Account takeover (ATO) has become a serious issue for many organizations. Digital Shadows (now ReliaQuest) has identified over 15 billion credentials circulating across dark web marketplaces. A whopping 5 billion of those are unique – the kind of stuff that sends shivers up a security practitioner’s spine, right? ATO manifests itself through several methods such as harvesting, buying, and renting credentials, or even re-using freebies. While some methods are easier than others and have a lower barrier to entry, let’s lift the lid on the sophisticated ATO attacker’s toolkit and see what you should be concerned about.

Brute-forcing versus Credential Stuffing versus Checking

Before we get started, and to make sure we’re all on the same page, let’s outline some definitions:

  • Brute-forcing is a trial-and-error method where attackers, quite literally, force their way into an account by inputting letters and numbers into a login field to find credentials. This can be done manually or with a program (aka a brute-force tool).
  • Credential stuffing is a subtype of brute-forcing that uses password lists to gain access to an account. Just like brute-forcing, attackers still force their way in; however by using this method, they have a list of passwords to pull from.
  • Account checkers are tools that are used to rapidly determine the validity of a credential pair for a specific account. Before attempting to sell or disperse login data, cybercriminals will commonly confirm that their harvested credentials are legitimate; account checkers help with this cause.

Alright, let’s get to it.

Brute-force, cracking tools, and account checkers

Brute-force, cracking tools, and account checkers are the cornerstones of many account takeover operations, reliably enabling attackers to get their hands on even more of your data. They’re automated scripts or programs applied to a login system―whether it’s associated with an API or website―to access a user’s account. Although some attack campaigns using these tools may be subtle and hard to detect, others are much more overt and resemble distributed denial of service campaigns.

Criminal operations using brute-force cracking tools or account checkers may also take advantage of IP addresses, VPN services, botnets, or proxies to maintain anonymity or improve the likelihood of accessing an account. Once they’re in, they can use the account for malicious purposes or extract all of its data (potentially including payment-card details or PII) to monetize it.

Figure 1: Advertisement for a bank login brute-force cracking tool on Empire

The Photon team found a myriad of brute-force cracking tools and account checkers available on criminal marketplaces for an average of just $4. Some advertisements were super vague―“USA Bank login Cracker Bruter”―but others were obviously targeting a specific service, like Hulu, Minecraft, or Spotify. Most of the tools didn’t seem to be named, but some listings claimed to include the Burp Suite Professional application security testing software, Hydra login cracker, Zeus and WarBot botnets, and Sentry MBA account cracker.

Based on their descriptions, these tools can “crack” accounts associated with banking, video games, e-commerce services, social media, streaming, VPN accounts, and proxy services. The only items required to conduct ATO with these tools are a proxy and an email address or username and password combo list―which, as we said above, can be easily purchased or acquired for free on a criminal marketplace.

Figure 2: Average price of brute-force cracking tools by industry they’re used to target
Figure 3: Prevalence of brute-force cracking tools by targeted industry
Figure 4: Advertisement for a brute-force cracking tool on Empire

Tools of the trade

If an attacker acquires a list of credentials that have been exposed in breaches, what do they do next? Well, credential stuffing attacks are undeniably popular and push ATO to the next stage by opportunistically providing initial access to accounts. These attacks are typically automated login attempts that use a predetermined list of access credentials—often, combinations of usernames or email addresses and plaintext passwords—sourced from previous data breaches or leaks. Credential stuffing differs from brute-force cracking, which uses password lists or other resources to guess a successful match.

Figure 5: References to credential stuffing tools across criminal locations, January 2020-June 2020

Threat actors are always advertising new tools across criminal locations―dark web pages, forums, chat platforms―to dig up and reuse credentials. Here are some of those trending in 2020.

Figure 6: Private Keeper user interface

Private Keeper is a tool used across Russian-language cybercriminal platforms, developed by a threat actor who goes by deival909. Initially created as a brute-force cracking tool, the software underwent several changes during its development, enabling users to create and configure their own brute-force crackers and utilities with the help of in-line technology. Private Keeper contains a utility for collecting private proxies from other private services and provides access to multiple finished projects in an application store. Online tutorials explain how to use Private Keeper to target specific victims, such as banks and other financial organizations. 

Vertex requires users to supply a list of credentials and proxy servers, similar to Sentry MBA. Although the software is still regularly used and advertised on carding and cracking sites, it’s not as popular as Sentry MBA and has different functionality.

Figure 7: Vertex user interface

Account Hitman is not specifically a credential validation tool, but the software requires credential lists and proxy server lists to attack website login portals, similar to Sentry MBA and Vertex. The help guide, which is built into the program, likely appeals to less advanced users; Account Hitman will probably continue to be a predictable choice for novice threat actors.

Figure 8: Account hitman user interface

SNIPR was created by a threat actor known as PRAGMA. The tool has been around since April 2017, functioning similarly to Sentry MBA. SNIPR is installed with a variety of pre-built configurations for popular sites, including requested URLs, user agent strings, data capturing form requests, and the correct order of authentication. There’s also an in-built mechanism for public proxy scraping or the ability to import specified lists.

Figure 9: SNIPR user interface

BlackBullet is an increasingly popular tool, created by the threat actor Ruri and, later, released as a cracked version by “Yuki” and “Crank.” A BlackBullet user must list username and password combinations to try on a web application and a list of proxy servers. This counters organizations’ attempts to deter credential stuffing when they limit the number of attempts an IP address can make to automate account validation.

Figure 10: BlackBullet user interface

OpenBullet: Move over, Sentry MBA

Figure 11: Configuration Manager view in OpenBullet

This wouldn’t be a complete blog if we didn’t address the elephant in Figure 5 (ahem, the tool with over 1,000 mentions since January 2020). For many years, Sentry MBA has been one of the most widely used tools, and the most recognizable, in credential stuffing attacks. Sentry MBA still attracts significant interest, but a new player has entered the Thunderdome: OpenBullet. OpenBullet is a website testing suite of software that allows users to perform requests on a target web application, and it’s been gaining interest across criminal locations since early April 2019. The software was first released on OpenBullet’s Github page on 26 Mar 2019, which explains the significant increase in dark web mentions that occurred in April 2019

Figure 12: Mentions of OpenBullet across criminal forums, April 2019-July 2020

Ostensibly created for legitimate purposes, OpenBullet includes multiple tools that can be used for scraping and parsing data, automated penetration testing, and unit testing with Selenium. By comparing BlackBullet’s user interface with OpenBullet, you can see that the tools look pretty similar. Based on criminal forum users’ commentary, the programs are almost the same; however, OpenBullet has new features and different configuration types, while BlackBullet’s configurations are encrypted. Aside from continuously updated features and lower GPU-usage, the attractiveness of OpenBullet is mainly due to its open-source nature. The ability to download or customize configurations that harness the potential to get around an organization’s defenses (after some simple reconnaissance) allows attackers to adjust their attack tactics, techniques, or procedures quickly. In the simplest of terms, it’s a one-stop-shop for cybercriminals trying to explore ways to compromise their target.

Throughout our research, we identified multiple tutorials on how to use OpenBullet in conjunction with hundreds of configurations for sale. Given its popularity, it appears that someone even created an unofficial online store where cybercriminals can purchase combolists, configurations, accounts and databases, and account checkers alongside ebooks and how-to guides. While the official GitHub page for OpenBullet states that performing attacks on sites not owned by the user is illegal, I think it’s fair to assume that this tool will continue to be used for nefarious purposes. Even if OpenBullet was developed for the greater good, there’s always a way to turn it into a malicious program, and I think cybercriminals can attest to that.

Tools of another type

Just gaining access to accounts that have reused credentials is not always the end goal. These accesses can be used as pivot points to access even more sensitive information. Take, for example, the Cre3dov3r tool, which searches for public leaks related to any specified email address; if passwords are identified, the tool checks seven popular websites—including GitHub and Stack Overflow—to see if the credentials are valid or whether CAPTCHA is blocking access.

Although not a tool by itself, a code repository can be a particularly lucrative way to kick off ATO if it contains keys or other secrets that can access accounts holding even more sensitive data. As outlined in the book Hunting Cyber Criminals, several high-profile breaches have resulted from attackers brute-force cracking developer accounts on GitHub. In Verizon’s 2020 Data Breach Investigations Report, it was determined that over 80% of breaches involved brute-force or the use of lost or stolen credentials. Back in November 2019, the Photon team actually did a capture the flag (CTF) workshop that focused on this very topic: How an attacker can use open-source tools to take advantage of sensitive information inadvertently exposed on code-sharing repositories. (A recap of that event can be found here, and we also have a GitHub repository here.)

Figure 13: Cr3dOv3r screenshot of the tool in use posted on blog article (Source: kitploit[.]com)

From Exposure to Takeover

If you enjoyed this blog (and thank you for reading by the way), have a gander at the new research that Digital Shadows (now ReliaQuest)’ Photon Research Team recently released, From Exposure to Takeover: The 15 billion stolen credentials allowing account takeover. Not only do we discuss the attacker’s toolkit; we explore what ATO actually is, why it’s so attractive to cybercriminals, the methods that attackers use to gain access to accounts, the impact it has on organizations, and some useful mitigation recommendations.