Malware attacks against Linux systems are on the rise. And when it comes to bot malware, XorDDoS is the frontrunner.
The post Massive increase in XorDDoS Linux malware in last six months appeared first on Malwarebytes Labs.

Microsoft says it’s recorded a massive increase in XorDDoS activity (254 percent) in the last six months. XorDDoS, a Linux Trojan known for its modularity and stealth, was first discovered in 2014 by the white hat research group, MalwareMustDie (MMD).

MMD believed the Linux Trojan originated in China. Based on a case study in 2015, Akamai strengthened the theory that the malware may be of Asian origin based on its targets.

Microsoft said that XorDDoS continues to home on Linux-based systems, demonstrating a significant pivot in malware targets. Since Linux is deployed on many IoT (Internet of Things) devices and cloud infrastructures, we are likely to see DDoS (distributed denial-of-system) attacks from botnets that have compromised such devices.

DDoS attacks—where normal Internet traffic to a targeted server, service, or network is overwhelmed with a flood of extra traffic from compromised machines—have become part of a greater attack scheme. Such powerful attacks are no longer conducted just to disrupt. DDoS attacks have become instrumental in successfully distracting organizations and security experts from figuring out threat actors’ end goal: Malware deployment or system infiltration. XorDDoS, in particular, has been used to compromise devices using Secure Shell (SSH) brute force attacks.

XorDDoS is as sophisticated as it gets. The only simple (yet effective) tactic it uses is to brute force its way to gain root access to various Linux architectures.

As Microsoft said in the report:

> “Adept at stealing sensitive data, installing a rootkit device, using various evasion and persistence mechanisms, and performing DDoS attacks, XorDdos enables adversaries to create potentially significant disruptions on target systems. Moreover, XorDdos may be used to bring in other dangerous threats or to provide a vector for follow-on activities.”

XorDDos’s attack vector (Source: Microsoft)

**Security IoT devices**

If you have an IoT device at home, know there are ways to secure it. Note that you may need some assistance from the company who built your IoT device if you’re unfamiliar or unsure how to do any of the below.

*   Change your device’s default password to a strong one
*   Limit the number of IP addresses your IoT device connects to
*   Enable over-the-air (OTA) software updates
*   Use a network firewall
*   Use DNS filtering
*   Consider setting up a separate network for your IoT device(s)
*   When you’re not using your IoT device, turn it off.

If you plan to get an IoT device soon, buy from a well-known brand. You’re much more likely to get assistance from your supplier in beefing up your IoT device’s security.

Stay safe!

Massive increase in XorDDoS Linux malware in last six months

A DDoS campaign observed by Akamai from actors claiming to be REvil would represent a major pivot in tactics for the gang.

Concern has been raised that a coordinated distributed denial-of-service (DDoS) attack from a malicious actor could be associated with the notorious ransomware-as-a-service (RaaS) group REvil.  

According to a report from Akamai’s Security Intelligence Response Team (SIRT), the attack was aimed at one of Akamai’s hospitality customers. It consisted of a simple HTTP GET request, with a message demanding payment to a Bitcoin (BTC) wallet in exchange for stopping the attack. It also included an additional request for the company to stop operating in a specific country.

Given the request to stop operating in the geospecific location appeared to stem from a recent Supreme Court decision in that country, the attack took on a political flavor that Akamai analysts say would be a break with REvil’s earlier strategies.

“We haven’t seen them linked to hacktivism or political goals in any of the previously reported attacks,” according to Akamai.

On the technical front, the use of proxying capabilities and “fairly well” distributed IPs participating in the attack indicated that some level of coordination was required between the attacker and the proxying system, the Wednesday report notes.

And, due to the extensive use of MikroTik devices identified in the attacking sources, the report suggests the attack could be supported by the MikroTik-based Meris botnet, which also has links to REvil. That said, the low volume of requests per second (Rps) and relatively unsophisticated nature of the campaign are atypical of Meris attacks, the report notes.

**REvil Redux?**

Since being reportedly dismantled by the Russian government earlier this year, there have been hints that REvil – or at least some previous members of the gang – is putting itself back together.

In April, anti-malware firm Avast revealed that the company's software had blocked a ransomware sample that appeared to be generated using information that only previous members of the REvil group could have accessed. The discovery of the file came more than a week after cybersecurity firm Emsisoft revealed that the Web address of REvil's leak site now points to a new host, using both the REvil name and claiming to have compromised a US university and an oil company in India.

Then in March, security firm Imperva reported mitigating a ransom DDoS attack tied to the Meris botnet measuring 2.5 million requests per second (Mrps). It included a series of ransom notes received by the customer that also claimed it came from REvil.

While DDoS has been used in the past by some groups as an extra layer of pressure on ransomware victims to pay up, in both the March incident and this latest case, the attack is pure-play DDoS.

"We haven't seen ransomware linked to these campaigns. The only tie to ransomware is the naming of REvil in the extortion demands," says SIRT engineer Chad Seaman.  

But as to whether this latest incident means that REvil is truly back and testing out new techniques, Seaman is skeptical.

"I don't feel there are strong indicators here that this is indeed a resurgence of REvil,” he says. “Even in the prior reported campaigns, I don't believe there are strong indicators that positively attribute those attacks to REvil in reality."

For instance, the alert also pointed out that the BTC wallet does not have any previous connection to REvil. And the gang has maintained in the past that it is purely profit driven, after all.

Seaman says the threat is more likely to stem from a copycat group looking to leverage REvil’s notoriety.

**DDoS Extortion: A New Avenue for Fear**

He added that be it REvil or someone leveraging the name or reputation, the attack is clearly a play on fear in the hopes of easy money, so the most concerning takeaway from Akamai’s investigation is the fear and panic associated with the threat.

“This is the goal of these types of attacks: to scare the victim into paying, lending credibility to the threat using a scary name,” he explained. “When these campaigns spin up and start to get press, it's typically followed by a surge of copycats.”

From Seaman’s perspective, the publishing of reports like these requires a delicate balance of notifying the public of the threat without the threat turning into a wildfire of copycats.

“We're hoping to help raise awareness while ramping down the associated fear because if we don't get out in front of these types of campaigns and fear-based reporting outpaces sane analysis, it only serves to fuel the fire, not fight it,” he said.

DDoS Extortion Attack Flagged as Possible REvil Resurgence

Verizon's "2022 Data Breach Investigations Report" repeatedly makes the point that criminals are stealing credentials to carry out their attacks.

Credentials, phishing, exploiting vulnerabilities, and botnets "pervade all areas of the DBIR, and no organization is safe without a plan to handle them all," Verizon's team of researchers wrote in this year's "Data Breach Investigations Report."

Attackers don't have to bother with zero-day vulnerabilities or build out elaborate attack tools when they can just steal credentials and log right in. Whether the report is looking at Web application attacks, email scams such as business email compromise, or malware, the theme was consistent: Stolen credentials played a role. 

DBIR is chock-full of charts and visualizations, so it is difficult to pick just one -- though the chart about what types of data attackers are stealing is a particularly striking. For a long time, criminals were interested in personal data -- data that could be used for identity theft or other types of financial fraud. While that is still the case, that is not the complete story. Attackers are focusing heavily on obtaining stolen credentials, since those credentials make carrying out other attacks even easier and harder to detect. The report considers 180 different actions that lead to data breaches, and the use of stolen credentials is the most common.

"We've long held that credentials are the favorite data type of criminal actors because they are so useful for masquerading as legitimate users on the system," the report says.

Consider how ransomware gets onto the targeted system: 40% of ransomware incidents involve the use of desktop sharing software, such as remote desktop protocol. And the easiest way to access RDP is via weak passwords.

While third-party breaches represent just 1% of breaches in the 2022 dataset, about half of them involved the use of stolen credentials. 

Phishing and stolen credentials were the top two actions in data breaches involving social engineering attacks. The third is "pretexting," almost all of which are business email compromises. A quarter of BECs used stolen credentials against the victim organization, according to the report.

And finally, in the area of web application attacks, the vast majority of incidents use stolen credentials as their entry point. Over 80% of the breaches that was categorized under web application attacks in this year's DBIR can be attributed to stolen credentials. In comparison, the second most common action, exploiting vulnerabilities, is less than 20%.

"There’s been an almost 30% increase in stolen credentials since 2017, cementing it as one of the most tried-and-true methods to gain access to an organization for the last four years," the report says.

"Even if passwordless authentication isn't ready for prime time in your organization, the report findings can be used to help fund and implement multi-factor authentication," says Rick Holland, CISO and vice-president of strategy at Digital Shadows.

DBIR Makes a Case for Passwordless

By Waqas
The trove of data was leaked due to a misconfigured Elasticsearch server and in total it stored 870…
This is a post from HackRead.com Read the original post: Personal Data of Tens of Millions of Russians and Ukrainians Exposed Online

The trove of data was leaked due to a misconfigured Elasticsearch server and in total it stored 870 million records or 147 GB of data.

SafetyDetectives security team led by Anurag Sen shared details of a misconfigured Elasticsearch server that exposed the data of millions of loan applicants. The data mainly belonged to people from Ukraine, Kazakhstan, and Russia who had applied for microloans.

The server was detected randomly on December 5th, 2021, while checking certain IPs however the details of it have only been shared this week. The anonymous server was left unsecured and unprotected as it didn’t have any authentication protocols, which led to the leaking of more than 870 million records or 147GB of data.

**Owner Identity Yet Not Available**

SafetyDetectives couldn’t determine who owned the server. However, researchers noted that customer logs of numerous microloans providers’ websites were stored on the server, but most weren’t financial services like lenders or banks. Instead, these websites were of third parties that are intermediaries between the loan company and the applicant.

Most entries in the server’s logs were in the Russian language, while most data belonged to Russians. Therefore, researchers concluded that the server’s owner is a Russian entity.

**Details of Exposed Data**

According to SafetyDetectives researchers, different forms of personally identifiable information (PII) and sensitive user data got exposed in this leak, including details of users’ “internal passports” and other forms of data.

It is worth noting that In Russia and Ukraine, internal passports are used as the substitute for national IDs and are used within the country’s territories. According to SafetyDetectives’s blog post, the internal passport details contained in the exposed server include the following information of users:

*   Gender
*   Marital status
*   Date and place of birth
*   The physical address, including city and region
*   Full name with first name, last name, and patronymic name
*   Passport number with issue/expiry dates and serial number

Some of the exposed data, such as cities, names, addresses, and issued by locations, were written in Cyrillic script, which is primarily used in some parts of Asia and Europe.

In some instances, this information was decoded into certain symbols. Other PII details exposed by the unsecured server include the following:

*   Salary
*   Child count
*   Loan details
*   Mobile numbers
*   Email addresses
*   Employment status
*   Education information
*   Login OTP SMS codes
*   INN (tax identification numbers)

**How Many Users Impacted?**

Around 10 million users are expected to be affected by this exposure. Many server logs and passport numbers belonged to Russians, while most INNs belonged to Ukrainians. The server was located in Amsterdam, the Netherlands.

SafetyDetectives contacted the Russian CERT on December 14th, 2021, and the Dutch CERT on December 30th, 2021. However, both refused to help. The server’s hosting firm was contacted on January 13th, 2022, which secured the server the same day.

**Potential Dangers**

Considering the extent and nature of exposed data, the incident can have far-reaching implications. Such as bad actors can download the data and carry out identity theft, phishing scams, scam marketing campaigns, and microloans identity fraud.

**More Elasticsearch database Mess Ups**

1.  9,517 unsecured databases identified with 10 billion records globally
2.  New malware attack turns Elasticsearch databases into DDoS botnet
3.  Stripchat database mess up exposes 200M adult cam models, users’ data
4.  US and China Exposed Most Databases Among 308,000 Discovered in 2021
5.  Misconfigured ElasticSearch Servers Exposed 579GB of Users’ Website Activity

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Personal Data of Tens of Millions of Russians and Ukrainians Exposed Online

Fronton botnet has far more ability than launching DDOS attack, can track social media trends and launch suitable propaganda.

Fronton botnet has far more ability than launching DDOS attack, can track social media trends and launch suitable propaganda.

A fresh look at the Fronton DDoS-focused botnet reveals the criminal tool has more capabilities than previously known.

The Fronton botnet first made the headline in March 2020. That is when, according to news reports, a hacktivist group called Digital Revolution said it obtained documents claiming to be from 0day Technologies, allegedly a contractor for Russia’s Federal Security Service.

Now the cybersecurity firm Nisos is reporting the Fronton malware goes beyond delivering DDoS attacks and can be used to create massive numbers of social media accounts that can then be used to shape opinion via social media manipulation.

After further analysis of the documents related to Fronton, the Nisos researcher assert that DDoS “is only one of the many capabilities of the system… Nisos analyzed the data and determined that Fronton is a system developed for coordinated inauthentic behavior on a massive scale,” Nisos added.

****Working of Fronton****

Fronton, researchers say, doubles as a backend infrastructure for the social media disinformation. The malware uses an army of compromised IOT devices to carry out both DDoS attacks and disinformation campaigns.

“This system includes a web-based dashboard known as SANA that enables a user to formulate and deploy trending social media events en masse. The system creates these events that it refers to as Инфоповоды, ‘newsbreaks,’ utilizing the botnet as a geographically distributed transport,” according to researchers.

SANA allows users to create fake social media accounts with generated email and phone numbers, these fake accounts are used to spread content across social networks, blogs and forums, researchers said.

“SANA creates social media persona accounts, including provisioning of an email and phone number,” Nisos explained.

Additionally, researchers note that the platform allows users to control the number of likes, comments, and reactions. As well as provide the “facilities for creating these newsbreaks on a schedule or a reactive basis”, this will track the messages, trends, and their responses.

A response model is specified to perform certain actions after the execution of the Newsbreak. The response model allows the group of bots to react to a piece of particular news in a certain fashion (positive, negative, or neutral), according to the report.

“The response model allows an operator to specify weekly frequency of likes, comments, and reposts. It also allows for the selection of comments from the dictionary lists in order to direct the response patterns of the virtual social group,” Nisos added in a report.

The operators can also specify a minimum frequency of actions and a minimum interval between actions. The researcher also found the platform has “a machine learning (ML) system involved that can be turned on or off based on behavior observed on social media.”

The researcher added that Fronton operators have the capability to control the number of friends a fake bot should maintain, and integrate with a feature to store imagery for the bot.

The usage of the tool in real-world attacks is not clear, and as of April 2022, the web portal is active and moved to a different domain.

“As of April 2022, 0day technologies has changed its domain from 0day\[.\]ru to 0day\[.\]llc,” Nisos noted.

Nisos released a complete research report for further analysis.

Fronton IOT Botnet Packs Disinformation Punch

Analysts have seen a massive spike in malicious activity by the XorDdos trojan in the last six months, against Linux cloud and IoT infrastructures .

Cybercriminal use of the Linux Trojan known as XorDdos is on the rise, according to a new report, which found a 254% increase in malicious activity against Linux endpoints using the malware over the last six months. 

It was first discovered in 2014, and the Microsoft 365 Defender Research Team explained in a recent blog post that the XorDdos Trojan targets Linux cloud and Internet of Things (IoT) endpoints, and deploys botnets to carry out distributed denial-of-service (DDoS) attacks. 

The team added that the attacks fit a wider trend of attacks targeting Linux-based systems. 

"By compromising IoT and other internet-connected devices, XorDdos amasses botnets that can be used to carry out DDoS attacks," the team wrote in describing the rise of the XorDdos Trojan. "DDoS attacks in and of themselves can be highly problematic for numerous reasons, but such attacks can also be used as cover to hide further malicious activities, like deploying malware and infiltrating target systems."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Linux Trojan XorDdos Attacks Surge, Targeting Cloud, IoT

By Waqas
The Pro-Russia Hacker Group Killnet recently targeted European institutions, while Anonymous hackers are already claiming to have leaked…
This is a post from HackRead.com Read the original post: Anonymous Declares Cyber War Against Pro-Russia Hacker Group Killnet

The Pro-Russia Hacker Group Killnet recently targeted European institutions, while Anonymous hackers are already claiming to have leaked the group’s personal information in a database dump.

The Anonymous hacktivists collective announced declaring cyberwar against pro-Russia hackers Killnet. The hacktivist group posted about this recent development on their Twitter handle, @YourAnonOne. The tweet read:

“The #Anonymous collective is officially in cyberwar against the pro-Russian hacker group #Killnet.”

Shortly after posting the tweet, Anonymous revealed that the official website of Killnet (Killnet.ru) was taken offline. Anonymous later posted that Killnet’s user database has also been leaked online.

“Pro Russian hackers group KillNet user database is leaked online by #Anonymous. LOL,” wrote @AnonOpsSE.

As seen by Hackread.com, the leaked database contains 146 email address and their plain-text passwords.

Tweets from Anonymous and alleged database leak (Image: Hackread.com)

**Why Anonymous Furious at Killnet?**

This act could be in response to the warning issued by cybersecurity agencies in the UK, USA, Canada, New Zealand, and Australia, citing that pro-Russian hackers may soon target organizations outside of Ukrainian borders.

It is worth noting that the FVEY (Five Eyes Alliance) published a threat assessment report yesterday. The organization revealed that numerous Russian government-sponsored and other hacker groups have vowed to support Russia.

The same report claimed that these groups could target Western critical national infrastructure organizations. Some identified cybercrime groups included DDoS attackers Killnet, CoomingProject, Sality botnet fame Salty Spider, and Emotet operators Mummy. Hence, Anonymous wants to disrupt Killnet’s attacking capabilities that have intensified in Europe recently.

**Killnet Claims They’re “Ordinary People”**

In an interview with the Russian news network RT, Killnet explained their version of ongoing events. In its interview given in the Russian language, the group claimed that it comprises “ordinary people from all over Russia who stood up to defend their country.”

> “We have always been hated . First, it was the “terrible” empire, then the “bad” Soviet Union, and now it’s the “evil” Russia.” DDoS is the face of our project. Behind the scenes lies a huge amount of work on an invisible front. This is the calculation of the positions of the Armed Forces of Ukraine, hacking enemy systems, monitoring and collecting information, as well as capturing control systems.
> 
> Killnet

Killnet on Telegram

**Killnet’s Recent Hacking Spree**

Killnet specializes in DDoS attacks and has recently targeted websites of numerous Italian government ministries and institutions, including the country’s customs agency, foreign affairs department, culture and heritage ministry, education ministry, and the superior council of the judiciary.

This hacking spree occurred in early May, while on 16 May, Killnet attacked the Italian upper house of parliament, the Automobile Club d’Italia, and the National Health Institute. In April, Killnet attacked the Romanian government-owned websites, including the Ministry of Defense, with DoS attacks originating from Russia.

The pro-Russia group has also attacked the websites of the governments of the USA, the Czech Republic, Estonia, Poland, and other NATO members.

**More Anonymous Attacks on Russia News**

1.  DDoS Attacks by Hacktivists Disrupted Russian Alcohol Supply Chain
2.  Anonymous sent 7 million texts to Russians & hacked their security cams
3.  Russian TV Schedules Hacked on Victory Day to Show Anti-War Messages
4.  Confirmed: Anonymous Hacks Central Bank of Russia; Leaks 28GB of Data
5.  Anonymous & its affiliates hacked 90% of Russian misconfigured databases

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Anonymous Declares Cyber War Against Pro-Russia Hacker Group Killnet

Fronton, a distributed denial-of-service (DDoS) botnet that came to light in March 2020, is much more powerful than previously thought, per the latest research.
"Fronton is a system developed for coordinated inauthentic behavior on a massive scale," threat intelligence firm Nisos said in a report published last week.
"This system includes a web-based dashboard known as SANA that enables a user

Fronton, a distributed denial-of-service (DDoS) botnet that came to light in March 2020, is much more powerful than previously thought, per the latest research.

"Fronton is a system developed for coordinated inauthentic behavior on a massive scale," threat intelligence firm Nisos said in a report published last week.

"This system includes a web-based dashboard known as SANA that enables a user to formulate and deploy trending social media events en masse. The system creates these events that it refers to as Инфоповоды, 'newsbreaks,' utilizing the botnet as a geographically distributed transport."

The existence of Fronton, an IoT botnet, became public knowledge following revelations from BBC Russia and ZDNet in March 2020 after a Russian hacker group known as Digital Revolution published documents that it claimed were obtained after breaking into a subcontractor to the FSB, the Federal Security Service of the Russian Federation.

Further investigation has traced the analytical system to a Moscow-based company known as Zeroday Technologies (aka 0Dt), with links identified to a Russian hacker by the name of Pavel Sitnikov, who was arrested in March 2021 on charges of distributing malicious software via his Telegram channel.

Fronton functions as the backend infrastructure of the social media disinformation platform, offering an army of compromised IoT devices for staging DDoS attacks and information campaigns by communicating with a front-end server infrastructure over VPNs or the Tor anonymity network.

SANA, on the other hand, is designed to create fake social media persona accounts and manufacture newsbreaks, which refer to events that create information "noise" with the goal of shaping online discourse by means of a response model that allows the bots to react to the news in a "positive, negative, or neutral fashion."

What's more, the platform enables the operators to control the amount of likes, comments, and reactions a bot account can create as well as specify a numeric range of the number of friends such accounts should maintain. It also incorporates an "Albums" feature to store imagery for the bot accounts.

It's not immediately clear if the tool was ever used in real-world attacks, whether be it by the FSB or otherwise.

The findings come as Meta Platforms said it took steps against covert adversarial networks originating from Azerbaijan and Iran on its platform, by taking down the accounts and blocking their domains from being shared.

Cybersecurity company Mandiant, in an independent report published last week, revealed that actors aligned with nation-states such as Russia, Belarus, China, and Iran have mounted "concerted information operations" in the aftermath of Russia's full-scale invasion of Ukraine.

"Russia-aligned operations, including those attributed to Russian, Belarusian, and pro-Russia actors, have thus far employed the widest array of tactics, techniques, and procedures (TTPs) to support tactical and strategic objectives, directly linked to the conflict itself," Mandiant noted.

"Meanwhile, pro-PRC and pro-Iran campaigns have leveraged the Russian invasion opportunistically to further progress long-held strategic objectives."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Fronton: Russian IoT Botnet Designed to Run Social Media Disinformation Campaigns

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 13 and May 20. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Threat Roundup for May 13 to May 20

To succeed against dynamic cybercriminals, organizations must go multiple steps further and build a learning system that evolves over time to keep up with attacker tactics.

Identity is the new currency, and digital adversaries are chasing wealth. According to Verizon's "Data Breach Investigations Report," 61% of data breaches can be traced back to compromised credentials. Why? Breaking into systems with legitimate user credentials often enables attackers to move undetected across a network for intelligence gathering, data theft, extortion, and more.

Access control is foundational to defending systems, but like any tool, it has its limits. Motivated attackers try to find ways around the edges of access control systems to gain access to accounts. Many companies have invested in anti-fraud technologies to detect and mitigate these types of attacks against high-value targets, such as login and payment flows.

However, fraudsters' tactics can work equally as well in areas beyond login and payment flows. Therefore, we see persistent attackers who now target "identity construction" systems like provisioning, device enrollment, password reset, and other account management systems.

Because these identity provider systems establish the basis for all access control, they are now attracting dedicated attention from cybercriminals. For example, LockBit, Avaddon, DarkSide, Conti, and BlackByte ransomware groups are all utilizing initial access brokers (IABs) to purchase access to vulnerable organizations on Dark Web forums. IABs have grown in popularity within the last couple of years and are significantly lowering the barriers to entering the world of cybercrime.

**An Uptick in Identity-Related Attacks  
**Recent attacks and extortion attempts on major third-party software like Okta and Microsoft are clear examples of the damage that can be done when compromised credentials are used to carry out account takeover (ATO) attacks. The Lapsus$ ransomware group conducted all of their ATO activity using stolen credentials that were obtained using unconventional and sophisticated means. Recent news suggests that the group continues buying compromised account credentials until it finds one with source code access.

While all online accounts are vulnerable to ATO fraud, bad actors tend to target accounts they consider highly valuable, like bank accounts and retail accounts with stored payment information. Bad actors typically will use automated tools such as botnets and machine learning (ML) to engage in massive and ongoing attacks against consumer-facing websites. With automated tools, they commit ATO fraud using techniques such as credential stuffing and brute-force attacks, as shown by Lapsus$.

However, fraudsters don’t always use automated tools for ATO fraud. They can gain access through phishing, call-center scams, man-in-the-middle (MITM) attacks, and Dark Web marketplaces. Some have even been known to employ human labor ("click farms") to manually enter login credentials so that the attacks go undetected by tools that look for automated login attempts. Nevertheless, ATO is now the weapon of choice for many fraudsters, perhaps accelerated by the pandemic, with attempted ATO fraud rising 282% between 2019 and 2020.

Identity-based fraud can be extremely difficult to detect considering the advanced tactics and randomness of different crime groups. Most of the breaches we hear about in the news are a result of businesses relying on automated access control tools rather than tracking user accounts to detect unusual behavior quickly.

**Access Control Layers Are Not Enough  
**Historically, access control implements authentication and authorization services to verify identity. Authentication focuses on who a user is. Authorization focuses on what they should be allowed to do.

These types of access control layers are a good first defense against identity-based fraud, but as made evident in recent attacks like Okta and Microsoft, fraudsters can bypass these tools fairly easily. There must be a second line of defense in the form of a detection system that learns and adapts. Therefore, companies should consider going beyond who a user is and what they are allowed to do, and ensure your identity system monitors and learns from what the user _is actually doing._

**The Need for a More Dynamic System  
**Many of the techniques that cybercriminals use lie at the intersection of security and usability. Simply looking at either security or usability misses the point. If we look only at how the security protocol _should_ work, we miss the point of how users will realistically use it. And if we only think about how to make it easy to use, we miss how to keep the bad people out. The protection layer from access control establishes the "allowed/not allowed" decision, but it should be backstopped by another layer of detection that observes and learns based on how the system is used and attempts at misuse. This second layer's job includes identifying the tactics used to takeover accounts through brute force, redirection, tampering, and other means.

As mentioned above, authentication is a static set of something you know, something you are, and something you have. But in a war against attackers that are dynamic, a static "shield" doesn’t do much for the sake of defense. To address this gap, a robust learning system is required to identify and block dynamically changing attacker tactics.

Companies are investing in identity graph technologies for many authentication and high-value flows. Identity graphs are a real-time prevention technique that collects data on more than a billion identities, including personas and behavior patterns, so that security teams can quickly identify unusual behavior from user accounts. \[Note: The author's company is one of a number using identity graph technology.\] With this type of real-time, data-driven approach, teams can identify behavior and activities generated from automated tools like bots and ML algorithms and can detect unusual behavior before it causes any damage, such as theft or fraudulent purchases.

To succeed against dynamic cybercriminals, organizations must go multiple steps further and build a learning system that evolves over time to keep up with attacker tactics. Identity graph technologies can help organizations recognize attacker tactics across the whole identity life cycle, including provisioning and account maintenance. These techniques can ebb and flow with the sophisticated threat landscape we're witnessing today.

Tag

#botnet