Akamai Diversity

The Akamai Blog

CSIRT Warns of More Account Checker Fraud

The following was written by CSIRT Manager Mike Kun:

While investigating an attack against an Akamai customer, Akamai's CSIRT discovered a server hosting a web-based attack tool -- a variant of the account checker tool first discovered in 2012.
Account checkers are web-based files or scripts used by credit card fraudsters to quickly validate if any user ID/password pairs they have acquired are actually valid. Lists can be acquired from compromised websites and many are freely traded, bought and sold on black market forums.

Account checker scripts automate the process of credential validation and allow the group to check their lists against multiple sites. In the past we have seen these groups take over a customer's account and make fraudulent purchases with either rewards points or stolen credit cards. This recent tool, like the one we learned of before,  appears to be widespread inside of carder communities associated with SE Asia.

We're still analyzing this version of the account checker script, but based on what we know from before, the script simply crafts a request to a log-in page with an email address and password, returning either success or failure. The script can iterate through a list of proxies to disguise its origin and attempt to evade network blocklists, so static IP blocking is of limited use. Additionally, it randomizes the User-Agent string from a list of hundreds of possible options, to further obfuscate itself from valid traffic.

The best countermeasures we've seen involve rate accounting and blocking. The script relies on speed to check long lists of accounts very quickly. This means the traffic is very high and very noisy. Rate accounting can easily pick up these spikes and block the offenders.

Other indicators of compromise include:
• Large number of failed login attempts from a few IP addresses
• Multiple customer accounts being modified in a short time frame
• Changes to customer email addresses, often to a single mailing address
• Sudden change in purchasing habits, particularly a customer suddenly buying a large number of gift cards.

We have been able to create an Akamai custom WAF rule for this specific account checker. Customers can contact their account teams to get this rule activated for their configuration.

Any questions on account checkers can be sent to the Akamai CSIRT team: csirt@akamai.com.

1 Comment

I'm having a hard time finding the significance here.. These are common place. Are you familiar with APINO1 DOT NET? As of late it's offline, and there is speculation that it's been shutdown or moved but this script you speak of is essentially the same thing. if your min rate limit is say 1 second they will hit you at 1.1. As you guys pointed out, captcha is necessary.