There’s a new tool floating around the dark web that is scary good at breaking into online accounts. It’s incredibly powerful because it allows cybercriminals to get in using advanced methods that previously required coding ability and manual work. With specialized modules for figuring out passwords, accounts can now be accessed quickly with no technical skills.

In particular, the tool – known as Atlantis AIO – takes advantage of insecure password behaviors, such as reusing the same password across multiple accounts or over time, using weak passwords that are easy to guess, and lack of multifactor authentication.

How it works

An attacker buys a list of stolen/leaked username and password pairs from other criminals and loads it into the tool. Some lists contain millions of credentials! The attacker can then choose from over 140 specific targets including email providers, banks, streaming services, VPNs, and e-commerce sites.

Three main attack options can be run simultaneously:

  • Credential Stuffing: Systematically testing to see if any of the leaked username and password pairs work. This attack is most likely to work if the owner of the account reuses passwords.
  • Brute Force: Rapid-fire testing of thousands or millions of common word combinations to try to guess the password. This attack may be successful if the account owner uses weak passwords containing words that are often used together, such as song lyrics or other well-known phrases.
  • Account Recovery: Triggering a password reset on an account and successfully responding to CAPTCHA (i.e., “I’m not a robot”) challenges. The use of AI (Artificial Intelligence) allows the tool to automate the process. Enabling multifactor authentication can reduce the risk of this type of attack.
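For defenders, each of the three attack options leaves a different trace in authentication logs. The following added example (not part of the original article and not derived from the tool itself) labels source IPs by the pattern their traffic resembles; the event format, IP addresses, and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample events: (source_ip, event_type, username, success)
EVENTS = (
    # 10.0.0.5: one attempt each against many different accounts
    [("10.0.0.5", "login", f"user{i}", i == 7) for i in range(12)]
    # 10.0.0.9: many guesses against a single account
    + [("10.0.0.9", "login", "alice", False) for _ in range(15)]
    # 10.0.0.7: password-reset requests across several accounts
    + [("10.0.0.7", "reset", f"user{i}", True) for i in range(6)]
    # 10.0.0.2: an ordinary user who mistyped once
    + [("10.0.0.2", "login", "bob", False), ("10.0.0.2", "login", "bob", True)]
)

def classify_sources(events, min_failures=10, min_resets=5):
    """Label each source IP by the attack pattern its traffic resembles."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> username -> failed logins
    resets = defaultdict(set)                          # ip -> usernames with reset requests
    for ip, kind, user, success in events:
        if kind == "login" and not success:
            failures[ip][user] += 1
        elif kind == "reset":
            resets[ip].add(user)

    labels = {}
    for ip in {e[0] for e in events}:
        per_user = failures[ip]
        total = sum(per_user.values())
        if len(resets[ip]) >= min_resets:
            labels[ip] = "account-recovery abuse"
        elif total >= min_failures and len(per_user) >= total * 0.8:
            # Failures spread thinly over many accounts: leaked pairs tried once each
            labels[ip] = "credential stuffing"
        elif total >= min_failures and max(per_user.values()) >= total * 0.8:
            # Failures concentrated on one account: repeated password guessing
            labels[ip] = "brute force"
        else:
            labels[ip] = "normal"
    return labels

if __name__ == "__main__":
    for ip, label in sorted(classify_sources(EVENTS).items()):
        print(ip, label)
```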

How it can impact you

Once a cybercriminal manages to break in, they can do all kinds of bad things using your accounts.

For example, they could reset your password for your email account (which they can then use to reset other website passwords they haven’t been able to crack), steal sensitive information contained in your messages, and use your email to send phishing emails to your contacts. They could make purchases using your payment information and change the mailing address to intercept your packages. They could even post your personal information on social media or impersonate you and make comments that cause friction with other people.

So what can you do to keep from becoming a victim? Here are some tips:

  • Make your passwords at least 16 characters long and unguessable. Passphrases using random words and numbers work well. Using a password manager to create and store passwords makes this much easier!
  • Never reuse a password across multiple systems or accounts – this also means you should never use the same password for personal and work accounts.
  • Use multifactor authentication (MFA) where available, but try to avoid SMS-based options because attackers can sometimes intercept text messages. The 2FA Directory has information on websites and services that offer MFA and how to find the settings.
  • Use passkeys instead of passwords, if possible. A passkey is a combination of a digital key stored on your device and another authentication method, which could be biometric (e.g., fingerprint) or hardware-based (e.g., USB device).

An additional note: Any time you hear about a data breach that exposes credentials, it’s safe to assume they will be available for sale on the dark web. Over 85 million passwords that were recently stolen are being used in active attacks. If you are affected by a breach, change your password immediately!

And remember, the TDS Internet Security Suite helps protect you and your family from cyberthreats, with features including a password vault, privacy VPN, ID monitoring, and more. Visit our website for more details.
