Written by Mara Gibor
AIO is a simple and user-friendly tool. To launch, a user first loads a proxy for antidetection purposes, and one or more combolists containing email credentials (username and password pairs that have somehow been compromised). Additionally, the user specifies keyword strings, i.e., names or URLs of banks, e-commerce shops, cryptocurrency platforms, payment card type, etc. These keywords are the threat actor’s accounts of interest.
With all this information loaded, the user can now run AIO. AIO attempts to authenticate to the email accounts and confirm the existence of the desired online accounts (e.g., banking, e-commerce) based on email communications. AIO then outputs the credentials matching the keyword strings along with the count of matches.
For example, a cybercriminal using AIO inputted a list of keyword strings for certain career sites (@monster.com, @ziprecruiter.com, @simplyhired.com, etc.). Each of the keyword strings in the list was searched within each email account, and the results are shown in the screenshot below. Each row includes an email address and password (taken from the combolist), the match string, and the match count. For example, in the row highlighted with a red box, the keyword @ziprecruiter matched 684 times in that email inbox.
So what does the cybercriminal or fraudster do with the AIO output? Well, now the threat actor has a list of valid accounts at an online platform or application. In our example above, the threat actor has a list of valid accounts for a career website. The actor visits the career website and requests a password reset for these accounts. The reset request usually triggers an email to the accountholder. Since the actor has access to the email inbox (using the combolist credentials), the threat actor intercepts the email with the password reset instructions and resets the password. Now the threat actor has complete control of the career website account.
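From the defender's side, the phase of this scheme that a mail provider can observe directly is the first one: one proxied source authenticating to many unrelated mailboxes from a combolist in quick succession. The following is an added example, not code from the original post or from Q6 Cyber; the log format and the sample log lines are constructed for illustration, and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of IMAP authentication events (not real data).
# Assumed format: "<ISO timestamp> <source_ip> <OK|FAIL> <mailbox>"
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.5 OK alice@example.com
2024-03-01T10:00:03 203.0.113.5 FAIL bob@example.com
2024-03-01T10:00:04 203.0.113.5 OK carol@example.com
2024-03-01T10:00:06 203.0.113.5 OK dave@example.com
2024-03-01T10:00:09 203.0.113.5 OK erin@example.com
2024-03-01T10:00:12 203.0.113.5 FAIL frank@example.com
2024-03-01T10:00:15 203.0.113.5 OK grace@example.com
2024-03-01T10:05:00 198.51.100.7 OK alice@example.com
2024-03-01T10:06:00 198.51.100.7 OK alice@example.com
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, result, mailbox) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, result, mailbox = line.split()
        events.append((datetime.fromisoformat(ts), ip, result, mailbox))
    return events


def flag_combolist_checkers(events, window=timedelta(minutes=10), min_mailboxes=5):
    """Return {ip: mailboxes} for sources that successfully logged into at least
    `min_mailboxes` distinct mailboxes inside any `window`-long interval.

    A legitimate client tends to log into one or a few mailboxes repeatedly;
    a checker run over a combolist logs into many different ones once each.
    """
    by_ip = defaultdict(list)
    for ts, ip, result, mailbox in events:
        if result == "OK":  # failed guesses are noisy; successes are the signal
            by_ip[ip].append((ts, mailbox))
    flagged = {}
    for ip, logins in by_ip.items():
        logins.sort()
        for i, (start, _) in enumerate(logins):  # slide the window over each start
            seen = {mb for ts, mb in logins[i:] if ts - start <= window}
            if len(seen) >= min_mailboxes:
                flagged[ip] = seen
                break
    return flagged
```

Alerting on a hit lets the provider force re-authentication or step-up verification on the affected mailboxes before the password-reset stage described above can succeed.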
Other threat actors leverage AIO to build databases of vulnerable accounts (i.e., takeover targets) and then sell them to other cybercriminals, as seen in the screenshot below.
Download our full report to learn more about ‘AIO-style’ account takeover schemes, recent attacks, the underground trade in compromised accounts, and best practices for mitigating the risk.
About the Author
Mara Gibor is the Director of Threat Intelligence at Q6 Cyber. She leads analyst teams in the collection and analysis of E-Crime intelligence from numerous open and restricted sources.