I'm sure fraud IS fun
Until you get caught! Or if you're worried about getting caught. Or worried about getting killed if you defraud the wrong party.
An 18-year-old Wisconsin man has been charged with allegedly playing a central role in the theft of $600,000 from DraftKings customer accounts. Joseph Garrison – who potentially faces years in the clink if convicted and apparently bragged to his co-conspirators that "fraud is fun" – surrendered to the cops Thursday morning in …
Nonono... more than x failed connection attempts, using different passwords, in y minutes from the same IP, and you deny the *login* for 24h, not the connection. But tarpit by 4s. Don't deny the *connection* - then they won't realise they've been blacklisted, and will continue to waste more time in the tarpit, and will think everything in their database is a bad password.
Meanwhile, I have a script which just feeds phishing emails with a shit tonne of bogus credentials.
It did occur to me that the most effective way to implement this would be to spread it like a bot so it can run from loads of different IP addresses. Which given how scammers work would be ironic.
It then occurred to me that this is probably already happening.
I would include login attempts using different usernames from the same IP and /24 address block.
One of the banes of my life is how getting hold of this information can be practically impossible. Also “y”, it seems this is probably well known and not admin configurable; encountered this when being attacked from 6~8 IPs from the same /24 which belonged to some Russian ISP. They probed to find out the value of y and then simply set their retry timer to y + 10 seconds. It was nearly 2 months before the logs no longer showed connection attempts from this ISP.
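The lockout policy discussed in the comments above (deny the login rather than the connection, tarpit the reply, and count failures across the /24 as well as the single address), as an added example that is not any commenter's code. The values chosen for x and y and the names `LoginGuard` and `attempt` are assumptions.

```python
import hmac, ipaddress, os
from collections import defaultdict, deque

X_MAX = 5              # "x": distinct failures tolerated (assumed value)
Y_WINDOW = 600         # "y": window in seconds (assumed value, 10 minutes)
DENY_FOR = 24 * 3600   # deny the login, not the connection, for 24h
TARPIT = 4.0           # seconds to stall every refused attempt
_KEY = os.urandom(32)  # per-process key so raw guesses are never stored

class LoginGuard:
    def __init__(self):
        self.fails = defaultdict(deque)  # source -> (ts, user, pw_tag)
        self.denied_until = {}           # source -> unix time

    @staticmethod
    def sources(ip):
        # Track the address itself and its /24 (IPv4 only here).
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        return ip, str(net)

    def attempt(self, ts, ip, user, password, password_ok):
        """Return (granted, delay_seconds); the connection is never dropped."""
        srcs = self.sources(ip)
        if any(self.denied_until.get(s, 0) > ts for s in srcs):
            # Same answer as a wrong password, even if the password is right.
            return False, TARPIT
        if password_ok:
            return True, 0.0
        tag = hmac.new(_KEY, password.encode(), "sha256").digest()
        for s in srcs:
            q = self.fails[s]
            q.append((ts, user, tag))
            while q and q[0][0] <= ts - Y_WINDOW:
                q.popleft()
            # Count distinct (user, password) pairs so one person retyping
            # the same wrong password is not mistaken for stuffing.
            if len({(u, t) for _, u, t in q}) > X_MAX:
                self.denied_until[s] = ts + DENY_FOR
        return False, TARPIT
```

A fixed window still misses attempts spaced just over y apart from one address, which is the behaviour described in the comment above; the /24 counter only helps when several addresses in the block are active inside the same window.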
Depends how much you like using your resources to slow people down. Me, I blacklist (with DROP) the IP address on one failed login to my mail server, for 24 hours. I typically have 8k banned addresses at any one time; that's quite a lot of log-in attempts being blocked (and not filling up my log file). And with a bit of luck, they spend some time trying to establish a connection before giving up.
If you're pulling in hundreds of thousands of dollars, and you already bought a bunch of credentials on the dark web, then you have the resources and ability to find the people selling access to a botnet to run your scripts on. You only need each bot for about two minutes before it does something worth blocking. Buy a few thousand of those for a few minutes and spam some out. Wait a day and buy some more, either the same ones again or try a different product. That gives you tens of thousands of login attempts per day. Sure, trying your entire dataset in one day would be faster, but that decrease in speed is probably not extreme enough to cause problems for the criminal.
USA + 5-eyes vassals are in a room in Lisbon discussing how to stop their open-secret microchip AI involuntary intelligence/slavery program, plus names of FBI/CIA officials and collaborators, to spread to China/Russia/Iran.
USA + vassals won't succeed.
"DraftKings provided notice to customers in relevant jurisdictions..."
What does "relevant jurisdictions" mean in this context? It seems redundant, unless they really mean to say that those customers not living in jurisdictions where notification of a data breach is required were NOT told about it. In which case "The safety and security of our customers' personal and payment information is of paramount importance to DraftKings," is a lie.
I don't think it's good advice and neither is changing your passwords every so often. My L/P here at El Reg is used elsewhere, but other than somebody impersonating me and causing a bit of grief, I'm not going to be all that affected if this or where the same L/P is used is hacked. When it comes to anything that has to do with money, yes, every one of those sites has a different L/P that isn't shared anywhere else. What I'm trying to do is limit the credentials I have to try and remember to mainly the most important things. Being forced to change a login can inadvertently take you from a fairly secure L/P to one that isn't. About the only place where this is useful is if somebody is brute forcing an account and you get lucky that what you change your L/P to has already been tried and discarded. You have to hope that whoever is operating that site is actively looking out to prevent brute force attacks in the first place. If they've left that wide open, chances are they have other holes in their security as well.
I think it's more important to avoid using anything in credentials that's easily found personal information such as a child's name or the name of a pet. I don't comment on what sorts of things I use for credentials but they aren't really things even a comprehensive biography would have. I wonder if anybody has attempted a hack based on things a person strongly dislikes or the name of the bully that tortured one at school decades ago. I get odd thoughts like that. I'm still waiting for the post office to issue "hate mail" stamps to put on mail going to pay bills and taxes.
THIS. KeePass, which stores things locally, was recently found to have a security hole in which local memory dumps might contain most of the password. But that would require access to the computer on about the same level as needed for a keylogger, so not exactly that severe a vulnerability...