Feds Announce Seizure of Domains Used for Selling Stolen Credentials and Conducting DDoS Attacks

The Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI) have announced they have seized the domain weleakinfo.to, along with two related domains – ipstress.in and ovh-booter.com – that were being used to sell access to stolen personal information and for conducting distributed denial of service (DDoS) attacks on victim networks. The domain seizures came following an international law enforcement investigation into websites that facilitated the trafficking of stolen personal information and cyberattacks that disrupt legitimate online businesses.

There is a thriving market for stolen credentials. Sites such as weleakinfo.to provide cybercriminals with easy access to credentials that can be used to gain access to accounts and victim networks. weleakinfo.to contained more than seven billion indexed records, which included information such as names, email addresses, usernames, phone numbers, and passwords for online accounts. The data had been accumulated from more than 10,000 data breaches. The weleakinfo.to website provided a search engine and gave site users the ability to access the stolen personal information under a subscription model. For the duration of the subscription period, users were able to perform an unlimited number of searches of the database.

According to the announcement, the DOJ and the FBI seized the weleakinfo.to domain in January 2020 and also shut down a similar service provided at that website. Around the time when the site was taken down, police forces in Northern Ireland and the Netherlands arrested two men on suspicion of running the service, profiting from the sale of stolen personal information, and using malware in cyberattacks on businesses. According to the National Crime Agency in the United Kingdom, a further 21 arrests were made in connection to the site over purchases of stolen personal information and malicious cyber tools, and dozens of others received warnings from law enforcement agencies.

The DOJ and FBI also seized the ipstress.in and ovh-booter.com domains, which allowed users to conduct booter and stresser DDoS attacks. These attacks involve flooding websites with traffic to prevent legitimate users from accessing those websites. The websites were seized in a coordinated law enforcement operation with the National Police Corps of the Netherlands and the Federal Police of Belgium.

How to Limit Harm from Data Breaches

In order to take advantage of online services, it is necessary to create an account, and there is always a risk that the providers of those services may suffer a data breach. When a company detects a data breach, it will typically force a password reset to prevent unauthorized account access; however, the credentials stolen in that breach can still be used to try to gain access to other accounts.

Credential stuffing attacks involve using usernames and passwords from a data breach to try to gain access to accounts for other web services. They rely on individuals reusing usernames and passwords on multiple accounts. While the success rate may be low, credential stuffing attacks provide attackers with access to enough accounts to make the attacks worthwhile.

Credential stuffing attacks can only succeed if usernames and passwords are reused on multiple accounts. The way to prevent these attacks from succeeding is to create a unique password for all online accounts and, if possible, to also create a unique username for each account. If multi-factor authentication is also enabled, it should prevent the credentials from being used to gain access to the account on the breached website.
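Because credential stuffing relies on replaying many stolen username/password pairs, it leaves a characteristic trace on the receiving service: one source trying many distinct accounts in a short time with a low success rate, unlike a legitimate user who retries a single account. The following Python script is an added example, not code from the article or from any of the agencies or vendors it mentions; the log format, thresholds, addresses and usernames are constructed for illustration. It parses sample authentication log lines, flags sources that match the stuffing pattern within a sliding time window, and lists the accounts that were successfully accessed from a flagged source, which are the ones a defender would force to reset their password or step up to multi-factor authentication.

```python
"""Credential-stuffing detection over authentication logs (added example).

Assumed log line format (constructed for this example):
    <ISO-8601 UTC timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: 203.0.113.7 cycles through many distinct accounts
# with mostly failures (the stuffing pattern, including one reused password
# that worked); 198.51.100.4 is a legitimate user who mistypes twice.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice LOGIN_FAIL
2024-05-01T10:00:02Z 203.0.113.7 bob LOGIN_FAIL
2024-05-01T10:00:03Z 203.0.113.7 carol LOGIN_FAIL
2024-05-01T10:00:04Z 203.0.113.7 dave LOGIN_OK
2024-05-01T10:00:05Z 203.0.113.7 erin LOGIN_FAIL
2024-05-01T10:00:06Z 203.0.113.7 frank LOGIN_FAIL
2024-05-01T10:00:07Z 203.0.113.7 grace LOGIN_FAIL
2024-05-01T10:00:08Z 203.0.113.7 heidi LOGIN_FAIL
2024-05-01T10:01:00Z 198.51.100.4 alice LOGIN_FAIL
2024-05-01T10:01:10Z 198.51.100.4 alice LOGIN_FAIL
2024-05-01T10:01:20Z 198.51.100.4 alice LOGIN_OK
2024-05-01T12:30:00Z 203.0.113.7 ivan LOGIN_FAIL
"""


def parse_line(line):
    """Parse one log line into (timestamp, source_ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "LOGIN_OK"


def detect_stuffing(log_text, window=timedelta(minutes=10), min_users=5,
                    max_success_ratio=0.5):
    """Return {source_ip: summary} for sources that, within any sliding window,
    attempted at least `min_users` distinct usernames with a low success ratio.
    Thresholds are assumptions; tune them to the service's normal traffic."""
    events_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, ok = parse_line(line)
        events_by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, events in events_by_ip.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            # Advance the window start until all events in [start, end] fit.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {user for _, user, _ in span}
            successes = sum(1 for _, _, ok in span if ok)
            ratio = successes / len(span)
            if len(users) >= min_users and ratio <= max_success_ratio:
                best = flagged.get(ip)
                # Keep the window with the most distinct usernames per source.
                if best is None or len(users) > best["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(span),
                        "successes": successes,
                        "window_start": span[0][0].isoformat(),
                    }
    return flagged


def accounts_to_protect(log_text, **thresholds):
    """Usernames that logged in successfully from a flagged source. These are
    the accounts whose reused credentials were valid here and should be forced
    to reset and/or step up to multi-factor authentication."""
    flagged = detect_stuffing(log_text, **thresholds)
    hit = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, ok = parse_line(line)
        if ok and ip in flagged:
            hit.add(user)
    return hit


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(f"suspected credential stuffing from {ip}: {summary}")
    print("accounts to protect:", sorted(accounts_to_protect(SAMPLE_LOG)))
```

On the sample data only 203.0.113.7 is flagged (eight distinct usernames and one success inside ten seconds), while the legitimate user's repeated failures against a single account are ignored; the isolated attempt from the same source two and a half hours later falls outside the window on its own. The sliding window matters because a slow, distributed campaign can stay under any fixed per-minute rate limit, so a real deployment would also correlate across many source addresses.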

While having a unique password and username for each account is great for security, it is not very practical, which is why so many people reuse passwords across multiple accounts. The easiest solution is to use a password manager. A password manager helps users create unique passwords for every online account via a strong password generator. All passwords are stored in the user's password vault, so they never need to be remembered. Whenever the user visits a website that requires them to enter their credentials, those credentials are autofilled so they do not need to be typed. Users only need to create and remember one password or passphrase for their password vault. Some password manager providers, Bitwarden for example, also offer a username generator so that a unique username can be created for each account for added security.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news