One Million IP Addresses Used In Brute-Force Attack On A Bank

Cisco says in just one week in February they detected 1,127,818 different IP addresses being used to launch 744,361,093 login attempts on 220,758,340 different email addresses -- and that 93% of those attacks were directed at two financial institutions in a massive Account Takeover (ATO) campaign. An anonymous reader writes: Crooks used 993,547 distinct IPs to check login credentials for 427,444,261 accounts. For most of these attacks, the crooks used proxy servers, but also two botnets, one of compromised Arris cable modems, and one of ZyXel routers/modems. Most of these credentials have been acquired from public breaches or underground hacking forums. This happened before the recent huge data breaches such as MySpace, LinkedIn, Tumblr, and VK.com.
It's apparently similar to the stolen-credentials-from-other-sites attack that was launched against GitHub earlier this week.

I'm surprised this isn't happening more often

[damn_registrars]

My own personal (as in, at home hosted on a cable modem) web server used to get these same kinds of distributed dictionary attacks, botnet attempts to gain access to whatever they can. There were times when I would see this type of thing almost once a month or so; then it started to taper off and I haven't seen it in some time. I figured the botnets were just doing other things (or had decomposed).

And yes, I acknowledge that there is nothing important about my web server. I figured the botnets just occasionally go through every IP address they can find that accepts ssh connections and my number comes up every so often. I've never seen an IP address come up in both my web and ssh logs.

And yes, I know I can do more to prevent this. People offer up plenty of suggestions. Frankly I don't care, and I actually enjoy seeing tons of blocked ssh traffic in my logs from time to time. As you might expect the vast overwhelming majority of traffic is Chinese script kiddies attempting dictionary attacks as root; I don't care about those as I don't allow remote root. I find the distributed, phone book, and distributed phone book attacks much more interesting. They even give me a chance to tune up my cron jobs that parse my server logs :)

Re:I'm surprised this isn't happening more often

[pepsikid]

Yeah, one of the perks of running servers on a residential line is seeing firsthand all of the exploits. I'm fond of decrypting those mime-encrypted javascripts embedded in urls and finding the patebin page or hostname which it tries to fetch more scripts from; getting that shiat reported. If I were evil, i could build quite a library of exploits to use on others. They just send me these things haha!

Re:I'm surprised this isn't happening more often

[pepsikid]

I have my own cloud. I save on electricity by packing multiple servers into one box which is on 24/7 anyway. Having the servers physically located beside me relieves me of further concern that my hardware, website or forum might be seized or MitM'd. Also, the HOA can't sweet-talk some meddling corporation into kindly muzzling "that scofflaw." :)

Re:Internet of Thieves

[spire3661]

"Self driving doesn't have to be connected." For the most part yes it will be forced. Your vehicle will be connected to the road, other cars (V2V) and the internet, possibly on separate links. The vehicle will only operate once authenticated by the road. To be road authenticated you will have to running the most current version of software, which will be updated very frequently. The future of driving is bleak and glorious all at the same time.