Innovative Proxy Phantom ATO Fraud Ring Haunts eCommerce Accounts

The group uses millions of password combos at the rate of nearly 2,700 login attempts per second with new techniques that push the ATO envelope.

A sophisticated fraud ring, dubbed Proxy Phantom, has pushed the boundaries of credential-stuffing attacks with a dynamic account takeover (ATO) technique that was flooding eCommerce merchants in the third quarter.

Researchers at Sift uncovered the group, which is innovating in the realm of large-scale, automated ATO attacks, they said. Specifically, Proxy Phantom specializes in using a massive cluster of connected, rotating IP addresses to automatically try more than 1.5 million stolen username and password combinations against various log-in screens. The third-quarter attacks affected dozens of online merchants, but the next targets could be in any number of sectors.

“The group flooded businesses with bot-based login attempts to conduct as many as 2,691 log-in attempts per second—all coming from seemingly different locations,” the researchers explained in a Thursday analysis. “As a result, targeted merchants … would be forced to play a supercharged, global game of whack-a-mole, with new combinations of IP addresses and credentials coming for them at an unthinkable pace.”

Infosec Insiders Newsletter

The username/password combos were likely purchased in bulk on the Dark Web, the report noted. Ongoing credential theft and the collation of multiple breaches into vast collections has made underground forums home to a wonderland of login offerings, fueling an ongoing ATO boom. But what really set the Proxy Phantom attacks apart was the use of dynamically generated IP addresses from which it launched the campaigns.

Researchers observed several large IP clusters (networks of connected IPs) blossoming across the web, with one of them ballooning 50-fold within the space of one quarter. Many of these were “originating from a known, high-risk ISP, and indicating a fraud ring in action,” they noted.

“While it’s inevitable that will grow over time, this specific one exploded in size,” according to Sift. “In analyzing its traffic, our data scientists discovered that the cluster was centered around just a few proxy servers, and connected to scores of attempted, failed logins—pointing to automation and proxy IP rotation within the same address space.”

This is a remodel of typical ATO techniques that’s aimed at making a greater impact, researchers noted. Simultaneously and rapidly switching IP addresses helps cyberattackers to hide the origin of the attacks, while also evading detection from typical rules-based fraud prevention systems.

“Typically, fraud rings use a handful of IP addresses or hosts and cycle through a large list of stolen user credentials to breach a merchant’s security measures,” according to the firm. “By leveraging automation for both credential and IP address rotation, this ring exhibited a major evolution of the classic blitz ATO attack.”

The fraud-detection evasion is particularly concerning, the analysis pointed out, because the sheer volume of login attempts could end up fogging security systems altogether.

“These types of next-gen attacks could crush a merchant…leaving them stuck trying to block one IP address after another and trying to catch up to a machine that rotates data faster than any human or static rules could,” according to the firm. “Worse, it could overwhelm those rules — as more IPs show up and fail at breakneck speed, rules designed to assess risk will begin to identify everything as suspicious, deeply undermining the accuracy of the system.”

ATO Attacks See Staggering Uptick

Sift also released its Q3 2021 Digital Trust & Safety Index on Thursday, which shows that ATO attacks have tripled (up 307 percent) just since April 2019.

This attack method made up 39 percent of all fraud blocked on Sift’s network in Q2 2021 alone, the company noted.

“Fraudsters will never stop adapting their techniques to overwhelm traditional fraud prevention, making suspicious logins look legitimate, and legitimate ones look suspicious,” said Jane Lee, trust and safety architect at Sift, in a statement. “At the same time, poor consumer security habits—like reusing passwords for multiple accounts—make it easy and continue to breathe life into the fraud economy.”

The fintech and financial services sector in particular is under attack, the report found. ATO attacks in this vertical skyrocketed a staggering 850 percent between Q2 2020 and Q2 2021, “mainly driven by a concentration on crypto exchanges and digital wallets, where fraudsters would likely try to liquidate accounts or make illicit purchases,” Sift found.

Additionally, nearly half (49 percent) of consumers surveyed as part of the report feel most at risk of ATO on financial services sites compared with other industries, with a full quarter of ATO victims noting their compromises came via financial services sites.

The report also found that victims of ATO fraud are usually in for a long haul of misery. For instance, almost half (48 percent) of ATO victims have had their accounts compromised between two and five times.

In each attack, 45 percent had money stolen from them directly, while 42 percent had a stored payment type used to make unauthorized purchases. More than one in four (26 percent) lost loyalty credits and rewards points to fraudsters.

Nearly one in five (19 percent) of victims are unsure of the consequences of their accounts being compromised – perhaps because cybercriminals used the accounts for testing.

“More often than not, nothing happens to corrupted accounts immediately after they’ve been hacked – no unauthorized purchases, no stolen loyalty points, and no attempts to update passwords,” according to the report. “And that’s because they’re being used for something even more valuable.”

To wit: active accounts offer the most prolonged cover for fraudsters to perform card testing, as well as test the user’s credentials across their other high-value accounts, which may use the same information.

“Fraudsters can use this veiled position to verify associated addresses and other personal customer data, correlate security codes and password hints, discover other cards on file to target and reveal connected accounts or apps – all without making a purchase or otherwise tipping their hand,” Sift noted.

Check out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.

Suggested articles