Proxy Phantom: Fraud rings flood online merchants with credential stuffing attacks

Over 1.5 million stolen credential sets are being used by one fraud operation.
Written by Charlie Osborne, Contributing Writer

A massive fraud operation slamming e-commerce merchants in account takeover attacks has been revealed by researchers.

On Thursday, fraud prevention company Sift said the ring, dubbed Proxy Phantom, is using over 1.5 million sets of stolen account credentials in automated credential stuffing attacks against online merchants. 

Credential stuffing attacks generally rely on a database of stolen credentials -- potentially sourced from data breaches or data dumps leaked and sold online -- to slam a domain with login requests. 

Many of us use the same username and password combinations across different services -- although we shouldn't -- and so a data breach at one company could lead to account compromise at another. 

Estimates suggest that only 0.1% of credential stuffing attacks are successful. However, once you consider that thousands of account combinations could be tried at the same time, despite the low success rate, these attacks can still be worthwhile -- especially when they are used against merchants or financial services. 

According to Sift's Q3 2021 Digital Trust & Safety Index, Proxy Phantom "flooded businesses with bot-based login attempts to conduct as many as 2,691 login attempts per second." 

Connected, rotating IP addresses were also used to make the requests appear to stem from different geographical locations and primarily targeted e-commerce platforms and online services.  

The IP clusters doubled between April and June 2021.

"As a result, targeted merchants using rules-based fraud prevention methods would be forced to play a supercharged, global game of "whack-a-mole," with new combinations of IP addresses and credentials (likely purchased in bulk on the dark web) coming for them at an unthinkable pace," Sift said.

In addition, the report states that account takeover attacks detected by the company increased by 307% over Q3. Specifically, the financial sector is a top target, including cryptocurrency exchanges and digital wallet services. 

Earlier this month, Netacea published an index documenting the activities of scalper bots. These types of automated systems are built to beat online queues for high-ticket items such as concert tickets and gaming consoles in order to resell and generate a profit for their operators. 

In the past few months, the PlayStation 5, cryptocurrency mining cards, and Nvidia RTX 3000 series chips are highly sought by scalpers. 

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards