Individuals who reuse login credentials across multiple sites are more susceptible to account checking attacks, which occur when threat actors use credentials stolen from past database breaches or compromises to gain unauthorized access to other accounts belonging to the same victims. However, the process of mining compromised data for correct username and password combinations requires significant computer processing power and proxy pool lists to be successful — a capability that is now exhibited by the Trickbot gang.
Considered to be the successor of the formidable Dyre banking Trojan gang, the Trickbot banking Trojan gang continues to evolve by adopting new attack methods and targeting various industries. While Trickbot predominantly targeted the financial industry, it has now expanded its targeting of other industries via its account checking activities; these are perpetrated through the backconnect SOCKS5 module enlisting victims as proxies. Enlisting victims as its proxies allows the gang to perform account checking activity with the same IP as its victims. The gang account checking operation requires a steady stream of new and “clean” proxies to make sure their activities wouldn’t get automatically blocked by companies’ automatic IP origin anti-fraud systems. Therefore, their existing infections are turned into account checking proxies.
To read the original article: