Automating Online Hijacking Attacks
Internet-of-Things devices are a boon for cybercriminals in ways that do not necessarily affect the owner directly. Connected gadgets on your home network can help crooks hijack other people's online accounts: even modest smart devices have enough computing power and bandwidth to automate a process known as a credential stuffing attack.
Choosing passwords for convenience is a costly mistake. Security professionals have warned for years against reusing the same password across online services: if the bad guys get hold of one set of credentials, they can try it against other services to see which ones it unlocks.
Cybercriminals used to do this manually; these days they use tools available on the open web, not just the dark web, to automate the process. These utilities are driven by configuration files, known as configs, that script the interaction with a target site's login page: which elements to target (the username and password fields) and how to submit them.
The supply chain is simple: attackers breach websites and steal databases that include credentials, then crack the hashed passwords themselves or sell the dump to other criminals who can. The recovered username and password combinations are assembled into lists and fed to the automated credential stuffing tool. Reported success rates run as high as 5%, which is far from negligible when a list holds tens of millions of combinations.
Botnets are the ideal instrument for credential stuffing: the more devices, the faster the list is checked, and spreading the attempts across thousands of source addresses also helps evade per-IP rate limits on the login page. IoT devices exist in huge numbers, are often trivially easy to compromise, and stay online around the clock. Getting them to run the checking script and report hits back to the attacker is not difficult.
Akamai, a content-delivery and DDoS-protection provider, investigated fraudulent login activity targeting a credit union in North America. The botnet behind the attack had 20,000 devices, and 95% of the traffic appeared to come from Samsung Galaxy SM-G531H smartphones, judging by the User-Agent header. A fleet that uniform is a tell: automated tools often send a static or default user agent string, so the header says more about the tool than about the devices actually making the requests.
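The same tells that Akamai saw can be turned into detection logic on a site's own login logs. The following is an added example, not code from the article or from Akamai: it scores each source address on how often it fails, how many different accounts it tries, and how concentrated the User-Agent strings are across all traffic. The log format (one line per attempt: source IP, username, OK/FAIL, user agent), the sample addresses, the user agent strings and the thresholds are all constructed for illustration.

```python
"""Flag likely credential-stuffing sources in web login logs.

Added example, not from the original article.  A stuffing source tries many
different accounts, mostly fails (the article cites success rates of up to
5%), and keeps one static User-Agent; a human retrying their own password
fails a couple of times on a single account.  Log layout and thresholds are
assumptions for illustration.
"""
from collections import Counter, defaultdict

# Constructed user agents (assumed, not captured traffic).  The first mimics
# the device string Akamai saw on 95% of the botnet's requests.
BOT_UA = "Mozilla/5.0 (Linux; Android 5.1.1; SM-G531H Build/LMY48B) AppleWebKit/537.36"
HUMAN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"

# Constructed sample log: "<source_ip> <username> <OK|FAIL> <user_agent...>".
# 203.0.113.7 and 203.0.113.8 cycle through many accounts with one static UA;
# 198.51.100.20 is one person mistyping their own password twice.
SAMPLE_LOG = "\n".join([
    f"203.0.113.7 alice FAIL {BOT_UA}",
    f"203.0.113.7 bob FAIL {BOT_UA}",
    f"203.0.113.7 carol FAIL {BOT_UA}",
    f"203.0.113.7 dave FAIL {BOT_UA}",
    f"203.0.113.7 erin OK {BOT_UA}",      # the one reused password that hit
    f"203.0.113.7 frank FAIL {BOT_UA}",
    f"203.0.113.8 grace FAIL {BOT_UA}",
    f"203.0.113.8 heidi FAIL {BOT_UA}",
    f"203.0.113.8 ivan FAIL {BOT_UA}",
    f"203.0.113.8 judy FAIL {BOT_UA}",
    f"203.0.113.8 mallory FAIL {BOT_UA}",
    f"198.51.100.20 alice FAIL {HUMAN_UA}",
    f"198.51.100.20 alice FAIL {HUMAN_UA}",
    f"198.51.100.20 alice OK {HUMAN_UA}",
])

MIN_ATTEMPTS = 5       # too few attempts to judge a source below this
MIN_FAIL_RATIO = 0.8   # stuffing lists mostly miss
MIN_USER_SPREAD = 0.8  # share of attempts that target a *different* account


def parse_log(text):
    """Yield (ip, user, ok, user_agent) per line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split(maxsplit=3)  # UA may contain spaces, keep it whole
        if len(parts) != 4 or parts[2] not in ("OK", "FAIL"):
            continue
        ip, user, status, ua = parts
        yield ip, user, status == "OK", ua


def per_source_stats(text):
    """Aggregate attempts, failures, distinct users and UAs per source IP."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0,
                                 "users": set(), "uas": Counter()})
    for ip, user, ok, ua in parse_log(text):
        s = stats[ip]
        s["attempts"] += 1
        s["fails"] += 0 if ok else 1
        s["users"].add(user)
        s["uas"][ua] += 1
    return stats


def flag_stuffing_sources(text):
    """Return sorted source IPs whose behaviour matches list-checking."""
    flagged = []
    for ip, s in per_source_stats(text).items():
        if s["attempts"] < MIN_ATTEMPTS:
            continue
        fail_ratio = s["fails"] / s["attempts"]
        user_spread = len(s["users"]) / s["attempts"]
        if fail_ratio >= MIN_FAIL_RATIO and user_spread >= MIN_USER_SPREAD:
            flagged.append(ip)
    return sorted(flagged)


def dominant_user_agent(text):
    """Return (user_agent, share of all attempts) for the most common UA.

    Akamai's tell in the article: 95% of a 20,000-device botnet's traffic
    carrying one device string.  A share that high across many source IPs
    points to a tool with a static UA rather than a fleet of real phones.
    """
    uas = Counter(ua for _, _, _, ua in parse_log(text))
    ua, n = uas.most_common(1)[0]
    return ua, n / sum(uas.values())


if __name__ == "__main__":
    print("flagged sources:", flag_stuffing_sources(SAMPLE_LOG))
    ua, share = dominant_user_agent(SAMPLE_LOG)
    print(f"dominant UA ({share:.0%} of attempts): {ua}")
```

The per-source thresholds catch a single aggressive IP; the user-agent share is the fleet-level signal that survives when the attacker spreads attempts thinly across thousands of bots, each staying under the per-IP limits.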
Your first line of defense against this type of attack is a unique, strong password for every online account, so that one breached site does not unlock the others; a password manager makes this practical. Where possible, security experts also recommend enabling two-factor authentication (2FA), so that even if your password is cracked or leaked, the attacker cannot use it without passing a second challenge that is harder to obtain: typically a temporary code sent to you by email or SMS, or generated on your own device by an authenticator app. Codes from an authenticator app are preferable to SMS, which can be intercepted or redirected through SIM swapping.
Image credit: TheDigitalArtist