
The perils of password re-use have been laid bare with the discovery of a botnet dedicated to finding account credentials on websites and testing the logins it finds on banks.

The work is clever since it avoids tripping the botnet detection and brute-force rate limiters that are in place at most security-savvy banks but absent across the wider web.

It is likely to work too: wholly unscientific statistics indicate password reuse is a lazy habit of anywhere from 15 percent to 60 percent of users, possibly more.

Antiquated mandatory corporate password resets further push users to select easy and reused passwords rather than remember a complex, unique one or employ a password locker.

News of the password-purloining practice appeared in security firm ThreatMetrix's new cybercrime report (PDF).

That document says botnet attacks have evolved from large-volume distributed denial of service (DDoS) or spam attacks to low-and-slow bots designed to evade rate limits and security controls while mimicking trusted customer behavior and login patterns.

"Once the fraudsters get a new list of user credentials from the dark web they launch a series of attacks targeting multiple sites to run massive credential testing sessions," researchers wrote.

"These attacks result in huge spikes over a couple of days with sustained transaction levels of over 200 transactions a second as they slice down the list."
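The two attack shapes the report describes, a single source hammering many accounts and a list being "sliced down" from many sources at once, leave different traces in an authentication log. The following is an added example, not code from the article or from ThreatMetrix: it runs two detectors over a constructed log (the timestamps, usernames, IP addresses and thresholds are all made up) and shows why a per-source rate limiter alone catches the first shape but not the second.

```python
"""Credential-stuffing detection over a constructed auth log.

Added example; the log format "<ISO timestamp> <user> <source_ip> <OK|FAIL>",
the sample entries and the thresholds are assumptions, not taken from the report.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Lines 5-10 are one IP testing six
# accounts; lines 11-20 are a distributed burst where every attempt comes from a
# different IP, so no single source exceeds a per-IP limit. One of them succeeds.
SAMPLE_LOG = """\
2017-01-10T09:00:00 alice 203.0.113.5 OK
2017-01-10T09:00:04 bob 198.51.100.7 FAIL
2017-01-10T09:00:09 bob 198.51.100.7 OK
2017-01-10T09:00:15 carol 192.0.2.44 OK
2017-01-10T09:00:20 u001 203.0.113.99 FAIL
2017-01-10T09:00:21 u002 203.0.113.99 FAIL
2017-01-10T09:00:22 u003 203.0.113.99 FAIL
2017-01-10T09:00:23 u004 203.0.113.99 FAIL
2017-01-10T09:00:24 u005 203.0.113.99 FAIL
2017-01-10T09:00:25 u006 203.0.113.99 FAIL
2017-01-10T09:05:00 v001 198.51.100.21 FAIL
2017-01-10T09:05:03 v002 198.51.100.22 FAIL
2017-01-10T09:05:06 v003 198.51.100.23 FAIL
2017-01-10T09:05:09 v004 198.51.100.24 FAIL
2017-01-10T09:05:12 v005 198.51.100.25 FAIL
2017-01-10T09:05:15 v006 198.51.100.26 FAIL
2017-01-10T09:05:18 v007 198.51.100.27 FAIL
2017-01-10T09:05:21 v008 198.51.100.28 FAIL
2017-01-10T09:05:24 v009 198.51.100.29 FAIL
2017-01-10T09:05:27 v010 198.51.100.30 OK
2017-01-10T09:10:00 alice 203.0.113.5 OK
"""


def parse_log(text):
    """Parse log lines into (timestamp, user, ip, success) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def detect_noisy_sources(events, min_distinct_users=5, min_fail_ratio=0.8):
    """Per-source check, the shape a rate limiter or WAF rule matches:
    one IP trying many different accounts and mostly failing."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set()})
    for _, user, ip, ok in events:
        s = stats[ip]
        s["attempts"] += 1
        s["fails"] += 0 if ok else 1
        s["users"].add(user)
    return sorted(
        ip for ip, s in stats.items()
        if len(s["users"]) >= min_distinct_users
        and s["fails"] / s["attempts"] >= min_fail_ratio
    )


def detect_distributed_stuffing(events, window_seconds=60, min_attempts=8,
                                min_spread=0.9, min_fail_ratio=0.7):
    """Population-level check for a list being tested from many sources:
    within one window nearly every attempt is a different account from a
    different IP and most attempts fail. Each reported burst also lists the
    accounts that logged in successfully during it, the likely reused passwords."""
    window = timedelta(seconds=window_seconds)
    bursts = []
    covered_until = None
    for i, (start, _, _, _) in enumerate(events):
        if covered_until is not None and start < covered_until:
            continue  # already inside a reported burst
        burst = []
        for e in events[i:]:
            if e[0] >= start + window:
                break
            burst.append(e)
        n = len(burst)
        if n < min_attempts:
            continue
        users = {e[1] for e in burst}
        ips = {e[2] for e in burst}
        fails = sum(1 for e in burst if not e[3])
        if (len(users) / n >= min_spread and len(ips) / n >= min_spread
                and fails / n >= min_fail_ratio):
            bursts.append({"start": start, "attempts": n, "users": len(users),
                           "ips": len(ips), "fails": fails,
                           "successes": sorted(e[1] for e in burst if e[3])})
            covered_until = start + window
    return bursts


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("noisy sources:", detect_noisy_sources(ev))
    for b in detect_distributed_stuffing(ev):
        print(f"distributed burst at {b['start']}: {b['attempts']} attempts, "
              f"{b['users']} accounts, {b['ips']} sources, {b['fails']} failures, "
              f"successful logins: {b['successes']}")
```

On this sample the per-source detector flags only 203.0.113.99; none of the 198.51.100.2x addresses trips it, because each makes a single attempt. The second detector flags the 09:05 burst and names v010 as the account whose reused password worked, which is the account a bank's fraud team would want to step up or lock first.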

Full article: Password reuse bot steals creds from weak sites, logs in to banks