Automatic Hacking Machine Uses Millions Of Stolen Passwords To Attack


Forbes, 25-03-2025

Don't say you weren't warned. The threat from infostealer malware has been made pretty clear as billions of passwords are reported compromised, 85 million of the newest being used in ongoing attacks, and even two-factor authentication in isolation might not be enough to save you as hackers use session cookies to bypass 2FA code protections. That threat has just been amplified by a report revealing how an automatic hacking machine called Atlantis AIO is using millions of stolen passwords to gain access to email, VPN, streaming services and even food delivery accounts.
Credential stuffing is not new; let's make that clear right from the start. However, it is a very dangerous attack methodology and is becoming increasingly so. Attackers are always looking to develop new tools that can help them carry out their attacks, as I reported March 15 after leaked Black Basta ransomware group internal chat logs revealed how it was using an automated brute-force attack framework. As both the brute-force and credential stuffing terms suggest, these attacks essentially hammer an account with as many username and password combinations as possible in the hope that one will be correct and gain entry. OK, so that's the simplified explanation, but by using lists of stolen or compromised credentials readily available from dark web marketplaces and in various criminal forums, it's possible for hackers to access other accounts that share the same passwords.
A March 25 threat intelligence report from Abnormal Security has sounded the alarm about an automatic hacking machine, known as Atlantis AIO, that can take these millions of stolen passwords and use them in just such credential stuffing attacks.
'Atlantis AIO has emerged as a powerful weapon in the cybercriminal arsenal,' Abnormal Security analysts said, 'enabling attackers to test millions of stolen credentials in rapid succession.' Where Atlantis excels, however, is in providing pre-configured modules to automate the targeting of specific services, from email providers such as Hotmail, Yahoo, AOL, GMX, and Web.de, to streaming services, VPNs, financial institutions, and even food delivery services. In fact, the report revealed the Atlantis AIO hacking machine can be aimed at more than 140 different platforms.
'By offering pre-configured modules for targeting a range of platforms and cloud-based services,' the threat intel report warned, 'it allows cybercriminals to launch credential stuffing attacks at scale with minimal effort.' The secret to the success of this automatic hacking machine is its modular approach. This can be demonstrated across three areas.
The use of a password manager to ensure unique and strong passwords for every account, along with two-factor authentication for all your accounts, can help mitigate this kind of attack. "Don't share your passwords between accounts" is the most pertinent advice; follow it.


