Vigilante discovered an emerging threat actor group attacking large online retailers using brute force checkers with large, frequently updated combo lists of login credentials. Their method of attack consists of developing and then deploying a proprietary brute force checker with an email/password combination list of approximately 200,000 individuals that they acquired and put together from various data breaches.

  • Armed with access to the account, the attackers can acquire customers’ personally identifiable information, that may include name, password, email and postal addresses, telephone number, last four digits of the credit card number, CVV, and card expiration date. They can then either commit the fraud themselves or turn around and sell these confirmed and active accounts at a premium on underground Dark Web forums.
  • Of the 200,000 accounts, the attacks usually yield a positive hit rate of about 300 accounts with recycled and reused passwords. Although obtaining 300 sets of working credentials out of 200,000 may seem like a low success rate in terms of percentage, when you realize what access to 300 accounts can accomplish, the group’s method appears to be cheap to operate and lucrative.

Vigilante also gleaned insight into the group’s use of Private Keeper, a proprietary tool that is favored within certain exclusive underground communities. What makes these threat actors’ approach noteworthy is that not only did their combo list incorporate credentials from some relatively recent data breach dumps—such as Canva, Houzz, and Zynga—but they also refresh their combo lists every 48 hours before re-running their brute force attacks. Given the number of data dumps and combo lists we see every day on dark web forums and marketplaces, the possibilities are endless for attacking numerous retailers or firms with several and frequently updated combo lists.

The screenshot below demonstrates how a gift card ordered from a compromised customer account was re-routed to a threat actor’s email address:


The amount of personal information criminals can compile on you is significant if they can gain access to accounts where firms store your information for loyalty reward programs or other purposes. Vigilante offers a couple of tips to protect your passwords and to ensure your old passwords haven’t been hacked:

  • Install password manager software on your system and use it to change the passwords to your accounts. Using a password manager enables you to use stronger passwords without having to worry about remembering them.
  • Routinely check your bank and credit card statements and your explanation of benefits from any health insurer. Report suspicious charges promptly, and keep in mind that not all businesses know when they or their customers have had data exposed. Do not count on notifications to trigger caution on your part.
  • Get a handle on your digital footprint; know exactly to which retailers you have provided your data. You can run a search on yourself to see which of your personal details are available to anyone with a simple search on your name; use multiple search engines to see if any of your information appears somewhere that it shouldn’t.