Quote:Threat actors are compromising up to 100,000 inboxes daily in a campaign that targets gift card and customer-loyalty program data in hopes of reselling it or cashing in on freebies, a security researcher has found.
 
The actors behind the scam—outlined in a post by Brian Krebs on Krebs on Security—have been “mass-testing millions of usernames and passwords against the world’s major email providers each day” for the past three years, according to the post.
 
“Some of the most successful and lucrative online scams employ a ‘low-and-slow’ approach — avoiding detection or interference from researchers and law enforcement agencies by stealing small bits of cash from many people over an extended period,” Krebs noted in the post.
 
Citing an anonymous source Krebs calls “Bill,” the group tries to authenticate between five to 10 million email username/password combos daily, with only about a .1 percent strike rate—which still means the actor “comes away with anywhere from 50,000 to 100,000 of working inbox credentials,” he wrote.
 
While one might think that “whoever is behind such a sprawling crime machine would use their access to blast out spam, or conduct targeted phishing attacks against each victim’s contacts,” that’s not what’s happening, Krebs wrote.