Hackers Use Atlantis AIO Tool to Automate Account Takeover Attacks
Threat actors are using a tool available on the dark web to automate credential-stuffing attacks, allowing them to scale their malicious efforts by testing millions of stolen credentials in rapid succession.
The e-crime tool, Atlantis AIO, is the latest example of how automation technologies, including AI and machine learning, are giving cybercriminals significantly greater capabilities to run their attacks at scale more easily.
“By offering pre-configured modules for targeting a range of platforms and cloud-based services – particularly email providers – it allows cybercriminals to launch credential stuffing attacks at scale with minimal effort,” threat researchers with Abnormal Security wrote in a report this week. “This automation facilitates large-scale fraud, data theft and account takeovers.”
In credential-stuffing attacks, hackers armed with lists of stolen credentials try to gain access to various online accounts, such as email, banking, e-commerce and social media, that use the same usernames and passwords. They take advantage of users’ habits of using the same credentials for multiple accounts, a practice that organizations try to guard against but that persists among people who often have more than 100 password-protected accounts.
Often, the credentials are stolen during data breaches or phishing attacks and made available for sale on underground forums. Bad actors can use the access gained from the stolen credentials to take over accounts.
Automation is Key
“These attacks typically rely on automated tools to quickly test large numbers of stolen login details on different websites in rapid succession,” the researchers wrote. “If any of the login attempts work, the threat actor can take over the account, which can lead to stolen funds, leaked personal information, or fraud. They can also use the account to launch additional attacks.”
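On the defensive side, the pattern described above (one automated source trying many different accounts in quick succession, with only a few logins succeeding) can be searched for in authentication logs. The following is an added example, not code from Abnormal Security or the article; the event format, function names, sample data and thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque

def build_sample_events():
    """Constructed login events: (epoch_seconds, source_ip, username, succeeded)."""
    events = []
    # One source cycling through 40 different accounts in 40 seconds, 2 hits.
    for i in range(40):
        events.append((1000 + i, "203.0.113.7", f"user{i}@example.com", i in (11, 29)))
    # An ordinary user who mistypes a password twice, then logs in.
    events += [(1005, "198.51.100.4", "alice@example.com", False),
               (1012, "198.51.100.4", "alice@example.com", False),
               (1020, "198.51.100.4", "alice@example.com", True)]
    # A shared office address: five users, all successful.
    for i in range(5):
        events.append((1000 + 10 * i, "192.0.2.10", f"staff{i}@example.com", True))
    return events

def find_stuffing_sources(events, window_s=60, min_users=20, max_success_ratio=0.2):
    """Flag sources that try many distinct usernames in a sliding window
    with a low success ratio. Thresholds are illustrative assumptions.
    Returns {ip: {"distinct_users": n, "compromised": [usernames that succeeded]}}."""
    by_ip = defaultdict(list)
    for ev in sorted(events):                      # order by timestamp
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        window = deque()
        for ev in evs:
            window.append(ev)
            while ev[0] - window[0][0] > window_s:  # drop events older than the window
                window.popleft()
            users = {u for _, _, u, _ in window}
            hits = {u for _, _, u, ok in window if ok}
            if len(users) >= min_users and len(hits) / len(window) <= max_success_ratio:
                prev = flagged.get(ip, {"distinct_users": 0, "compromised": []})
                flagged[ip] = {
                    "distinct_users": max(prev["distinct_users"], len(users)),
                    # Accounts that did log in from a flagged source need a reset.
                    "compromised": sorted(set(prev["compromised"]) | hits),
                }
    return flagged

if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(build_sample_events()).items():
        print(ip, stats)
```

The `compromised` list is the actionable output: those accounts accepted a login from a flagged source and are candidates for session revocation and a forced password reset. Per-source counting is only one signal, since attempts spread across many addresses will not cross a single-IP threshold.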
Account takeover (ATO) attacks are a growing problem. Cybersecurity firm Huntress last month pointed to a report that showed a 354% year-over-year increase in such attacks in 2023, and AARP reported that ATO fraud resulted in almost $13 billion in losses the same year.
While automation can help cybersecurity efforts, it is also increasingly used by cybercriminals. The ISA Global Security Alliance outlined in a report how automation is being used by ransomware groups in many parts of their operations, from running research and reconnaissance on potential victims to writing and sending out phishing emails to spreading the ransomware once it’s in a target’s IT environment.
Millions of Credentials, 140 Platforms
With Atlantis AIO, threat actors can rapidly run millions of usernames and passwords across more than 140 platforms. It includes modules for specific services, including email providers such as Hotmail, Yahoo, AOL and GMX.
There are also modules for brute-force attacks on various services on these email accounts and for the account recovery processes of services like eBay and Yahoo, which also enable attackers to bypass security measures like CAPTCHA.
The targets extend beyond email to include e-commerce sites, streaming services, VPNs, financial institutions and food delivery services.
“Once they gain access to accounts across various platforms, attackers can exploit them in multiple ways – e.g., selling login details on dark web marketplaces, committing fraud, or using compromised accounts to distribute spam and launch phishing campaigns,” the Abnormal Security researchers wrote. “These stolen credentials frequently appear on the same underground forums where tools like Atlantis AIO are sold.”
Accounts for Sale
They pointed to one example in which a cybercriminal advertised access to more than 220,000 compromised email accounts that list both personal and corporate addresses, “likely due to employees reusing passwords across personal and professional accounts.”
Atlantis AIO has been around for a while, with researchers with Sift, a company that uses machine learning in its fraud prevention platform, noting on LinkedIn last year that the tool – which they said also was known as Atlantis X – could be had for $150 and can make “ATO fraud at scale fast and easy.”