Massive Brute-Force Attack on Alibaba


In February 20016, TaoBao, the retail e-commerce store wing of Alibaba, publicly reported to having been victims of a massive brute-force attack. TaoBao in the China equivalent of eBay.

In a span of one month, October to November 2015, TaoBao was systematically, and repeatedly attacked by public lists of leaked usernames and passwords.
These input values came from a humungous collection of 99 million credentials, pooled in from breaches of other websites.
The attackers used the values to brute-force enter into TaoBao cloud.U
sers who used the same passwords over multiple websites fell victim instantly and their TaoBao accounts were compromised. (“Massive Brute-Force Attack on Alibaba Affects Millions”)
Many other accounts that had weak, short, easy-to-guess passwords were broken into as well.

20.6 million accounts were reportedly compromised, which is roughly one-fifth of TaoBao’s user base. (“Alibaba security fail: Brute-force bonanza yields 21m logins”)

TaoBao, like eBay, is a reputation based seller-to-seller marketplace where reputation counts very highly, so boosting an accounts reputation via fake reviews can be a big bonus, and seems to be one of the incentives behind the attack.

TaoBao and Alibaba failed to notice the attack during the one month it was launched and security expert Paul Ducklin remarked that “One problem, in this case, is that with nearly 100 million account names to work with, the crooks didn’t need to try thousands of passwords per account to get a good hit rate, so Taobao may not have seen evidence of massive password guessing.” He further adds that “Taobao is one of the busiest websites in the world, so processing hundreds of millions of logins, even if they come from the same internet region – Alibaba’s cloud network – is all in a day’s work.” (“Alibaba hit by massive brute-force password hack.”)

What is curious in this case, however, is that the attackers used servers rented from Alibaba themselves to conduct the attacks.

Dave Martin, another security expert, draws attention to this fact and further says,  “While these [type of] attacks are usually detected by examining authentication logs, network-based security applied in the egress or outbound direction from the cloud computing servers could also have prevented or identified this fraudulent activity much sooner.” (“Massive Brute-Force Attack on Alibaba Affects Millions”)

References

Seals, T. (2016, February 08). Massive Brute-Force Attack on Alibaba Affects Millions. Retrieved from https://www.infosecurity-magazine.com/news/massive-bruteforce-attack-on/

Pauli, D. (2016, February 8). Alibaba security fail: Brute-force bonanza yields 21m logins. Retrieved from https://www.theregister.co.uk/2016/02/08/alibaba_taobao_security_process_failure/

Gilchrist, A. (2016, February 08). Alibaba hit by massive brute-force password hack. Retrieved from http://www.itproportal.com/2016/02/08/alibaba-hit-massive-brute-force-password-hack/