Zeljka Zorz
Zeljka Zorz, Editor-in-Chief, Help Net Security
June 21, 2016
Botnet-powered account takeover campaign hit unnamed bank

Earlier this year a single attacker mounted two massive account takeover (ATO) campaigns, one against a financial institution and one against an entertainment company, using a gigantic botnet of home routers and other networking products to do it.

“ATO attacks (also known as credential stuffing) use previously breached username and password pairs to automate login attempts. This data may have been previously released on public dumpsites such as Pastebin or directly obtained by attackers through web application attacks such as SQLi,” Akamai threat researcher Ryan Barnett explained.

The goal of the attacks is to identify valid login credentials and either sell them on underground forums or use them to access the accounts and, where possible, buy gift cards, cash out value from reward programs, and so on.

Akamai identified the two campaigns by analyzing web login transactions across its customer base.

The attacker used an account-checking tool with proxy capabilities, so that the login requests could be made to appear to come from many different IP addresses.

In the campaign against the financial company, 993,547 distinct IPs were used; in the one against the entertainment company, 817,390.

“When cross-referencing the attacking sources from both of these targeted campaigns, we identified that 778,786 IPs (more than 70% of the campaign participants) were attacking both customer sites,” Barnett noted. This led the researchers to conclude that the attacker was one and the same.

The login attempts came from proxy servers, but also from networking equipment. The researchers identified a large cluster of compromised Arris cable modems located in Mexico participating in the attacks, as well as compromised ZyXel routers/modems.

“ATO may be considered a subset of brute force attacks; however, it is an increasing threat because it is harder to identify such attacks through traditional individual account authentication errors,” Barnett pointed out.
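As an added illustration (not Akamai's code or data), the two analyses the article describes: cross-referencing attacking source IPs between two customer sites, and profiling why a per-account authentication-error threshold misses credential stuffing. The failed-login records are constructed inline and use documentation IP ranges.

```python
from collections import Counter, defaultdict

# Constructed sample data (not from the article): each tuple is one failed
# login, as (site, source_ip, username). Addresses come from documentation ranges.
BANK_IPS = [f"198.51.100.{i}" for i in range(1, 6)] + [f"203.0.113.{i}" for i in range(1, 6)]
ENT_IPS = [f"203.0.113.{i}" for i in range(1, 6)] + [f"192.0.2.{i}" for i in range(1, 3)]
# Credential stuffing pattern: every source tries a different leaked username once.
LOGIN_FAILURES = [("bank", ip, f"user{n}") for n, ip in enumerate(BANK_IPS)]
LOGIN_FAILURES += [("entertainment", ip, f"user{n}") for n, ip in enumerate(ENT_IPS)]
# Classic single-account brute force for contrast: one source, one account, many tries.
LOGIN_FAILURES += [("bank", "192.0.2.99", "admin")] * 8


def sources_by_site(records):
    """Map each site to the set of distinct source IPs that failed a login there."""
    by_site = defaultdict(set)
    for site, ip, _user in records:
        by_site[site].add(ip)
    return by_site


def cross_site_overlap(records, site_a, site_b):
    """Cross-reference attacking sources between two sites.
    Returns (shared_ip_count, share of site_a's sources also seen at site_b)."""
    by_site = sources_by_site(records)
    shared = by_site[site_a] & by_site[site_b]
    return len(shared), len(shared) / len(by_site[site_a])


def stuffing_profile(records, site):
    """Summarise why per-account error thresholds miss credential stuffing:
    many distinct sources, while most accounts see only one or two failures."""
    per_ip, per_account = Counter(), Counter()
    for s, ip, user in records:
        if s == site:
            per_ip[ip] += 1
            per_account[user] += 1
    return {
        "distinct_ips": len(per_ip),
        "distinct_accounts": len(per_account),
        "accounts_with_at_most_2_failures": sum(1 for n in per_account.values() if n <= 2),
        "max_failures_per_account": max(per_account.values()),
    }


if __name__ == "__main__":
    shared, frac = cross_site_overlap(LOGIN_FAILURES, "bank", "entertainment")
    print(f"{shared} IPs hit both sites ({frac:.0%} of the bank's attacking sources)")
    print(stuffing_profile(LOGIN_FAILURES, "bank"))
```

Only the single brute-forced account would trip a per-account lockout threshold; the ten stuffing sources each cause one failure, which is why the article's researchers look at distributed source behaviour across sites instead.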

With the latest leaks of login credentials belonging to LinkedIn, MySpace, Tumblr, VK, and other online services’ users, attackers such as these have much data to use for future login attempts.

And with hard-coded default credentials effectively opening backdoors in many SoHo networking devices, botnets comprised of these devices are here to stay.
