Namecheap accounts brute-forced by CyberVor gang?
California-based domain registrar and web hosting firm Namecheap has been targeted by hackers, the company’s VP of hosting Matt Russell warned on Monday. He said that the attackers are using username and password data gathered from third-party sites to brute-force their way into customers’ accounts.
Russell said that the compromised login credentials used to probe the accounts are likely those collected by the Russia-based CyberVor gang, which reportedly holds as many as 1.2 billion unique online login credentials.
It is still unclear why they believe the CyberVor gang – or another gang using that stash of login credentials – is involved.
“The group behind this is using the stored usernames and passwords to simulate a web browser login through fake browser software. This software simulates the actual login process a user would use if they are using Firefox/Safari/Chrome to access their Namecheap account. The hackers are going through their username/password list and trying each and every one to try and get into Namecheap user accounts,” Russell shared.
“The vast majority of these login attempts have been unsuccessful as the data is incorrect or old and passwords have been changed. As a precaution, we are aggressively blocking the IP addresses that appear to be logging in with the stolen password data. We are also logging these IP addresses and will be exporting blocking rules across our network to completely eliminate access to any Namecheap system or service, as well as making this data available to law enforcement.”
Some of the attempts have been successful, and the company has temporarily suspended those accounts and is notifying the rightful owners.
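The response described above (blocking source IPs that replay stolen credentials and suspending accounts they got into) depends on telling a credential-list run apart from an ordinary user mistyping a password. The following is an added example, not Namecheap's code: the log format, thresholds and function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample auth log (not real data): "<epoch> <ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
1409500000 203.0.113.7 alice FAIL
1409500002 203.0.113.7 bob FAIL
1409500004 203.0.113.7 carol FAIL
1409500006 203.0.113.7 dave OK
1409500008 203.0.113.7 erin FAIL
1409500010 203.0.113.7 frank FAIL
1409500020 198.51.100.23 grace FAIL
1409500030 198.51.100.23 grace FAIL
1409500040 198.51.100.23 grace OK
1409500050 192.0.2.44 heidi OK
"""

def parse(log):
    """Yield (timestamp, ip, username, success) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit() or parts[3] not in ("OK", "FAIL"):
            continue  # skip malformed lines rather than guessing
        yield int(parts[0]), parts[1], parts[2], parts[3] == "OK"

def find_stuffing(log, min_users=5, min_fail_ratio=0.7, window=300):
    """Map each suspicious IP to the accounts it logged in to successfully.
    An IP is suspicious when, inside any `window`-second span, it tries at
    least `min_users` distinct usernames and most attempts fail. Thresholds
    are illustrative assumptions, not values from the article.
    """
    by_ip = defaultdict(list)
    for event in parse(log):
        by_ip[event[1]].append(event)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, first in enumerate(events):
            win = [e for e in events[i:] if e[0] < first[0] + window]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if not e[3])
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                # Any success from this IP is an account to suspend and notify.
                flagged[ip] = sorted({e[2] for e in events if e[3]})
                break
    return flagged

if __name__ == "__main__":
    for ip, accounts in find_stuffing(SAMPLE_LOG).items():
        print(f"block {ip}; review accounts: {', '.join(accounts) or 'none'}")
```

The signal is many distinct usernames from one source with a high failure ratio; the single user who fails twice and then succeeds on their own account is not flagged.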
“Our early investigation shows that those users who use the same password for their Namecheap account that are used on other websites are the ones who are vulnerable,” he added. “This attack serves as a timely reminder that as netizens, we constantly face new and evolving security threats.”
Russell advised all users to consider enabling 2-factor authentication for their online accounts wherever possible to prevent this type of attack in the future.
He also advised using strong passwords, not using the same username/password combination for multiple websites, regularly scanning systems for malware, using SSL connections for all websites, and using secured connections and a VPN when browsing the internet on an open Wi-Fi hotspot.
“We’ve chosen to go public with today’s incident to try and generate greater public awareness of the security issues that stem from areas outside of our control. Good security is a joint effort between service provider (us) and customer (you),” he wrote, and added that they are doing what needs to be done to keep their customers secure.