Cybersecurity researchers have exposed a massive fraud operation that targets e-commerce companies in account takeover attacks.
Sift, a fraud prevention firm announced on Thursday that the hacker ring, dubbed Proxy Phantom, is employing over 1.5 million sets of stolen account credentials in automated credential stuffing assaults against online retailers.
Credential stuffing attacks usually depend on a large number of stolen or leaked credentials-username and password pairs-for one website and tests them on the login pages of other websites. The attacker’s motive is to secure unauthorized access to as many user accounts as possible and then carry out other assaults or fraudulent schemes.
According to the estimation of Sift’s researchers, only 0.1% of credential stuffing assaults are successful. However, given the low success rate, you can attempt thousands of account combinations at the same time, these attacks can still be useful – particularly when employed against businesses or financial services.
Proxy Phantom "flooded businesses with bot-based login attempts to conduct as many as 2,691 login attempts per second,” as per Sift's Q3 2021 Digital Trust & Safety Index. Scammers also employed connected and rotating IP addresses to make the queries appear to stem from different geographical areas and primarily targeted e-commerce platforms and online services.
"As a result, targeted merchants using rules-based fraud prevention methods would be forced to play a supercharged, global game of "whack-a-mole," with new combinations of IP addresses and credentials (likely purchased in bulk on the dark web) coming for them at an unthinkable pace," Sift stated.
The study further reports that account takeover attacks identified by the company jumped by 307% over Q3. Specifically, the financial sector is a top target, including cryptocurrency exchanges and digital wallet services.
Earlier this month, Netacea, a UK-based software firm released an index documenting the actions of scalper bots. These automated systems are manufactured to defeat online queues for high-ticket products like concert tickets and gaming consoles in order to resell and generate a profit for their operators.
“Fraudsters will never stop adapting their techniques to overwhelm traditional fraud prevention, making suspicious logins look legitimate, and legitimate ones look suspicious. At the same time, poor consumer security habits—like reusing passwords for multiple accounts—make it easy and continue to breathe life into the fraud economy,” stated Jane Lee, trust and safety architect at Sift.
“To proactively secure customer accounts and fuel expansion into new markets, merchants need to adopt a Digital Trust & Safety strategy to stop these advanced attacks before they shatter consumer loyalty and stifle growth,” she added.
