
AIO: A Popular ATO Tool


Written by Mara Gibor

Overview

  • Account takeover (ATO) scams have been growing quickly since early 2020, with estimates ranging from 2x – 6x vs. prior year.
  • “All-In-One Checker” (“AIO”) is a popular account takeover tool of choice for cybercriminals and fraudsters around the world.
  • AIO has also become popular with underground vendors of compromised account credentials, who leverage the tool to build databases of ATO targets and sell these targets to other cybercriminals and fraudsters on various underground marketplaces.
  • Slilpp is one such popular underground marketplace. In total, as of April 2021, Slilpp features approximately 50 million account credentials for sale, priced between $2 and $9 per account.
  • The popularity of AIO and available inventory on markets such as Slilpp suggest that threat actors are pursuing a wide range of fraud and cybercrime ATO-related schemes targeting different industries.

AIO At-a-Glance

AIO is a simple and user-friendly tool. To launch it, a user first loads a proxy for anti-detection purposes, and one or more combolists containing email credentials (username and password pairs that have somehow been compromised). Additionally, the user specifies keyword strings, i.e., names or URLs of banks, e-commerce shops, cryptocurrency platforms, payment card types, etc. These keywords are the threat actor’s accounts of interest.

With all this information loaded, the user can now run AIO. AIO attempts to authenticate to the email accounts and confirm the existence of the desired online accounts (e.g., banking, e-commerce) based on email communications. AIO then outputs the credentials matching the keyword strings along with the count of matches.

For example, a cybercriminal using AIO entered a list of keyword strings for certain career sites (@monster.com, @ziprecruiter.com, @simplyhired.com, etc.). Each of the keyword strings in the list was searched within each email account, and the results are shown in the screenshot below. Each row includes an email address and password (taken from the combolist), the match string, and the match count. For example, in the row highlighted with a red box, the keyword @ziprecruiter matched 684 times in that email inbox.

All-In-One Checker producing results for a search against popular career websites

So what does the cybercriminal or fraudster do with the AIO output? Well, now the threat actor has a list of valid accounts at an online platform or application. In our example above, the threat actor has a list of valid accounts for a career website. The actor visits the career website and requests a password reset for these accounts. The reset request usually triggers an email to the accountholder. Since the actor has access to the email inbox (using the combolist credentials), the threat actor intercepts the email with the password reset instructions and resets the password. Now the threat actor has complete control of the career website account.
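The takeover step described above ends with the actor requesting password resets for a whole list of accounts at the target site. From the site's side, that shows up as one source address asking to reset many distinct accounts in a short time, which is a signal a defender can alert on. The following is an added example, not code from the original post or from Q6 Cyber: it runs a sliding-window detector over a few constructed password-reset log lines. The log format, the field names, the 10-minute window and the threshold of five distinct accounts are all assumptions chosen for illustration.

```python
"""Detect bursts of password-reset requests that fit the AIO takeover pattern.

Added example (not from the original post or from Q6 Cyber). Log format,
field names, window size and threshold are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines, one event per line:
#   <ISO-8601 timestamp> <source_ip> password_reset_request account=<email>
SAMPLE_LOG = """\
2021-04-10T09:00:01Z 203.0.113.7 password_reset_request account=alice@example.org
2021-04-10T09:00:04Z 203.0.113.7 password_reset_request account=bob@example.org
2021-04-10T09:00:09Z 203.0.113.7 password_reset_request account=carol@example.org
2021-04-10T09:00:15Z 203.0.113.7 password_reset_request account=dave@example.org
2021-04-10T09:00:21Z 203.0.113.7 password_reset_request account=erin@example.org
2021-04-10T09:00:30Z 203.0.113.7 password_reset_request account=alice@example.org
2021-04-10T09:05:00Z 198.51.100.2 password_reset_request account=frank@example.org
2021-04-10T11:30:00Z 198.51.100.2 password_reset_request account=frank@example.org
2021-04-10T12:00:00Z 192.0.2.9 password_reset_request account=grace@example.org
"""

WINDOW = timedelta(minutes=10)   # assumption: how far back a source's requests count
THRESHOLD = 5                    # assumption: distinct accounts per source that trigger an alert


def parse_line(line):
    """Parse one constructed log line into (timestamp, source_ip, account).

    Returns None for lines that are not password-reset requests.
    """
    ts, ip, event, kv = line.split()
    if event != "password_reset_request" or not kv.startswith("account="):
        return None
    timestamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    account = kv[len("account="):].lower()
    return timestamp, ip, account


def detect_reset_bursts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per source IP, raised the first time that source has
    requested resets for `threshold` or more *distinct* accounts within
    `window`. Repeated resets of the same account do not inflate the count."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, account) inside the window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, account = parsed
        q = recent[ip]
        q.append((ts, account))
        # Drop events that have aged out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {acct for _, acct in q}
        if len(distinct) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({
                "source_ip": ip,
                "at": ts.isoformat(),
                "distinct_accounts": len(distinct),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_reset_bursts(SAMPLE_LOG):
        print(alert)
```

On the sample data only 203.0.113.7 trips the rule (five distinct accounts inside 21 seconds; the repeated reset for alice does not raise the count), while the lone user who asked for two resets hours apart does not. Because the tool is run behind a proxy, as the previous section notes, the per-source-address signal can be diluted across addresses; in practice this check is one input alongside rate limits on the reset endpoint and a second factor on the reset itself, so that access to the inbox alone is not enough to complete the takeover.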

Step-by-step process for utilizing AIO to execute account takeovers

Other threat actors leverage AIO to build databases of vulnerable accounts (i.e., takeover targets) and then sell them to other cybercriminals, as seen in the screenshot below.

Thousands of email credentials advertised for sale on a popular account market

Download our full report to learn more about ‘AIO-style’ account takeover schemes, recent attacks, the underground trade in compromised accounts, and best practices for mitigating the risk.

About the Author

Mara Gibor is the Director of Threat Intelligence at Q6 Cyber. She leads analyst teams in the collection and analysis of E-Crime intelligence from numerous open and restricted sources.