A single attacker mounted two massive account takeover (ATO) campaigns against a financial institution and an entertainment company earlier this year, using a gigantic botnet made up of home routers and other networking products to do it.
“ATO attacks (also known as credential stuffing) use previously breached username and password pairs to automate login attempts. This data may have been previously released on public dumpsites such as Pastebin or directly obtained by attackers through web application attacks such as SQLi,” Akamai threat researcher Ryan Barnett explained.
The goal of the attacks is to identify valid login credentials and either sell them on underground forums or use them to gain access to the accounts and, where possible, buy gift cards, cash out value from reward programs, and so on.
The company identified the two campaigns by analyzing web login transactions across their customer base.
The attacker used an account-checking tool with proxy capabilities, so that the login requests could be made to appear to come from many different IP addresses.
In the campaign against the financial company, 993,547 distinct IPs were used; in the one against the entertainment company, 817,390.
“When cross-referencing the attacking sources from both of these targeted campaigns, we identified that 778,786 IPs (more than 70% of the campaign participants) were attacking both customer sites,” Barnett noted. This led the researchers to conclude that the attacker was one and the same.
The login attempts came from proxy servers, but also from networking equipment. The researchers identified a big cluster of compromised Arris cable modems located in Mexico participating in the attacks, as well as compromised ZyXel routers/modems.
“ATO may be considered a subset of brute force attacks; however, it is an increasing threat because it is harder to identify such attacks through traditional individual account authentication errors,” Barnett pointed out.
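The detection logic described above, as an added example that is not part of Akamai's report or tooling: it shows why per-account failure counts stay quiet during credential stuffing, flags source IPs that fail against many distinct accounts instead, and cross-references those sources between two sites the way the researchers did. The log format, site names and addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed sample login events (site, ip, user, result), not report data.
SAMPLE_LOG = """\
bank 198.51.100.10 alice FAIL
bank 198.51.100.10 bob FAIL
bank 198.51.100.11 carol FAIL
bank 198.51.100.11 dave FAIL
bank 203.0.113.5 alice OK
media 198.51.100.10 alice FAIL
media 198.51.100.10 erin FAIL
media 198.51.100.12 frank FAIL
media 198.51.100.12 gina FAIL
media 203.0.113.9 bob FAIL
"""

def parse_log(text):
    """One (site, ip, user, result) tuple per non-empty line."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def max_failures_per_account(events):
    """Peak failed logins for any single account on one site. Stuffing tries
    each account once or twice, so a per-account lockout never fires."""
    counts = defaultdict(int)
    for site, _ip, user, result in events:
        if result == "FAIL":
            counts[(site, user)] += 1
    return max(counts.values(), default=0)

def stuffing_sources(events, min_accounts=2):
    """Per site, source IPs whose failures spanned >= min_accounts usernames:
    the many-accounts-from-one-source pattern of an account checker."""
    users_by_src = defaultdict(set)
    for site, ip, user, result in events:
        if result == "FAIL":
            users_by_src[(site, ip)].add(user)
    sources = defaultdict(set)
    for (site, ip), users in users_by_src.items():
        if len(users) >= min_accounts:
            sources[site].add(ip)
    return dict(sources)

def cross_site_overlap(sources, site_a, site_b):
    """Shared attacking IPs and their share of each site's sources: the
    cross-referencing step that tied both campaigns to one operator."""
    a, b = sources.get(site_a, set()), sources.get(site_b, set())
    shared = a & b
    share_a = len(shared) / len(a) if a else 0.0
    share_b = len(shared) / len(b) if b else 0.0
    return shared, share_a, share_b

REPORT = cross_site_overlap(stuffing_sources(parse_log(SAMPLE_LOG)), "bank", "media")
```

On the constructed data no account fails more than once, yet one source appears in both sites' stuffing sets; at the scale in the report the same comparison yields the 70%-plus overlap quoted above.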
With the latest leaks of login credentials belonging to LinkedIn, MySpace, Tumblr, VK, and other online services’ users, attackers such as these have much data to use for future login attempts.
And with hard-coded default credentials effectively opening backdoors in many SoHo networking devices, botnets made up of such equipment are here to stay.