to combat gift card fraud is not to focus on the transaction but instead the identity behind the transaction. Merchants must block bad actors across the digital commerce funnel and across channels to protect their consumers and their profits.”