A Russian hacker group is suspected of having launched targeted attacks against numerous US tech giants. Security researchers reportedly intercepted configuration files used in the attacks, which revealed that the hackers were using Russian servers and were speaking in Russian while communicating in online chats.
The hackers are believed to have been stealing user credentials from around 85 companies, including Amazon, American Airlines, Apple Pay, AT&T, Best Buy, Dropbox, Dunkin' Donuts, eBay, GoDaddy, Match.com, McDonald's, Office Depot, PayPal, Pizza Hut, Steam, Uber and Wells Fargo.
According to darknet investigator Ed Alexander, who provided the information to the Epoch Times, when targeting Apple Pay the hackers "captured card numbers and full identities" of users.
The stolen data also included personal information, such as the answers to the security questions used by password-recovery systems. "When I saw this file earlier this week, I took my iPhones off Apple Pay," he said.
Alexander said he found customised attack files, each written to target one specific company and containing an individual configuration for a black-market tool known as Sentry MBA, one of the most widely used credential-stuffing tools: rather than cracking passwords, it replays username and password pairs leaked from other breaches against a target's login page to find accounts where the same credentials were reused.
According to cybersecurity researchers at Shape Security: "In the case of credential stuffing, the most commonly used standalone management tool we have observed enabling attacks is called Sentry MBA. A Sentry MBA config file contains, among other items, the URL for a website's login page, field markers to help navigate form elements, and rules for valid password constructions. A number of forums offer a wide variety of working configurations for various websites."
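The Shape Security description above lists what a Sentry MBA config carries (the login URL, form field markers and password rules); the defender's counterpart is recognising the traffic such a config produces when it is run against a site. The following script is an added example, not code from the article, from Shape Security or from any of the companies named. It works over an assumed, constructed authentication-log format (one line per login attempt: timestamp, client IP, username, OK or FAIL, and the User-Agent in quotes) and flags source addresses that show the stuffing signature: many attempts, a different username on almost every one, and a high failure ratio, with any successful logins from such a source reported as likely-compromised accounts. The thresholds and the sample log lines are illustrative values chosen here, not measurements from the incident.

```python
"""Flag credential-stuffing sources in an authentication log.

Added example; the log format, thresholds and sample lines below are
assumptions made for illustration, not data from the article.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed log line layout (hypothetical): '<timestamp> <ip> <user> <OK|FAIL> "<user-agent>"'.
# Adapt the pattern to whatever your IdP or web server actually emits.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>OK|FAIL) "(?P<ua>[^"]*)"$'
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct usernames tried
    agents: set = field(default_factory=set)     # distinct User-Agents seen
    successes: list = field(default_factory=list)  # usernames that logged in OK

    @property
    def fail_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_line(line: str):
    """Return the parsed fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def collect(lines):
    """Aggregate per-source statistics over an iterable of log lines."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the whole run
        s = stats[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        s.agents.add(rec["ua"])
        if rec["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.append(rec["user"])
    return stats


def flag_stuffing_sources(lines, min_attempts=5, min_distinct_users=5, min_fail_ratio=0.7):
    """Return {ip: SourceStats} for sources that look like a combo-list replay.

    A person retrying their own password hits one username and trips none of the
    three conditions; an office NAT may show many usernames but mostly succeeds;
    a stuffing tool trips all three, because every reused-password guess that
    does not match produces a failure against a fresh username.
    """
    flagged = {}
    for ip, s in collect(lines).items():
        if (s.attempts >= min_attempts
                and len(s.users) >= min_distinct_users
                and s.fail_ratio >= min_fail_ratio):
            flagged[ip] = s
    return flagged


def compromised_accounts(flagged) -> list:
    """Accounts that logged in OK from a flagged source: the 'hits' the attacker harvested."""
    return sorted({u for s in flagged.values() for u in s.successes})


# Constructed sample log (not real traffic). 203.0.113.7 replays a combo list:
# a new username on every attempt, one fixed User-Agent, one hit among seven failures.
SAMPLE_LOG = [
    '2016-03-02T10:00:01Z 203.0.113.7 alice FAIL "Mozilla/5.0 (Windows NT 6.1)"',
    '2016-03-02T10:00:01Z 203.0.113.7 bob FAIL "Mozilla/5.0 (Windows NT 6.1)"',
    '2016-03-02T10:00:02Z 203.0.113.7 carol FAIL "Mozilla/5.0 (Windows NT 6.1)"',
    '2016-03-02T10:00:02Z 203.0.113.7 dave OK "Mozilla/5.0 (Windows NT 6.1)"',
    '2016-03-02T10:00:03Z 203.0.113.7 erin FAIL "Mozilla/5.0 (Windows NT 6.1)"',
    '2016-03-02T10:00:03Z 203.0.113.7 frank FAIL "Mozilla/5.0 (Windows NT 6.1)"',
    '2016-03-02T10:00:04Z 203.0.113.7 grace FAIL "Mozilla/5.0 (Windows NT 6.1)"',
    '2016-03-02T10:00:04Z 203.0.113.7 heidi FAIL "Mozilla/5.0 (Windows NT 6.1)"',
    # 198.51.100.4: one person mistyping their own password twice, then succeeding.
    '2016-03-02T10:01:10Z 198.51.100.4 bob FAIL "Mozilla/5.0 (Macintosh)"',
    '2016-03-02T10:01:25Z 198.51.100.4 bob FAIL "Mozilla/5.0 (Macintosh)"',
    '2016-03-02T10:01:40Z 198.51.100.4 bob OK "Mozilla/5.0 (Macintosh)"',
    # 192.0.2.10: an office NAT, many different users, but they all log in OK.
    '2016-03-02T10:02:00Z 192.0.2.10 ivan OK "Mozilla/5.0 (X11; Linux)"',
    '2016-03-02T10:02:05Z 192.0.2.10 judy OK "Mozilla/5.0 (X11; Linux)"',
    '2016-03-02T10:02:09Z 192.0.2.10 mallory OK "Mozilla/5.0 (Windows NT 10.0)"',
    '2016-03-02T10:02:14Z 192.0.2.10 niaj OK "Mozilla/5.0 (X11; Linux)"',
    '2016-03-02T10:02:20Z 192.0.2.10 olivia OK "Mozilla/5.0 (Macintosh)"',
    '2016-03-02T10:02:31Z 192.0.2.10 peggy OK "Mozilla/5.0 (X11; Linux)"',
]

if __name__ == "__main__":
    hits = flag_stuffing_sources(SAMPLE_LOG)
    for ip, s in hits.items():
        print(f"{ip}: {s.attempts} attempts, {len(s.users)} users, "
              f"fail ratio {s.fail_ratio:.2f}, agents {sorted(s.agents)}")
    print("accounts to force-reset:", compromised_accounts(hits))
```

The heuristic keys on a single source address, which is the weak point: Sentry MBA accepts proxy lists, so a distributed run spreads the combo list across many addresses and each one stays under the thresholds. In that case aggregate on something the tool does not rotate as readily (the fixed User-Agent, TLS fingerprint or ASN), or alert on the site-wide pattern of a failure spike in which most usernames appear exactly once. Accounts returned by `compromised_accounts` should get a forced password reset and session invalidation, since the attacker has already confirmed those credentials work.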
The identity of the cybercriminals believed to be behind the attacks remains unclear, as does whether they have any links to foreign governments. It is also unclear whether they are motivated by financial gain, in which case the stolen credentials may end up for sale on the dark web, or whether the attacks are part of a wider cyberespionage campaign.
IBTimes UK has contacted darknet investigation security group DBI (DarkNet BlackOps Intelligence), which currently employs Alexander, for further information and comment about the attacks and is awaiting a response.