The Account Takeover Kill Chain: A Five Step Analysis
July 30, 2019
It’s no secret that credential exposure is a growing problem. Take a look at Troy Hunt’s https://www.haveibeenpwned.com – a tool that allows users to search whether accounts have been exposed in a data breach – and it’s hard not to ignore the fact that the database includes over 8 billion records. Digital Shadows’ breach repository alone has up to 16 billion credentials – and there’s no reason to expect these numbers to start shrinking any time soon.
While Troy’s site doesn’t provide any passwords, the reality is that most of these sit somewhere online – on the open, deep or dark web. Credentials like these often experience a full lifecycle, starting with the initial gathering phase, and only becoming public knowledge towards the tail-end of their usefulness; a fact we described in our webinar Harnessing Exposed Data to Enhance Cyber Intelligence. Left in the wrong hands, *cough* cybercriminal *cough*, this exposed data can lead to the wrong kind of activity: malicious account takeover (ATO).
In our Photon Research Team’s recently published report Two-Factor in Review, we coined account takeover as “the process of gaining access to a victim account, often by compromise or credential re-use”. ATO can affect both individuals and organizations: For individuals, when a cybercriminal successfully performs account takeover, this could result in identity theft or financial fraud; For organizations, data breaches, system compromises, as well as financial losses and reputational damage are all possible outcomes. Regardless of who’s being targeted, account takeover fraud is costly, with losses in the US mounting to $5.1 billion dollars in 2017 alone.
As it states on the tin, Photon’s recent assessment explores the most popular mitigation tool to prevent account takeover: two-factor authentication (2FA). Here, we review account takeover from the perspective of the cybercriminal: why and how do cybercriminals perform ATO? While 2FA has proven itself to be an effective mitigation tool in preventing account takeover, this mitigation tool should be adopted alongside other best practices and security measures, which we provide at the end of the blog.
Don’t Pwn Me, Bro: The ATO Kill Chain
Taking over an account is like breaking into a house; criminals typically have a good idea about what they’re trying to steal ahead of time by casing a target, doing some reconnaissance, but they have to get inside first. We identify how cybercriminals launch this kind of digital B&E (“breaking and entering” for all you non-criminals out there) codifying this into five distinct steps: reconnaissance, acquisition, username enumeration, verification and authorization, and exfiltration.
Figure 1: The 5 steps of the Account Takeover Kill Chain
Reconnaissance: Cybercriminals on the lookout
The first step in an attack typically involves a stage of reconnaissance, and for ATO attacks, threat actors will be scoping out where they will actually be using the accounts they plan on stealing. Attackers will determine a target site, or multiple sites, and begin mapping out login portals that require usernames and passwords, and other pages on domains that requires valid credentials to access. For example, a social media site or an online banking portal; at this stage an attacker may enumerate the subdomains of a domain to find login pages, or take note of the types of technologies running on the website that could be vulnerable to certain exploits or credential attacks. Using a tool like Sublist3r can quickly and easily provide the user with subdomains that could be used to log in to services or websites.
Figure 2: Screenshot of a Sublist3r query (source: github.com/aboul3la/Sublist3r)
Acquiring the keys to the kingdom
A cybercriminal may rely on a number of methods to access an account, which range from the use of phishing, malware, breached credentials databases, to the sale of private or bulk credentials (usually found on criminal sites). The method employed may, to some extent, vary by the attacker’s preference – but some resources make account acquisition much easier. One option – as the Photon research team recently identified in our Too Much Information: The Sequel research – is using the proliferation of exposed files on misconfigured devices to an attacker’s advantage. The report found a total of 2.3 billion files including sensitive information like password lists to be easily accessible via various online file stores. Other factors driving account acquisition include: password reuse, targeted phishing, sale of credentials on criminal forums and the use of credential harvesting bots.
Account takeover can also result from spear phishing campaigns – a form of phishing that targets a specific individual or organization. Depending on the execution, a spear phishing campaign can lure individuals into a false sense of security, posing as a trusted source. The success of the campaign depends on whether the targeted employee clicks on a link and attempts to sign into the spoofed service, which results in the inadvertent exchange of account information.
Credential stealing malware is also a common tool used by criminals to gather credentials from systems which have been infected. Variants like Pony or TrickBot are more of the well-known variants, though the technique can be seen in dozens of variants within the threat landscape. Attackers need not develop their own either; access to certain variants can be purchased online, some even operating as a Malware-as-a-Service. Others can be found on criminal marketplaces like the Goznym banking trojan, which has the ability to harvest credentials and collect payment information from point of sale systems.
Figure 3: Goznym banking trojan for sale
For the less technical threat actor who may not know how to put together a phishing campaign or use malware effectively, there’s a pay-to-win option. Criminal forums like CrackedTO, Nulled, and RaidForums and Automated Vending Carts like Joker’s Stash and Empire Market have dedicated spaces that sell personal data, be it compromised accounts, payment card details, or other personally identifiable information.
Figure 4: Front page listings on Raidforums
It’s not only credentials that enable account takeovers; the Genesis Marketplace sells system fingerprints which essential act as a technical “mask”, impersonating a specific account’s technical indicators. Genesis market differs from other services typically offered criminal forums in that it provides specialized goods: bots that claim to bypass fingerprinting controls. Sold for as little as 50 cents, it’s bot technology provides customers with a wide range of information such as fingerprints, cookies, logs, saved passwords, and personal information. Essentially, if a cybercriminal purchases one of these bots, they could acquire an individuals account information simply by impersonating a victim’s browser activity.
CaaS: Combolists-as-a-Service has joined the party
While criminal underground sites are rife with combolists for sale, the Photon team identified a new approach to the sale of combolists: combolists-as-a-service.
Scanning chatter on underground cracking sites, we identified threat actors on the cracking forum CrackedTO actively branding and marketing combo-lists, as if they are tradable commodities. For instance, we identified one user on the cracking forum cracked.to, promoting their service datasense – a “cloud based combolist and database provider”.
According to the post, DataSense provides users with up-to-date combolists and a self-proclaimed “quality product”. Like most marketing narratives, the advertisement goes on to list why users should choose this service, highlighting that the team is made up of “experienced crackers..who use years of dorks and cracking experience”. Such experience, allegedly, delivers the “best databases”.
Figure 5: DataSense advertisement on cracking forum
In addition to the benefits, the ad also offers a subscription package, in which users can pay $50 (using Paypal, bitcoin or other cryptocurrencies) which entitles the users to 30 days access to the product. It’s unconfirmed which combolists are available via the advertised service, as you need to pay and register via the website datasense[.]pw, but the post implies it offers Amazon, Electronic Arts’ Origin, Ubisoft’s uPlay, Netflix and Steam accounts.
DataSense is not alone in this combolist market though, with other players jumping on the bandwagon, too. Take for example the site databasehub[.]co – a site which describes itself as the ‘next generation combolist provider’. DatabaseHUB uploads combolists everyday to its site, which cover categories such as gaming and cryptocurrency, details of which were pulled from it’s Shoppy page.
Figure 6: A screenshot of DatabaseHub
After registering for an account, combolists are displayed – but in order to receive the data users are drawn to purchase a token (valued at $10.99 via Shoppy). By purchasing the token, as DatabaseHUB’s Shoppy page highlights, you’ll be able to generate up to 5 combo lists per day during the 30 days.
Figure 7: DatabaseHUB advertisement on Shoppy
For cybercriminals, the dedicated subscription-style combolist services offer a one-stop shop for combolists. This type of one-stop combolist shop attempts to streamline how cybercriminals obtain combolists. Rather than purchasing combolists individually, dedicated services automate the process.
What’s more, these CaaS’s even mark a shift in cybercriminals’ distribution tactics. Traditionally, cracking forums have been used to advertise the sale of combolists and then used to distribute the goods. However, the above examples suggest that cybercriminals are leveraging multiple services, such as Shoppy and personalised web pages, alongside the underground forums to promote their services. It remains to be seen whether this kind of service will take off among the community, but Photon will be sure to stay apprised of the updates.
“Invalid username/password. Please try again.”
Been in a position where you’ve forgotten login details? It’s likely that the site has informed you that one element of the login is correct, and the other is incorrect. This might spur you to take a second guess: “Oh, I know! It’s not that username! I’ll try another.” To you, this process is wholly innocent, the login is like a school test – it’s testing your memory. While innocent for the account holder, attackers can exploit this indicator, probing the site in order to determine the formats or to check for the existence of certain usernames themselves. Misconfigured settings for a login portal may expose certain verification details, providing contextual clues about whether a username exists within the targeted system. Testing the login service or site ahead of time can provide valuable details to an attacker who can then tweak the settings within their tools, or edit certain formats of the usernames being tested.
Figure 8: Example of improper credential validation messages
Verification & Authorization: Conducting ATO at scale
Now that the attacker has access to the credentials, whether that’s through a service like DataSense or other means of acquiring the data, one of the most common ways attackers can conduct their account takeovers at scale is with the help of credential stuffing tools. Though there are several tools available, we’ll highlight some of the main ones below.
This process typically relies on people reusing their passwords across multiple services. In February 2019, a joint survey conducted by Google and Harris Poll found that almost two in three people recycle the same password across multiple accounts. Why? Well, the average business user has 191 passwords, so keeping mental notes of these password may feel like playing a brain game and as a potential shortcut, employees may use re-use logins. For an organization, this malpractice causes significant security issues for organizations, as criminals may identify instances of password reuse in order compromise further accounts. Cumbersome as passwords may be, using unique passwords for all accounts is something we emphasis enforcing – and we’ll build on these mitigation later.
SentryMBA is a free and publicly available credential stuffing tool, typically used by threat actors to automate the account takeover process by trying numerous credential combinations against online login portals. It’s most often used at the verification stage of the kill chain we outlined earlier. The tool has functions to mitigate traditional online login-form security controls, such as IP address rate limits and blacklists, and can bypass CAPTCHA controls to impede automated interaction. It attempts to bypass these controls by using Optical Character Recognition (OCR) software and other mechanisms to read and solve CAPTCHA challenges.
SentryMBA is loaded with configuration files that are used to direct the tool and dictate what credential combinations are to be used. The configuration files include a credential combination list (which can be purchased from criminal forums or gathered by credential stealing malware), a proxy list (encompassing compromised hosts or botnets) to bypass some security controls, and a configuration file of HTML elements that help SentryMBA navigate the unique characteristics of the site being targeted (including the URL of the login page). The tool exploits the use of weak password practices, as it uses previously leaked credential combinations as part of its attack strategy.
Figure 9: SentryMBA in action (source: F5 Networks)
SNIPR is a tool that automates credential stuffing processes. It was created by the online alias PRAGMA, functions very similarly to SentryMBA, and has existed since April 2017. Although SentryMBA is deemed the “gold standard” of credential stuffing tools, SNIPR brings its own unique benefits and is advertised across several criminal and cracking based forums, coming pre-installed with a variety of pre-built configurations for popular sites, including requested URLs, user agent strings, data capturing from requests and the correct order of authentication. Added to this is an in-built mechanism for public proxy scraping or the ability to import specified lists. These characteristics indicate this tool is aimed at all skill levels, therefore enabling users with little to no historical credential stuffing experience simply being able to activate and execute the tool if so desired, whereas, it also allows for greater customization and configuration for those with advanced experience.
Figure 10: Advertisement for SNIPR posted on criminal forum (Source: Raidforums)
Another tool that could be incorporated into a credential stuffing attack is a Python script called Cr3dov3r, which is used to help credential reuse attacks and to find passwords from security breaches. The tool generates “true results”, which means any email address entered in the tool is searched across genuine online resources, such as HaveIBeenPwned.com, and then if your address has been included in a breach, the tool attempts to ascertain associated plaintext passwords. Subsequently, the tool checks seven popular websites (e.g. Facebook, Twitter, Google) to determine whether the login is still valid and working or whether CAPTCHA is blocking the way.
Figure 11: Example of Cr3d0v3r in action
Mission complete: exfiltrate your prize
At this point the damage has been done, the account has been compromised and the attacker will look to extract information or even move funds. This is another important step within the ATO kill chain as the attacker’s true motivation will reveal itself. Whatever that attacker does while in control of that account is valuable knowledge for incident responders or threat hunters who will try to put new defenses in place to prevent this kind of attack from taking place in the future. In the present though, attackers have been observed stealing intellectual property, financial records and information, or other sensitive company documents.
ATO can also enable further types of attacks to take place; one main example is business email compromise (BEC). If the account for a high-level executive is compromised, a common technique criminals will carry out involves emailing certain people within the organization, typically within the finance areas of the company, with a time-sensitive requirement urging them to do something quickly. As humans, we’re generally helpful by nature (especially when it comes to our bosses or our bosses’ bosses); a fact which threat actors are more than willing to exploit.
Understanding the impact – why businesses need to care
While the kill chain can visualize how cybercriminals takeover accounts at a granular level, it fails to address the business impacts of this life cycle. In particular, who is affected and how much damage has been made. For businesses, as we echoed earlier, account takeover is financially costly. This point is more poignant in a world of GPDR, with organizations facing unprecedented monetary fines under the data protection act. While monetary penalties are the more obvious cost to an organization, there are several other less tangible – though equally detrimental – impacts.
- Reputational damage
- Loss of customer relationship
- Potential Loss of employee data
- Identity theft
- Reputation and security
7 ways to combat ATO
When it comes to account takeover, who should be held accountable for the unauthorized access to the victims’ accounts? Is it the criminal (s) that gain a foothold? Is it the organization who stored that data? Or is it on the individual to prevent account compromise? While it’s harder to prevent criminals’ intentions, particularly on criminal forums, it is, to some extent, both the individuals and organizations mutual obligation to prevent account takeover.
Becoming truly resilient to account takeover requires a shift in behaviors and practices, both from the organization and the employee. We suggest considering the following tips:
- Monitor for leaked credentials of your employees. HaveIBeenPwned is a great resource for this, alerting you to instances of breaches including your organization’s email domain.
- Monitor for mentions of your company and brand names across cracking forums. Use Google Alerts for this – Johnny Long offers some great tips for doing so (http://www.mrjoeyjohnson.com/Google.Hacking.Filters.pdf) and Google alerts can provide a good identification of the specific risks to your business. Configuration files for your website that are being actively shared and downloaded are a good indication of impending attempts at account takeover.
- Monitor for leaked credentials of your customers, allowing you to take a more proactive response. Consider alerting your customers that their email has been involved in a breach, prompting them to reset their password if they have reused credentials.
- Deploy an online Web Application Firewall. Commercial and open source web application firewalls, like ModSecurity, can be used to identify and block credential stuffing attacks.
- Increase user awareness. Educate your staff and consumers about the dangers of using corporate email addresses for personal accounts, as well as reusing passwords.
- Gain an awareness of credential stuffing tools. Keep an eye on the development of credential stuffing tools, and monitor how your security solutions can protect against evolving capabilities. Some credential stuffing tools are able to bypass some CAPTCHAs, for example.
- Implement multi-factor authentication that doesn’t leverage SMS. This can help to reduce account takeovers, but make sure this is balanced against the friction (and cost) it can cause. The Photon Research team has produced a report, Two-Factor In Review: A technical assessment of the most popular mitigation for account takeover attacks, detailing the technologies involved with 2FA, attacks against the solution, and ways to mitigate them.
How Digital Shadows Can Help
Digital Shadows SearchLight™ uses a combination of proprietary technology and closed source expertise to:
- Detect employee credentials that have been exposed in third party breaches
- Find inadvertently exposed credential by developers or third parties on code-sharing and paste sites
- Uncover phishing attempts to catch the campaigns before they target you
To stay up to date with the latest security research and news, subscribe to our email list below.