Password reuse bot steals creds from weak sites, logs in to banks

The perils of password re-use have been laid bare with the discovery of a botnet dedicated to finding account credentials on websites and testing the logins it finds on banks.

The work is clever since it avoids tripping botnet detection and brute force rate limiters in place at most security-savvy banks, but absent across the wider web.

It is likely to work too: wholly unscientific statistics indicate password reuse is a lazy habit of anywhere from 15 percent to 60 percent of users, possibly more.

Antiquated mandatory corporate password resets further pushes users to select easy and reused passwords, rather than remember a complex and unique one, or employing password lockers.

News of the password-purloining practice appeared in security firm ThreatMetrix's new cybercrime report (PDF).

That document says botnet attacks have evolved from just being large volume distributed denial of service (DDoS) or spam attacks, to low-and-slow bots, designed to evade rate and security control measures and mimic trusted customer behavior and login patterns.

"Once the fraudsters get a new list of user credentials from the dark web they launch a series of attacks targeting multiple sites to run massive credential testing sessions," researchers wrote.

"These attacks result in huge spikes over a couple of days with sustained transaction levels of over 200 transactions a second as they slice down the list.

"Once they get a hit at any site, the fraudsters take this curated list of known combinations of passwords and logins to other sites to launch attacks at a slower velocity."

The team says the lower-velocity efforts which accounted for some 264 million attacks this year are harder to detect.

Content houses like Netflix, Spotify, and others may serve as initial targets because they harbour so many accounts and impose "modest sign up requirements".

"These can be easily created or breached thanks to user password sharing across sites and the large number of data breaches exposing these key credentials."

They say fraudulent account registrations on media sites increased 175 per cent over the last 12 months.

Researchers also noted attackers using various surge and grouping tricks for botnets that mount barrages of fraudulent transactions against retailers. ®