Akamai threat researcher Ryan Barnett has reported two account takeover (ATO) campaigns that, according to his analysis, were carried out by a single entity. The attacker targeted a financial institution and an entertainment company, and ran the login attempts through a very large botnet built from compromised home routers and other networking equipment.
The attacks were conducted earlier this year. Mr. Barnett explained the nature of the threat: “ATO attacks (also known as credential stuffing) use previously breached username and password pairs to automate login attempts. This data may have been previously released on public dumpsites such as Pastebin or directly obtained by attackers through web application attacks such as SQLi.”
The goal of the campaigns was to find which of the stolen username and password pairs were still valid on the targeted sites. Once validated, the credentials can be sold on darknet forums or used by the attacker directly. Depending on the controls on the account, that access may be enough to carry out financial operations, such as buying gift cards or cashing out value from reward programs.
For the research, Akamai analyzed the web login transactions recorded at both targeted companies (both are Akamai customers) during the attacks. The analysis found clear similarities between the two campaigns. In both instances, the attacker used an account-checking tool with proxy capabilities, so the login requests appeared to come from a very large number of distinct IP addresses rather than from a handful of sources that could simply be blocked.
The campaign against the bank used 993,547 distinct IP addresses; the campaign against the entertainment company used 817,390.
Mr. Barnett described the key finding: “When cross-referencing the attacking sources from both of these targeted campaigns, we identified that 778,786 IPs (more than 70% of the campaign participants) were attacking both customer sites.” This overlap in attacking sources is what led Akamai to attribute both campaigns to the same attacker.
Akamai also investigated the attacking sources themselves and found that both proxy servers and compromised networking equipment were used for the login attempts. The research team located a cluster of compromised Arris cable modems in Mexico, and ZyXel routers and modems were also found to be taking part in the attacks.
“ATO may be considered a subset of brute force attacks, however it is an increasing threat because it is harder to identify such attacks through traditional individual account authentication errors,” Mr. Barnett added.
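The two analyses above, cross-referencing attacking sources across the two campaigns and showing why per-account authentication error counts miss credential stuffing while a wider aggregate view does not, as an added example that is not Akamai's code or tooling. It runs over constructed login transactions in a made-up one-line-per-attempt format; the addresses come from the RFC 5737 documentation ranges and the usernames and thresholds are illustrative assumptions.

```python
"""Distributed credential stuffing: detection signals and source cross-referencing.

Added example, not Akamai's code. The log format, addresses (RFC 5737 ranges),
usernames and thresholds are all constructed for this illustration.
"""
from collections import Counter

# Constructed login transactions: "<timestamp> <source-ip> <username> <OK|FAIL>".
# A stuffing run tries each stolen pair once, so no single account fails often.
BANK_LOG = """\
2016-06-01T10:00:00Z 198.51.100.10 alice FAIL
2016-06-01T10:00:01Z 198.51.100.11 bob FAIL
2016-06-01T10:00:02Z 198.51.100.12 carol FAIL
2016-06-01T10:00:03Z 198.51.100.13 dave FAIL
2016-06-01T10:00:04Z 198.51.100.14 erin OK
2016-06-01T10:00:05Z 198.51.100.15 frank FAIL
2016-06-01T10:00:06Z 198.51.100.16 grace FAIL
2016-06-01T10:00:07Z 198.51.100.17 heidi FAIL
2016-06-01T10:00:08Z 203.0.113.5 alice OK
2016-06-01T10:00:09Z 203.0.113.6 bob FAIL
2016-06-01T10:00:10Z 203.0.113.6 bob OK
"""

ENT_LOG = """\
2016-06-01T11:00:00Z 198.51.100.10 ivan FAIL
2016-06-01T11:00:01Z 198.51.100.11 judy FAIL
2016-06-01T11:00:02Z 198.51.100.12 mallory FAIL
2016-06-01T11:00:03Z 198.51.100.13 niaj FAIL
2016-06-01T11:00:04Z 198.51.100.15 olivia FAIL
2016-06-01T11:00:05Z 198.51.100.16 peggy OK
2016-06-01T11:00:06Z 192.0.2.40 quentin FAIL
2016-06-01T11:00:07Z 192.0.2.41 rupert FAIL
2016-06-01T11:00:08Z 203.0.113.9 sybil OK
"""

# Baseline traffic (one mistyped password) and a classic single-account brute force.
NORMAL_LOG = """\
2016-05-01T09:00:00Z 203.0.113.20 alice OK
2016-05-01T09:00:05Z 203.0.113.21 bob FAIL
2016-05-01T09:00:09Z 203.0.113.21 bob OK
2016-05-01T09:00:12Z 203.0.113.22 carol OK
"""

BRUTE_LOG = """\
2016-05-02T09:00:00Z 192.0.2.99 alice FAIL
2016-05-02T09:00:01Z 192.0.2.99 alice FAIL
2016-05-02T09:00:02Z 192.0.2.99 alice FAIL
2016-05-02T09:00:03Z 192.0.2.99 alice FAIL
"""


def parse_log(text):
    """Return (timestamp, ip, user, success) tuples from the constructed format."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((ts, ip, user, result == "OK"))
    return events


def per_account_lockout(events, threshold=3):
    """Traditional control: accounts whose own failure count reaches the threshold.
    Catches a brute force on one account; a stuffing run rarely trips it."""
    fails = Counter(user for _, _, user, ok in events if not ok)
    return {user: n for user, n in fails.items() if n >= threshold}


def window_stats(events):
    """Aggregate view of all login attempts in a time window, not per account."""
    fails = [(ip, user) for _, ip, user, ok in events if not ok]
    total = len(events)
    return {
        "attempts": total,
        "failures": len(fails),
        "fail_ratio": len(fails) / total if total else 0.0,
        "distinct_failed_users": len({user for _, user in fails}),
        "distinct_failing_ips": len({ip for ip, _ in fails}),
    }


def looks_like_stuffing(stats, min_failures=5, min_fail_ratio=0.5, min_spread=0.8):
    """Stuffing signature: many failures, a high failure ratio, and failures spread
    across distinct accounts (spread = distinct failed users / failures)."""
    if stats["failures"] < min_failures:
        return False
    spread = stats["distinct_failed_users"] / stats["failures"]
    return stats["fail_ratio"] >= min_fail_ratio and spread >= min_spread


def attacking_ips(events):
    """Heuristic: every source with at least one failed login in the window.
    It misses a source whose only attempt succeeded and includes a legitimate typo."""
    return {ip for _, ip, _, ok in events if not ok}


def cross_reference(events_a, events_b):
    """Overlap of attacking sources between two campaigns, as Akamai did across sites."""
    a, b = attacking_ips(events_a), attacking_ips(events_b)
    shared = a & b
    return {
        "sources_a": len(a), "sources_b": len(b), "shared": len(shared),
        "share_of_a": len(shared) / len(a) if a else 0.0,
        "share_of_b": len(shared) / len(b) if b else 0.0,
        "shared_ips": sorted(shared),
    }


if __name__ == "__main__":
    bank, ent = parse_log(BANK_LOG), parse_log(ENT_LOG)
    print("lockout, stuffing run:", per_account_lockout(bank))
    print("lockout, brute force:", per_account_lockout(parse_log(BRUTE_LOG)))
    print("stuffing?", looks_like_stuffing(window_stats(bank)))
    print("overlap:", cross_reference(bank, ent))
```

On the constructed bank log the per-account lockout never fires (no account fails more than twice), while the aggregate view flags the window because eight failures land on seven different accounts. The cross-reference reports five of the bank's eight failing sources also failing at the entertainment site. The source heuristic is deliberately crude: a botnet node whose only attempt succeeded is invisible to it, and a legitimate user who mistyped a password is counted, so a production pipeline would add per-source behaviour and reputation signals.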
Credential stuffing is likely to become an even larger threat in the near future given the recent large-scale leaks of login credentials from LinkedIn, MySpace, Tumblr, VK and other platforms.
Leaked credentials also give attackers a way into various types of SoHo networking equipment, so we can expect botnets built from home routers and similar devices to keep serving as the infrastructure for attacks like these.