A group of Russian hackers is launching cyberattacks to steal user credentials from at least 85 companies. Targets include Amazon, American Airlines, AT&T, Best Buy, Wells Fargo, Dropbox, Dunkin' Donuts, eBay, GoDaddy, Uber, Match.com, McDonald’s, Office Depot, PayPal, Pizza Hut, Steam, Apple Pay, and others.
Configuration files being used in the attacks were intercepted by a private darknet security group, and copies were provided to Epoch Times. Data is still thin on who the individuals behind the attacks are, although they appear to be common cybercriminals and not tied to any government operations. They were speaking Russian in their online chats, and were using Russian servers.
Ed Alexander, a darknet investigator who provided the information, said that in the attacks on Apple Pay in particular, he saw the hackers “capturing card numbers and full identities,” which even included the answers to the personal questions users are asked when they try to recover a lost password.
“When I saw this file earlier this week, I took my iPhones off Apple Pay,” he said.
In the attacks targeting Steam, one of the most popular video game platforms with an estimated 125 million active users, the Russian hackers were seen stealing user emails and passwords. With access to an account, the hackers can take the virtual items it holds and sell them for virtual currencies or, through online auction websites, for real money.
The hackers had cyberattack files customized for each company they were targeting, and Alexander was able to provide copies of the attack files. The files were individual configurations for a black market cracking tool known as Sentry MBA.
Sentry MBA uses what’s known as “credential stuffing,” which takes advantage of users who use the same usernames and passwords across multiple websites. If a website gets breached somewhere and, for example, 10,000 user credentials from the hacked site get sold on hacker websites, hackers can buy these accounts and use them with Sentry MBA to test whether any of the logins work on another site or service.
The Sentry MBA tool has largely replaced older “brute forcing” methods, which generate random passwords on a massive scale until the correct password for an account is found.
The customized Sentry MBA configuration files used by the Russian hackers are designed to bypass security protocols unique to each website—such as CAPTCHA to ensure logins are from humans and not bots, and systems that block multiple login attempts.
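Because credential stuffing tries roughly one password per account, a per-account lockout of the kind the article mentions never triggers; the signal is instead on the source side, where one client fails against many different usernames. The following detector, an added illustration that is not from the article and not related to Sentry MBA's own code, runs over constructed sample login events (the IPs, usernames and thresholds are invented) and separates that stuffing pattern from classic brute force, then lists the accounts the stuffing source actually got into.

```python
from collections import defaultdict

# Constructed sample authentication events (not from the article):
# one "source_ip username result" record per line.
SAMPLE_LOG = """\
198.51.100.7 alice FAIL
198.51.100.7 bob FAIL
198.51.100.7 carol FAIL
198.51.100.7 dave OK
203.0.113.9 alice FAIL
203.0.113.9 alice FAIL
203.0.113.9 alice FAIL
203.0.113.9 alice FAIL
"""

def parse_log(text):
    # Parse "ip user result" lines; skip malformed lines instead of crashing.
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            events.append((parts[0], parts[1], parts[2] == "OK"))
    return events

def classify_sources(events, min_attempts=4, fail_ratio=0.6, spread_ratio=0.8):
    """Label each source IP that made at least min_attempts login attempts.
    Stuffing: mostly failures spread over many distinct usernames (about one
    guess per account). Brute force: mostly failures against few usernames.
    The thresholds are illustrative; tune them on real traffic volumes."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set()})
    for ip, user, ok in events:
        s = stats[ip]
        s["attempts"] += 1
        s["fails"] += 0 if ok else 1
        s["users"].add(user)
    verdicts = {}
    for ip, s in stats.items():
        if s["attempts"] < min_attempts:
            continue
        failing = s["fails"] / s["attempts"] >= fail_ratio
        spread = len(s["users"]) / s["attempts"] >= spread_ratio
        label = "normal"
        if failing:
            label = "credential_stuffing" if spread else "brute_force"
        verdicts[ip] = label
    return verdicts

def likely_compromised(events, verdicts):
    # A successful login from a stuffing source is a reused credential that worked.
    return sorted({u for ip, u, ok in events if ok and verdicts.get(ip) == "credential_stuffing"})
```

In this sample the first source is flagged as credential stuffing and `dave` is reported as the account it reached, which is the account whose password should be reset first.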
Sentry MBA is extremely effective, since it’s common for people to use the same usernames and passwords on multiple services. For example, in 2010, close to 1.5 million users had their data released online after Gawker was breached; and in 2011, more than 93,000 users had their information hacked on Sony’s PlayStation Network. According to software security community OWASP, about two-thirds of users from the Sony attack used the same credentials on Gawker.