A new botnet has been discovered that takes login credentials from a less-secure site and tests them on banking and financial transactions sites, leaving users who reuse the same password across sites vulnerable to attack.

Internet security firm ThreatMetrix described the botnet in its Cybercrime Report covering the first quarter of 2016. In it, its said that botnet attacks have evolved from large-scale distributed denial of service (DDoS) attacks to low-and-slow attacks which are more difficult to detect. Rather than taking down a site or server, the new botnets mimic trusted customer behavior and logins to access accounts.

The new bots get customer login information from a lower-security site: one with ‘modest sign-up requirements’ for the creation of username/password combinations. The botnets take a list of user credentials from the dark web and run ‘massive credentialing sessions’ on lower-security sites. Often sites that provide content, like Netflix or Spotify, will be targeted for the first phase of attack as they have millions of customers and lower security requirements than most financial institutions and e-commerce sites. “These attacks result in huge spikes over a couple of days with sustained transaction levels of over 200 transactions / second as they slice down the list.” Every time they get a hit with a username/password combination it goes on a list, which is then used to launch a low-and-slow attack on financial and e-commerce institutions. These attacks are difficult to detect and comprised 264 million attacks on e-commerce websites in the first quarter of 2016 alone. They noted an overall 35% growth in bot attacks from the last quarter of 2015 to the first of 2016, a number which is expected to continue to grow.

“With recent data breaches, and the tendency for users to share passwords across websites, cybercriminals find it more lucrative to use a trusted credit card from a valid customer account than it is to attempt to re-use a stolen card that has a limited shelf life. This quarter saw the highest level of attacks on e-commerce with more than 60 million rejected transactions, representing a 90% increase over the previous year.”

Using known combinations targets those who reuse passwords on low and high security websites. While users have been warned against this practice for years, some reports still show that it is common practice. A 2013 report by UK communications watchdog OfCom showed that 55% of adults reuse the same passwords across sites. A similar 2015 study by TeleSign showed 73% of web accounts were protected by duplicated passwords.