Help Net Security - Daily information security news with a focus on enterprise security.
Zeljka Zorz, Editor-in-Chief, Help Net Security
June 21, 2016

Botnet-powered account takeover campaign hit unnamed bank

A single attacker has mounted two massive account takeover (ATO) campaigns against a financial institution and an entertainment company earlier this year, and used a gigantic botnet comprised of home routers and other networking products to do it.

“ATO attacks (also known as credential stuffing) use previously breached username and password pairs to automate login attempts. This data may have been previously released on public dumpsites such as Pastebin or directly obtained by attackers through web application attacks such as SQLi,” Akamai threat researcher Ryan Barnett explained.

The goal of the attacks is to identify which of the leaked username/password pairs are still valid on the target site, and then either sell those working credentials on underground forums or use them to get into the accounts and, where possible, buy gift cards, cash out value from reward programs, and so on.

Akamai identified the two campaigns by analyzing web login transactions across its customer base.

The attacker used an account-checking tool with proxy capabilities, so that the login requests could be made to come from many different IP addresses.

In the campaign against the financial company, 993,547 distinct IPs were used; in the campaign against the entertainment company, 817,390.

“When cross-referencing the attacking sources from both of these targeted campaigns, we identified that 778,786 IPs (more than 70% of the campaign participants) were attacking both customer sites,” Barnett noted. That overlap led the researchers to conclude that the same attacker was behind both campaigns.

The login attempts came from proxy servers, but also from compromised networking equipment. The researchers identified a large cluster of compromised Arris cable modems located in Mexico participating in the attacks, as well as compromised ZyXel routers/modems.

“ATO may be considered a subset of brute force attacks, however it is an increasing threat because it is harder to identify such attacks through traditional individual account authentication errors,” Barnett pointed out.
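The following script is an added illustration of that detection problem (it is not Akamai's tooling, and every log line in it is constructed): each attacking IP tries only a handful of leaked username/password pairs, so no single account ever reaches a lockout threshold, yet the campaign is obvious once failures are aggregated across accounts and source IPs, and the two targets' attacking IP sets are cross-referenced the way Akamai did. Site names, IP ranges, usernames and thresholds are all assumptions chosen for the example.

```python
"""Credential-stuffing (ATO) detection over login logs.

Per-account failure counts stay low, so a classic lockout rule never fires.
Aggregating across accounts and source IPs, and cross-referencing the
attacking sources of two targets, exposes the campaign instead.
Added example with constructed data; not Akamai's code or logs.
"""
from collections import defaultdict

# Constructed source IPs (documentation ranges, RFC 5737).
ATTACK_IPS = [f"203.0.113.{i}" for i in range(1, 41)]   # 40 IPs hit the bank
SHARED_IPS = ATTACK_IPS[:30]                             # 30 of them also hit the media site
OTHER_IPS = [f"198.51.100.{i}" for i in range(1, 11)]    # 10 IPs hit only the media site


def _campaign(site, ips, prefix):
    """Constructed campaign: every IP tries three breached credential pairs,
    each against a different account, so each account sees at most one failure.
    Roughly one pair in seventeen is still valid, which is what the attacker wants."""
    rows = []
    for n, ip in enumerate(ips):
        for k in range(3):
            m = n * 3 + k
            result = "ok" if m % 17 == 0 else "fail"
            rows.append((site, ip, f"{prefix}{m}", result))
    return rows


# (site, source_ip, username, result) tuples: two campaigns plus one
# legitimate user who mistypes a password once and then logs in.
LOGS = (
    _campaign("bank", ATTACK_IPS, "b_user")
    + _campaign("media", SHARED_IPS + OTHER_IPS, "m_user")
    + [("bank", "192.0.2.10", "alice", "fail"), ("bank", "192.0.2.10", "alice", "ok")]
)


def per_account_lockouts(logs, site, threshold=5):
    """Traditional rule: accounts with at least `threshold` failed logins.
    Returns the set of usernames that would be locked."""
    fails = defaultdict(int)
    for s, _ip, user, result in logs:
        if s == site and result == "fail":
            fails[user] += 1
    return {u for u, c in fails.items() if c >= threshold}


def stuffing_indicators(logs, site, min_users_per_ip=3, min_failure_rate=0.8):
    """Aggregate view for one site: IPs that try many distinct usernames, and
    the site-wide login failure rate. A stuffing run pushes both up while
    every individual account looks quiet."""
    users_by_ip = defaultdict(set)
    attempts = fails = 0
    for s, ip, user, result in logs:
        if s != site:
            continue
        attempts += 1
        if result == "fail":
            fails += 1
        users_by_ip[ip].add(user)
    suspicious = {ip for ip, users in users_by_ip.items() if len(users) >= min_users_per_ip}
    rate = fails / attempts if attempts else 0.0
    return {
        "suspicious_ips": suspicious,
        "failure_rate": rate,
        "flagged": rate >= min_failure_rate and bool(suspicious),
    }


def source_overlap(ips_a, ips_b):
    """Cross-reference two targets' attacking sources: number of shared IPs
    and the fraction of each campaign they represent."""
    shared = ips_a & ips_b
    return len(shared), len(shared) / len(ips_a), len(shared) / len(ips_b)


if __name__ == "__main__":
    bank = stuffing_indicators(LOGS, "bank")
    media = stuffing_indicators(LOGS, "media")
    print("lockouts on bank:", per_account_lockouts(LOGS, "bank"))
    print("bank failure rate %.2f, suspicious IPs %d" % (bank["failure_rate"], len(bank["suspicious_ips"])))
    print("shared IPs, share of bank, share of media:",
          source_overlap(bank["suspicious_ips"], media["suspicious_ips"]))
```

On this data the lockout rule locks nobody, because no account fails more than once, while the aggregate view flags all 40 attacking IPs on each site with a failure rate above 90%, and 30 of them (75% of each campaign) appear in both sets, the same kind of overlap Akamai used to attribute both campaigns to one operator. In production the per-IP distinct-username count needs a higher bar for shared NAT addresses, and the failure-rate baseline should be learned per site rather than fixed.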

With the recent leaks of login credentials belonging to LinkedIn, MySpace, Tumblr, VK, and other online services’ users, attackers such as this one have plenty of data to feed into future login attempts.

And with hard-coded default credentials effectively opening backdoors in much SoHo networking equipment, botnets built from these devices are here to stay.

© Copyright 1998-2023 by Help Net Security