Russian hackers accused of targeting 85 top companies, Apple Pay included

A darknet researcher stumbled upon some configuration data, and one thing led to another.

A group of hackers speaking Russian and using Russian servers, are out hunting for American companies' user credentials, an exclusive story published on The Epoch Times claims. 

This group, allegedly not tied to any government and basically operating on its own, is targeting 'at least' 85 companies, including Amazon, American Airlines, AT&T, Best Buy, Wells Fargo, DropBox, Dunking Donuts, Ebay, GoDaddy, Uber,, McDonald’s, Office Depot, PayPal, Pizza Hut, Steam, and Apple Pay. 

Epoch Times broke the news after being approached by darknet investigator Ed Alexander, who apparently saw hackers "capturing card numbers and full identities,” including answers to personal questions usually used during password recovery. Apparently, the first thing he did was take his iPhones off Apple Pay. He found customised cyberattack files, designed to target specific companies, and had configuration files for Sentry MBA, a popular ‘credential stuffing’ tool.  

Here’s how credential stuffing works: People usually use the same password over multiple services, and when one gets breached, chances are the password on other services don’t get changed. So, hackers buy a cracked database on the dark web, feed it to Sentry MBA to see if any of the previous passwords still work. The Epoch Times claims the technique is ‘extremely effective’. 

"In the case of credential stuffing, the most commonly used standalone management tool we have observed enabling attacks is called Sentry MBA,” explain cybersecurity researchers at Shape Security.  

“A Sentry MBA config file contains, among other items, the URL for a website's login page, field markers to help navigate form elements, and rules for valid password constructions. A number of forums offer a wide variety of working configurations for various websites."    

Image Credit: Christiaan Colen / Flickr