A new cybercrime platform called ‘Atlantis AIO’ has emerged providing cybercriminals with an automated service to carry out large-scale credential stuffing attacks. The service, which targets over 140 online platforms, including email services, e-commerce sites, banks, and VPN providers, is designed to streamline the process of hijacking accounts using stolen credentials.
Credential stuffing is a form of cyberattack where threat actors use lists of stolen usernames and passwords from data breaches to attempt unauthorized access to online accounts. If the credentials match and multi-factor authentication (MFA) is not enabled, attackers can gain access, lock out the legitimate users, and use or resell the compromised accounts for profit.
Atlantis AIO has been described as a Credential Stuffing as a Service (CSaaS) platform that offers an automated, user-friendly interface for executing these attacks. The service offers pre-configured modules that specifically target major online platforms, including well-known services like Hotmail, AOL, Mail.ru, Mail.com, Gmx, as well as popular retailers and businesses such as Wingstop, Buffalo Wild Wings, and Safeway.
According to Abnormal Security, the service operates through three primary modules:
-
Email Account Testing: The module automates brute-force login attempts and takeover attacks on email platforms like Hotmail, Yahoo, and Mail.com. Once attackers gain control of an email account, they can use it for phishing attacks or data theft, exploiting the inboxes of the account holders.
-
Brute Force Attacks: The module allows cybercriminals to rapidly cycle through common or weak passwords in an attempt to crack accounts with poor password hygiene. It targets a wide array of platforms, enabling rapid, automated attacks that can affect countless users.
-
Account Recovery: The module exploits account recovery processes, such as those found on eBay or Yahoo. It bypasses CAPTCHA systems and automates takeovers using tools like “Auto-Doxer Recovery,” enabling cybercriminals to quickly exploit vulnerable accounts.
Once successful, attackers typically sell the compromised accounts on underground cybercrime forums. Some threat actors have been known to create shops where stolen accounts are sold for as little as $0.50 each.
