The group uses millions of password combos at a rate of nearly 2,700 login attempts per minute, with new techniques that push the ATO envelope.
A sophisticated fraud ring, dubbed Proxy Phantom, has pushed the boundaries of credential-stuffing attacks with a dynamic account takeover (ATO) technique that was flooding eCommerce merchants in the third quarter.
Researchers at Sift uncovered the group, which is innovating in the realm of large-scale, automated ATO attacks, they said. Specifically, Proxy Phantom specializes in using a massive cluster of connected, rotating IP addresses to automatically try more than 1.5 million stolen username and password combinations against various log-in screens. The third-quarter attacks affected dozens of online merchants, but the next targets could be in any number of sectors.
“The group flooded businesses with bot-based login attempts to conduct as many as 2,691 log-in attempts per second—all coming from seemingly different locations,” the researchers explained in a Thursday analysis. “As a result, targeted merchants … would be forced to play a supercharged, global game of whack-a-mole, with new combinations of IP addresses and credentials coming for them at an unthinkable pace.”
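A detection sketch for the rotating-IP pattern described above, added here as an example and not taken from Sift's analysis. It compares a classic per-IP failure limit with a window-level check that looks at how widely failed logins are spread across IPs and accounts; the event format, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

def per_ip_offenders(events, limit=5):
    """Classic control: IPs with more than `limit` failed logins overall."""
    fails = Counter(ip for _, ip, _, ok in events if not ok)
    return {ip for ip, n in fails.items() if n > limit}

def stuffing_windows(events, window=60, min_failures=100, min_spread=0.8):
    """Flag time windows whose failures are spread over many IPs AND many accounts.

    spread = distinct values / failures; near 1.0 means almost every failed
    attempt came from a new IP and targeted a new username.
    Thresholds are assumed values, to be tuned against real baseline traffic.
    """
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            buckets[ts // window].append((ip, user))
    flagged = []
    for b, fails in sorted(buckets.items()):
        n = len(fails)
        ip_spread = len({ip for ip, _ in fails}) / n
        user_spread = len({u for _, u in fails}) / n
        if n >= min_failures and ip_spread >= min_spread and user_spread >= min_spread:
            flagged.append({"start": b * window, "failures": n,
                            "ip_spread": round(ip_spread, 2),
                            "user_spread": round(user_spread, 2)})
    return flagged

def sample_events():
    """Constructed data: (epoch_second, ip, username, success)."""
    events = []
    # Window 0-59: ordinary traffic, including one user mistyping a password.
    events += [(5, "198.51.100.7", "alice", False),
               (9, "198.51.100.7", "alice", False),
               (14, "198.51.100.7", "alice", True),
               (30, "198.51.100.20", "bob", True)]
    # Window 60-119: 300 failures, each from a different IP for a different account.
    for i in range(300):
        ip = f"203.0.113.{i % 250}" if i < 250 else f"192.0.2.{i - 250}"
        events.append((60 + i % 60, ip, f"user{i}", False))
    events.append((75, "198.51.100.20", "bob", True))
    return events

if __name__ == "__main__":
    ev = sample_events()
    print("per-IP offenders:", per_ip_offenders(ev))
    print("flagged windows:", stuffing_windows(ev))
```

On the constructed data the per-IP limit flags nothing, because no address fails more than twice, while the window check flags the burst.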
The username/password combos were likely purchased in bulk on the