Innovative Proxy Phantom ATO Fraud Ring Haunts eCommerce Accounts

The group uses millions of password combos at the rate of nearly 2,700 login attempts per minute with new techniques that push the ATO envelope.

A sophisticated fraud ring, dubbed Proxy Phantom, has pushed the boundaries of credential-stuffing attacks with a dynamic account takeover (ATO) technique that was flooding eCommerce merchants in the third quarter.

Researchers at Sift uncovered the group, which they said is innovating in large-scale, automated ATO attacks. Specifically, Proxy Phantom specializes in using a massive cluster of connected, rotating IP addresses to automatically try more than 1.5 million stolen username and password combinations against various log-in screens. The third-quarter attacks affected dozens of online merchants, but the next targets could be in any number of sectors.

“The group flooded businesses with bot-based login attempts to conduct as many as 2,691 log-in attempts per second—all coming from seemingly different locations,” the researchers explained in a Thursday analysis. “As a result, targeted merchants … would be forced to play a supercharged, global game of whack-a-mole, with new combinations of IP addresses and credentials coming for them at an unthinkable pace.”
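Because every attempt arrives from a different address, a per-IP failure counter never trips. The following sketch is an added example, not code from Sift or from this article. It compares that classic control with a check on how thinly one window's failures are spread across IPs and accounts. The event layout, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

WINDOW = 60  # seconds per bucket (assumed)

def build_sample():
    """Constructed login events: (epoch_sec, src_ip, username, success)."""
    events = []
    # Baseline: 30 customers on stable IPs, with an occasional mistyped password.
    for t in range(0, 180, 2):
        i = (t // 2) % 30
        events.append((t, f"198.51.100.{i}", f"cust{i}", t % 20 != 0))
    # Burst in the second minute: each attempt uses a new IP and a new username.
    for n in range(300):
        events.append((60 + n % 60, f"2001:db8::{n:x}", f"leaked{n}", n % 100 == 0))
    return events

def per_ip_lockouts(events, max_failures=5):
    """Classic control: IPs with more than max_failures failed logins in one window."""
    fails = Counter((t // WINDOW, ip) for t, ip, _, ok in events if not ok)
    return sorted({ip for (_, ip), count in fails.items() if count > max_failures})

def stuffing_windows(events, min_failures=100, min_spread=0.8):
    """Windows whose failures are numerous AND spread over many IPs and accounts.

    Spread is distinct values / failures: close to 1.0 means almost every failed
    attempt used an IP and a username not seen failing elsewhere in that window.
    """
    buckets = defaultdict(list)
    for t, ip, user, ok in events:
        if not ok:
            buckets[t // WINDOW].append((ip, user))
    flagged = []
    for window, fails in sorted(buckets.items()):
        ip_spread = len({ip for ip, _ in fails}) / len(fails)
        user_spread = len({user for _, user in fails}) / len(fails)
        if len(fails) >= min_failures and min(ip_spread, user_spread) >= min_spread:
            flagged.append((window * WINDOW, len(fails)))
    return flagged

if __name__ == "__main__":
    sample = build_sample()
    print("per-IP lockouts:", per_ip_lockouts(sample))
    print("flagged windows (start_sec, failures):", stuffing_windows(sample))
```

On the constructed data the per-IP counter flags nothing, while the spread check flags the minute containing the burst.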

The username/password combos were likely purchased in bulk on the

