It’s no secret that credential exposure is a growing problem. Take a look at Troy Hunt’s https://www.haveibeenpwned.com – a tool that allows users to check whether their accounts have been exposed in a data breach – and it’s hard to ignore the fact that the database includes over 8 billion records. Digital Shadows’ breach repository alone has up to 16 billion credentials – and there’s no reason to expect these numbers to start shrinking any time soon.
While Troy’s site doesn’t provide any passwords, the reality is that most of these sit somewhere online – on the open, deep or dark web. Credentials like these often experience a full lifecycle, starting with the initial gathering phase, and only becoming public knowledge towards the tail-end of their usefulness; a fact we described in our webinar Harnessing Exposed Data to Enhance Cyber Intelligence. Left in the wrong hands, *cough* cybercriminal *cough*, this exposed data can lead to the wrong kind of activity: malicious account takeover (ATO).
In our Photon Research Team’s recently published report Two-Factor in Review, we defined account takeover as “the process of gaining access to a victim account, often by compromise or credential re-use”. ATO can affect both individuals and organizations: for individuals, a successful account takeover can result in identity theft or financial fraud; for organizations, data breaches, system compromise, financial losses and reputational damage are all possible outcomes. Regardless of who is targeted, account takeover fraud is costly, with losses in the US reaching $5.1 billion in 2017 alone.
As it states on the tin, Photon’s recent assessment explores the most popular mitigation tool to prevent account takeover: two-factor authentication (2FA). Here, we review account takeover from the perspective of the cybercriminal: why and how do cybercriminals perform ATO? While 2FA has proven itself to be an effective mitigation tool in preventing account takeover, this mitigation tool should be adopted alongside other best practices and security measures, which we provide at the end of the blog.
Taking over an account is like breaking into a house; criminals typically have a good idea of what they’re trying to steal ahead of time, by casing a target and doing some reconnaissance, but they have to get inside first. We identify how cybercriminals launch this kind of digital B&E (“breaking and entering” for all you non-criminals out there), codifying it into five distinct steps: reconnaissance, acquisition, username enumeration, verification and authorization, and exfiltration.
Figure 1: The 5 steps of the Account Takeover Kill Chain
The first step in an attack typically involves reconnaissance; for ATO attacks, threat actors scope out where they will actually use the accounts they plan to steal. Attackers determine a target site, or multiple sites, and begin mapping out login portals that require usernames and passwords, along with other pages on those domains that require valid credentials to access – for example, a social media site or an online banking portal. At this stage an attacker may enumerate the subdomains of a domain to find login pages, or take note of the technologies running on the website that could be vulnerable to certain exploits or credential attacks. A tool like Sublist3r can quickly provide the user with subdomains that could host login pages for services or websites.
Figure 2: Screenshot of a Sublist3r query (source: github.com/aboul3la/Sublist3r)
A cybercriminal may rely on a number of methods to acquire an account, ranging from phishing, malware and breached credential databases to the sale of private or bulk credentials (usually found on criminal sites). The method employed may, to some extent, vary by the attacker’s preference – but some resources make account acquisition much easier. One option – as the Photon research team recently identified in our Too Much Information: The Sequel research – is using the proliferation of exposed files on misconfigured devices to an attacker’s advantage. The report found a total of 2.3 billion files, including sensitive information like password lists, to be easily accessible via various online file stores. Other factors driving account acquisition include password reuse, targeted phishing, the sale of credentials on criminal forums and the use of credential harvesting bots.
Account takeover can also result from spear phishing campaigns – a form of phishing that targets a specific individual or organization. Depending on the execution, a spear phishing campaign can lure individuals into a false sense of security, posing as a trusted source. The success of the campaign depends on whether the targeted employee clicks on a link and attempts to sign into the spoofed service, which results in the inadvertent exchange of account information.
Credential-stealing malware is also a common tool criminals use to gather credentials from infected systems. Pony and TrickBot are among the better-known variants, though the technique appears in dozens of families across the threat landscape. Attackers need not develop their own, either: access to certain variants can be purchased online, some even operating as Malware-as-a-Service. Others can be found on criminal marketplaces, like the Goznym banking trojan, which can harvest credentials and collect payment information from point-of-sale systems.
Figure 3: Goznym banking trojan for sale
For the less technical threat actor who may not know how to put together a phishing campaign or use malware effectively, there’s a pay-to-win option. Criminal forums like CrackedTO, Nulled, and RaidForums and Automated Vending Carts like Joker’s Stash and Empire Market have dedicated spaces that sell personal data, be it compromised accounts, payment card details, or other personally identifiable information.
Figure 4: Front page listings on Raidforums
It’s not only credentials that enable account takeovers; the Genesis Marketplace sells system fingerprints which essentially act as a technical “mask”, impersonating a specific account’s technical indicators. Genesis market differs from other services typically offered on criminal forums in that it provides specialized goods: bots that claim to bypass fingerprinting controls. Sold for as little as 50 cents, its bot technology provides customers with a wide range of information such as fingerprints, cookies, logs, saved passwords, and personal information. Essentially, if a cybercriminal purchases one of these bots, they could acquire an individual’s account information simply by impersonating the victim’s browser activity.
While criminal underground sites are rife with combolists for sale, the Photon team identified a new approach to the sale of combolists: combolists-as-a-service.
Scanning chatter on underground cracking sites, we identified threat actors on the cracking forum CrackedTO actively branding and marketing combolists as if they were tradable commodities. For instance, we identified one user on cracked.to promoting their service DataSense – a “cloud based combolist and database provider”.
According to the post, DataSense provides users with up-to-date combolists and a self-proclaimed “quality product”. Like most marketing narratives, the advertisement goes on to list why users should choose this service, highlighting that the team is made up of “experienced crackers..who use years of dorks and cracking experience”. Such experience, allegedly, delivers the “best databases”.
Figure 5: DataSense advertisement on cracking forum
In addition to the benefits, the ad also offers a subscription package, in which users pay $50 (using PayPal, bitcoin or other cryptocurrencies) for 30 days of access to the product. It’s unconfirmed which combolists are available via the advertised service, as you need to pay and register via the website datasense[.]pw, but the post implies it offers Amazon, Electronic Arts’ Origin, Ubisoft’s uPlay, Netflix and Steam accounts.
DataSense is not alone in this combolist market, though, with other players jumping on the bandwagon too. Take for example the site databasehub[.]co – a site which describes itself as the ‘next generation combolist provider’. DatabaseHUB uploads combolists to its site every day, covering categories such as gaming and cryptocurrency, details of which were pulled from its Shoppy page.
Figure 6: A screenshot of DatabaseHub
After registering for an account, combolists are displayed – but in order to receive the data, users are drawn to purchase a token (valued at $10.99 via Shoppy). By purchasing the token, as DatabaseHUB’s Shoppy page highlights, you’ll be able to generate up to 5 combolists per day for 30 days.
Figure 7: DatabaseHUB advertisement on Shoppy
For cybercriminals, these subscription-style services offer a one-stop shop that streamlines how combolists are obtained: rather than purchasing combolists individually, the dedicated services automate the process.
What’s more, these CaaS offerings even mark a shift in cybercriminals’ distribution tactics. Traditionally, cracking forums have been used both to advertise the sale of combolists and to distribute the goods. However, the above examples suggest that cybercriminals are leveraging multiple services, such as Shoppy and personalized web pages, alongside the underground forums to promote their services. It remains to be seen whether this kind of service will take off among the community, but Photon will be sure to stay apprised of the updates.
Been in a position where you’ve forgotten login details? It’s likely that the site has informed you that one element of the login is correct and the other is incorrect. This might spur you to take a second guess: “Oh, I know! It’s not that username! I’ll try another.” To you, this process is wholly innocent; the login is like a school test – it’s testing your memory. While innocent for the account holder, attackers can exploit this indicator, probing the site to determine username formats or to check whether particular usernames exist. Misconfigured settings for a login portal may expose certain verification details, providing contextual clues about whether a username exists within the targeted system. Testing the login service or site ahead of time can provide valuable details to an attacker, who can then tweak the settings within their tools or edit the formats of the usernames being tested.
Figure 8: Example of improper credential validation messages Source: https://www.baeldung.com/spring-security-enumeration-attacks
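To make the point in Figure 8 concrete from the defender’s side, here is an added example (not code from the original post or from Digital Shadows) of a login handler written both ways: the leaky form, which answers differently depending on whether the username exists, and a hardened form that returns one message and does the same amount of work for both failure cases. The user store, salt and password are constructed for the demo, and `login_leaky`, `login_hardened` and `responses_distinguish_users` are names chosen here, not a real framework’s API.

```python
import hashlib
import hmac
import os

# Constructed demo user store (not a real system): username -> (salt, digest).
# SHA-256 keeps the example dependency-free; a real service should store
# passwords with a deliberately slow KDF such as bcrypt, scrypt or Argon2.
def _digest(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


_SALT = b"constructed-demo-salt"
USERS = {"alice": (_SALT, _digest(_SALT, "correct horse battery staple"))}

# Digest of random junk: a lookup for an unknown username still costs one
# hash computation and one comparison, exactly like a lookup for a real one.
_DUMMY_DIGEST = _digest(_SALT, os.urandom(16).hex())


def login_leaky(username: str, password: str) -> str:
    """The anti-pattern in Figure 8: each failure case gets its own message,
    so the response alone tells a caller whether the username exists."""
    if username not in USERS:
        return "Unknown username"
    salt, stored = USERS[username]
    if _digest(salt, password) != stored:
        return "Incorrect password"
    return "OK"


def login_hardened(username: str, password: str) -> str:
    """One message, and the same work, for both failure cases."""
    salt, stored = USERS.get(username, (_SALT, _DUMMY_DIGEST))
    candidate = _digest(salt, password)
    # compare_digest takes time independent of where the digests differ; the
    # membership test comes last so the hash is computed on every path.
    ok = hmac.compare_digest(candidate, stored) and username in USERS
    return "OK" if ok else "Invalid username or password"


def responses_distinguish_users(login) -> bool:
    """Review check: does a handler answer differently for a username that does
    not exist than for a real username with the wrong password?"""
    return login("nobody-here", "wrong") != login("alice", "wrong")
```

The same rule applies to the other places a site confirms identities: registration (“that email is already in use”), password reset (“no account with that address”) and account lock-out notices all need the same uniform wording, and the dummy-digest path closes the response-time difference that would otherwise remain even after the messages are made identical.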
Now that the attacker has access to the credentials, whether that’s through a service like DataSense or other means of acquiring the data, one of the most common ways attackers can conduct their account takeovers at scale is with the help of credential stuffing tools. Though there are several tools available, we’ll highlight some of the main ones below.
This process typically relies on people reusing their passwords across multiple services. In February 2019, a joint survey conducted by Google and Harris Poll found that almost two in three people recycle the same password across multiple accounts. Why? Well, the average business user has 191 passwords, so keeping mental notes of these passwords may feel like playing a brain game, and as a shortcut employees may reuse logins. For an organization, this malpractice causes significant security issues, as criminals may identify instances of password reuse in order to compromise further accounts. Cumbersome as passwords may be, using unique passwords for all accounts is something we emphasize enforcing – and we’ll build on these mitigations later.
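One control that directly targets the reuse problem is to refuse, at registration or password change, any password that already appears in a breach corpus such as the one behind haveibeenpwned.com, without ever sending the password (or its full hash) off the box. The following is an added example, not code from the original post or from Digital Shadows, of the k-anonymity range lookup that scheme uses: the client hashes the password with SHA-1, sends only the first five hex characters, receives every suffix sharing that prefix, and matches locally. The breached-password corpus and `fake_range_endpoint` are constructed stand-ins for the real service; the function names are chosen here.

```python
import hashlib
from typing import Callable, Dict

# Constructed corpus of passwords "seen in breaches" with made-up counts. A real
# deployment would query the Pwned Passwords range API or a local mirror of it.
_CONSTRUCTED_BREACHED = {"password123": 12345, "qwerty": 3800000, "letmein": 270000}


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Server side of the k-anonymity scheme: index full hashes by 5-char prefix.
_RANGE_INDEX: Dict[str, Dict[str, int]] = {}
for _pw, _count in _CONSTRUCTED_BREACHED.items():
    _h = sha1_upper(_pw)
    _RANGE_INDEX.setdefault(_h[:5], {})[_h[5:]] = _count


def fake_range_endpoint(prefix: str) -> str:
    """Stand-in for the range endpoint: given a 5-hex-char prefix, return every
    known 'SUFFIX:COUNT' line sharing it. The server never sees the full hash,
    so it cannot tell which of the returned suffixes the client was after."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return "\n".join(f"{s}:{n}" for s, n in sorted(_RANGE_INDEX.get(prefix, {}).items()))


def parse_range_response(body: str) -> Dict[str, int]:
    result: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        result[suffix] = int(count)
    return result


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Client side: transmit only the prefix, match the suffix locally.
    Returns how many times the password appears in the corpus (0 = not seen)."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_acceptable(password: str, fetch_range: Callable[[str], str], min_length: int = 12) -> bool:
    """Policy check used at registration or password change: long enough and
    never seen in the breach corpus. Reject, rather than merely warn, on a hit."""
    return len(password) >= min_length and breach_count(password, fetch_range) == 0
```

Swapping `fake_range_endpoint` for an HTTP call to the real range endpoint gives a production check; the client-side logic and the privacy property (five hex characters leave the machine, nothing else) stay the same.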
SentryMBA is a free and publicly available credential stuffing tool, typically used by threat actors to automate the account takeover process by trying numerous credential combinations against online login portals. It’s most often used at the verification stage of the kill chain we outlined earlier. The tool has functions to mitigate traditional online login-form security controls, such as IP address rate limits and blacklists, and can bypass CAPTCHA controls that are intended to impede automated interaction. It attempts to bypass these controls by using Optical Character Recognition (OCR) software and other mechanisms to read and solve CAPTCHA challenges.
SentryMBA is loaded with configuration files that are used to direct the tool and dictate what credential combinations are to be used. The configuration files include a credential combination list (which can be purchased from criminal forums or gathered by credential stealing malware), a proxy list (encompassing compromised hosts or botnets) to bypass some security controls, and a configuration file of HTML elements that help SentryMBA navigate the unique characteristics of the site being targeted (including the URL of the login page). The tool exploits the use of weak password practices, as it uses previously leaked credential combinations as part of its attack strategy.
Figure 9: SentryMBA in action (source: F5 Networks)
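The two operating modes described above, a single host working through a combolist and the same run pushed through a proxy list to stay under per-IP rate limits, leave different traces in authentication logs. As an added example (not code from the original post or from Digital Shadows), the detection logic below runs over a constructed authentication log in a simple key=value format and flags both patterns: a source failing against many distinct usernames, and a window in which failures are spread across almost as many source addresses and usernames as there are failures. The log format, thresholds and RFC 5737 documentation addresses are all constructed for the demo; a real deployment would parse its own identity provider’s events and tune the thresholds against a baseline.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set

# Constructed authentication log (not a real product's format).
SAMPLE_LOG: List[str] = [
    "2019-07-02T09:00:05Z auth src=192.0.2.10 user=alice result=OK",
    "2019-07-02T09:01:12Z auth src=192.0.2.11 user=bob result=FAIL",
    "2019-07-02T09:01:40Z auth src=192.0.2.11 user=bob result=OK",
    # One source working through a list of accounts.
    "2019-07-02T10:00:01Z auth src=203.0.113.7 user=alice result=FAIL",
    "2019-07-02T10:00:07Z auth src=203.0.113.7 user=bob result=FAIL",
    "2019-07-02T10:00:13Z auth src=203.0.113.7 user=carol result=FAIL",
    "2019-07-02T10:00:19Z auth src=203.0.113.7 user=dave result=FAIL",
    "2019-07-02T10:00:25Z auth src=203.0.113.7 user=erin result=FAIL",
    "2019-07-02T10:00:31Z auth src=203.0.113.7 user=frank result=FAIL",
] + [
    # The same kind of run behind a proxy list: every attempt from a new address.
    f"2019-07-02T11:00:{5 * i:02d}Z auth src=198.51.100.{i + 1} user=user{i:02d} result=FAIL"
    for i in range(10)
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse(lines: Iterable[str]) -> List[AuthEvent]:
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip unrelated lines instead of aborting the run
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append(AuthEvent(ts, m["src"], m["user"], m["result"] == "OK"))
    return sorted(events, key=lambda e: e.ts)


def _windows(fails: List[AuthEvent], window: timedelta):
    """Yield the trailing window of failures ending at each event."""
    start = 0
    for end in range(len(fails)):
        while fails[end].ts - fails[start].ts > window:
            start += 1
        yield fails[start:end + 1]


def single_source_stuffing(events, window=timedelta(minutes=5), min_users=5) -> Set[str]:
    """Sources that fail against many distinct usernames inside one window.
    Per-IP rate limits catch this case; the proxy list exists to avoid it."""
    by_src: Dict[str, List[AuthEvent]] = defaultdict(list)
    for e in events:
        if not e.ok:
            by_src[e.src].append(e)
    return {
        src for src, fails in by_src.items()
        if any(len({e.user for e in w}) >= min_users for w in _windows(fails, window))
    }


def distributed_stuffing(events, window=timedelta(minutes=5), min_fails=8, diversity=0.8) -> Set[str]:
    """Sources in windows where failures are spread over nearly as many IPs and
    usernames as there are failures: the proxy-list signature, invisible to
    per-IP limits because each address stays under the threshold."""
    fails = [e for e in events if not e.ok]
    involved: Set[str] = set()
    for w in _windows(fails, window):
        n = len(w)
        if n < min_fails:
            continue
        if len({e.src for e in w}) / n >= diversity and len({e.user for e in w}) / n >= diversity:
            involved.update(e.src for e in w)
    return involved


def detect(lines: Iterable[str]) -> Dict[str, Set[str]]:
    events = parse(lines)
    return {"single_source": single_source_stuffing(events),
            "distributed": distributed_stuffing(events)}
```

The first rule is what an IP rate limit already encodes; the second is the one worth adding, because it keys on the global shape of failures in a window rather than on any one address, which is exactly the dimension a proxy list is meant to defeat. Pair either alert with a forced step-up (2FA prompt or CAPTCHA) on the accounts named in the window rather than with a blanket block, so that the users whose names appear in a combolist are protected without locking them out.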
SNIPR is a tool that automates credential stuffing processes. It was created by the online alias PRAGMA, functions very similarly to SentryMBA, and has existed since April 2017. Although SentryMBA is deemed the “gold standard” of credential stuffing tools, SNIPR brings its own benefits and is advertised across several criminal and cracking forums. It comes pre-installed with a variety of pre-built configurations for popular sites, including requested URLs, user-agent strings, data capture from requests and the correct order of authentication. Added to this is an in-built mechanism for public proxy scraping, or the ability to import specified lists. These characteristics indicate the tool is aimed at all skill levels: users with little to no credential stuffing experience can simply activate and execute it, while it also allows greater customization and configuration for those with advanced experience.
Figure 10: Advertisement for SNIPR posted on criminal forum (Source: Raidforums)
Another tool that could be incorporated into a credential stuffing attack is a Python script called Cr3dov3r, which is used to support credential reuse attacks and to find passwords from security breaches. The tool generates “true results”, which means any email address entered into the tool is searched across genuine online resources, such as HaveIBeenPwned.com, and if the address has been included in a breach, the tool attempts to ascertain associated plaintext passwords. Subsequently, the tool checks seven popular websites (e.g. Facebook, Twitter, Google) to determine whether the login is still valid and working or whether CAPTCHA is blocking the way.
Figure 11: Example of Cr3dov3r in action
At this point the damage has been done: the account has been compromised and the attacker will look to extract information or even move funds. This is another important step within the ATO kill chain, as the attacker’s true motivation reveals itself. Whatever the attacker does while in control of the account is valuable knowledge for incident responders or threat hunters, who will try to put new defenses in place to prevent this kind of attack from recurring. In the present, though, attackers have been observed stealing intellectual property, financial records and information, or other sensitive company documents.
ATO can also enable further types of attacks to take place; one main example is business email compromise (BEC). If the account for a high-level executive is compromised, a common technique criminals will carry out involves emailing certain people within the organization, typically within the finance areas of the company, with a time-sensitive requirement urging them to do something quickly. As humans, we’re generally helpful by nature (especially when it comes to our bosses or our bosses’ bosses); a fact which threat actors are more than willing to exploit.
While the kill chain can visualize how cybercriminals take over accounts at a granular level, it fails to address the business impacts of this life cycle – in particular, who is affected and how much damage has been done. For businesses, as we echoed earlier, account takeover is financially costly. This point is more poignant in a world of GDPR, with organizations facing unprecedented monetary fines under data protection law. While monetary penalties are the more obvious cost to an organization, there are several other less tangible – though equally detrimental – impacts.
When it comes to account takeover, who should be held accountable for unauthorized access to victims’ accounts? Is it the criminal(s) that gain a foothold? Is it the organization that stored the data? Or is it on the individual to prevent account compromise? While it’s harder to prevent criminals’ intentions, particularly on criminal forums, preventing account takeover is, to some extent, the mutual obligation of both individuals and organizations.
Becoming truly resilient to account takeover requires a shift in behaviors and practices, both from the organization and the employee. We suggest considering the following tips:
Digital Shadows SearchLight™ uses a combination of proprietary technology and closed source expertise to: