There are several Discord servers that host discussions relating to cracking. Some serve as official channels attached to online cracking communities such as Nulled, or even as a spillover community for darknet market users. Many of these servers host discussions on broader hacking topics, including cracking, while others are specific to it. Many of these communities also serve as a platform for vendors to sell custom configs, combolists, and tools for the purpose of account takeover.
The sale of taken-over accounts is a popular and lucrative business. The tools, methods, and means used to achieve credential stuffing have evolved significantly in the last couple of years, but we also see criminals using older tools that still work well. For example, the ever-popular credential stuffing tool Sentry MBA includes features such as OCR (optical character recognition) functionality to bypass captcha challenges.
So how can you tell where credential stuffing attacks are coming from? Although they can be masked, many tools (like Sentry MBA and Vertex) have default user agent strings that may be left behind in your web server logs. Attacks that originate from a single device controlled by a less-sophisticated operator will usually carry the same user agent string on most requests. Botnets that attack from tens of thousands of different proxies and rotate through a plethora of user agents will still attack en masse, in a manner that is a dead giveaway when you look at volume, failure rate, and source diversity together. But blocking those attempts requires more sophisticated, heuristics-based tools designed to recognize not only signatures, but behaviors.
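The three signals above (a known default user agent, one host hammering the login endpoint, and a burst of failures spread across many source IPs and user agents) can be checked directly against web server logs. The following is an added example, not code from the original article or from any of the tools it describes. It assumes Apache/nginx combined log format, a credential-submission endpoint at `/login`, and a signature table whose single entry is the string widely reported in public write-ups as Sentry MBA's default user agent; treat that string, the thresholds, and the endpoint as assumptions to validate against your own captures. The log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format (Apache/nginx default):
# ip - - [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0 ..."
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

LOGIN_PATH = "/login"  # ASSUMPTION: your application's credential-submission endpoint
FAIL_STATUSES = {401, 403}

# ASSUMPTION: tool default user agents to flag. The entry below is the string widely
# reported in public write-ups as Sentry MBA's default; validate against your own captures.
TOOL_UA_SIGNATURES = {
    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1": "Sentry MBA (reported default)",
}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def login_attempts(records):
    return [r for r in records if r["method"] == "POST" and r["path"] == LOGIN_PATH]


def signature_hits(records):
    """Rule 1: exact match on a known tool default user agent (cheap, easily masked)."""
    return [(r["ip"], TOOL_UA_SIGNATURES[r["ua"]]) for r in records if r["ua"] in TOOL_UA_SIGNATURES]


def per_ip_failures(records, min_failures=5):
    """Rule 2: a single source producing repeated login failures (operator on one host)."""
    counts = defaultdict(int)
    for r in login_attempts(records):
        if r["status"] in FAIL_STATUSES:
            counts[r["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= min_failures}


def distributed_windows(records, window_s=60, min_attempts=8, min_fail_rate=0.9, min_ip_ratio=0.5):
    """Rule 3: a burst of mostly-failed logins spread across many IPs (proxied botnet).
    Buckets login POSTs into fixed windows and returns a summary dict per flagged window."""
    attempts = sorted(login_attempts(records), key=lambda r: r["ts"])
    if not attempts:
        return []
    t0 = attempts[0]["ts"]
    buckets = defaultdict(list)
    for r in attempts:
        buckets[int((r["ts"] - t0).total_seconds()) // window_s].append(r)
    flagged = []
    for b, rs in sorted(buckets.items()):
        n = len(rs)
        fails = sum(1 for r in rs if r["status"] in FAIL_STATUSES)
        ips = {r["ip"] for r in rs}
        if n >= min_attempts and fails / n >= min_fail_rate and len(ips) / n >= min_ip_ratio:
            flagged.append({
                "window_start": t0 + timedelta(seconds=b * window_s),
                "attempts": n, "failures": fails,
                "distinct_ips": len(ips), "distinct_uas": len({r["ua"] for r in rs}),
            })
    return flagged


# --- constructed sample log: one legitimate user, one single-host Sentry MBA run,
# --- and one distributed burst from ten addresses rotating four browser user agents.
def _line(ip, hhmmss, method, path, status, ua):
    return f'{ip} - - [10/Oct/2023:{hhmmss} +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'

SENTRY_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
BROWSER_UAS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/117.0 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) AppleWebKit/605.1.15 Safari/605.1.15",
    "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148",
]
SAMPLE_LOG = "\n".join(
    [_line("198.51.100.7", "13:55:30", "GET", "/", 200, BROWSER_UAS[0]),
     _line("198.51.100.7", "13:55:40", "POST", "/login", 302, BROWSER_UAS[0])]
    + [_line("203.0.113.5", f"13:55:{36 + i:02d}", "POST", "/login", 401, SENTRY_UA) for i in range(6)]
    + [_line(f"192.0.2.{i + 1}", f"13:57:{2 * i:02d}", "POST", "/login", 401, BROWSER_UAS[i % 4]) for i in range(10)]
)


def analyze(text):
    recs = parse_log(text)
    return {"signature_hits": signature_hits(recs),
            "noisy_ips": per_ip_failures(recs),
            "distributed_bursts": distributed_windows(recs)}


if __name__ == "__main__":
    for k, v in analyze(SAMPLE_LOG).items():
        print(k, v)
```

On the sample, rule 1 and rule 2 both point at 203.0.113.5, while the ten-address burst trips only rule 3: no signature matches and no single IP exceeds the per-IP threshold, which is exactly why signature-only blocking misses proxied botnets. Tune the window and ratio thresholds against your own baseline login volume before alerting on rule 3.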
A newer account checker called SNIPR has become more popular within the credential stuffing community. SNIPR is a stand-alone tool, not a mod of a more popular tool like Sentry MBA, and it represents a new, more sophisticated generation of credential stuffing tools.
SNIPR features innovations that enhance user friendliness and detection evasion. In addition, it comes pre-baked with built-in configurations targeting popular websites, so that even low-skill criminals can operate the tool without building and uploading the configuration files required by tools such as Sentry MBA. Users can still do this, of course, but configs for many popular targets are built in. These files typically include the target URL, user agent, and any additional information required for targeting. SNIPR supports both online and offline credential stuffing attacks.
OpenBullet is a relatively new credential stuffing tool that, like Sentry MBA, Vertex, and others, performs multiple tests against a targeted application. Besides its use as an account checker, the tool can also be used for scraping, parsing, and penetration testing.
OpenBullet has its own dedicated forum, which offers the latest version of the tool for download but cautions that it is not a cracking forum. There are several cracking tutorials on YouTube, cracking communities, and other hacking forums that instruct users on how to use the tool for the purpose of unauthorized account takeover.
In one cracking community, a user commented that OpenBullet is better than Sentry MBA and SNIPR because their configuration files are outdated, and that few make configuration files for these tools anymore. While configs for Sentry MBA, SNIPR, and other well-known tools can still be found within cracking communities, there is a new and noticeable trend for OpenBullet configs as well. OpenBullet configs for services such as Netflix, Microsoft Azure, IMVU, Scribd and other services are for sale on cracking forums.
As with Sentry MBA and other tools, custom Private Keeper configs and URL inputs can be found being traded and sold within cracking communities for the purpose of account cracking. Common targets for Private Keeper seem to include popular online video games and streaming services.
Several custom standalone account checkers have been distributed throughout various underground forums. Tools like these exist in multiple languages and may target specific services, or focus on certain features such as usability or detection evasion.
We see the familiar functionality to upload combolists and proxies. A statistics bar shows the status of ongoing attacks, including uploaded proxies, uploaded accounts, good accounts, bad accounts, captchas, and errors.
These tools are written in a variety of languages and frameworks, or may be mods of existing tools. They are frequently seen for sale or trade on popular dark markets or within online cracking communities.
On average, attackers see up to a 2% success rate in gaining access to these accounts simply due to password reuse. This may sound like a relatively insignificant proportion, but it equates to billions of dollars worldwide in automated fraud losses.
1. A third-party breach occurs, credentials are leaked, or a site is compromised in some other way. The breached data is then posted to public paste sites, sold in bulk on underground marketplaces, and/or traded and advertised in underground forums.
2. A threat actor acquires the leaked usernames and passwords directly from the breach or by purchasing/trading in the underground. Some underground websites even advertise the expected success rates of their credential lists.
3. The attacker uses automated credential stuffing tools, sometimes via botnets, to test the stolen credentials against many other sites (to name a few: social media sites, retail organizations, loyalty programs).
This honor system has helped create self-sustaining micro-markets for the creation and trade of Sentry MBA config files and combolists. There are also marketplaces dedicated solely to the sale of Sentry MBA inputs. These often require a bitcoin wallet to purchase inputs.
Apex Cracker was originally released on MediaFire on April 7, 2013 and advertised on several cracking sites. Like Sentry MBA and Vertex, Apex Cracker requires a config file, a combolist, and a proxy list in order to work.
Wordlists and compromised lists of email-address/password combinations are the foundation of credential stuffing operations. Multi-million-record data leaks in circulation on the darknet, like Collection #1-5, RockYou, and the Compilation of Many Breaches (COMB), make potential username/password combinations easily discoverable and exploitable at scale. Such leaks are used as input for credential stuffing scripts and applications. Wordlists are also in regular circulation among darknet threat actors, and some are already integrated into Linux distributions favored by pen-testers and hackers alike.
Links to wordlist text files and wordlist generators are shared across darknet forums and chatrooms that facilitate ATO, and many of them are hosted on GitHub. At the time of writing, there are over 5,000 repositories containing wordlists on GitHub alone. Dictionary lists in English are the most common, but other languages are also available.
Scalable exploitation of stolen or compromised data will persist and we anticipate the development of more sophisticated automation utilities and maintenance of existing lists to continue. Since offensive security specialists will also continue to develop and utilize wordlists for their network vulnerability assessment activities, cybercriminals will leverage these where available. Anything that is readily in use for offensive security purposes will also be exploited for malicious gain.
Accounts are further advertised as high quality (HQ) or ultra-high quality (UHQ), with or without two-factor authentication (2FA), or described as full access (FA), indicating that additional personally identifiable information (PII) is available to maintain persistent access to the online account. Accounts for popular online commercial applications, email providers, and streaming services are compiled and sold in bulk for a higher price. Some accounts sell for as little as $1.50 USD each, and combos are sold in higher volumes, e.g. 100,000 Hotmail or Outlook accounts for 100 Euros.
Defensive security measures like multi-factor authentication (MFA) provide some degree of protection against account takeover using a compromised username/password combination. Unfortunately, one cannot assume MFA is 100% effective at protecting the victim account from an ambitious cybercriminal. Many individuals disregard exposure in a combolist when such measures are in place, and will not even bother to update the account with a new, more complex password. The flaw in this logic is that once a combo has been verified, especially for a target with a high probability of financial or information return, such as blackmail or extortion, a cybercriminal will willingly purchase the combo with more malicious intent. Using an exposed combo for a personal email account like Yahoo facilitates additional targeted phishing or social engineering on social media or other platforms to obtain further PII that can be used to bypass MFA, e.g. security question answers, seed phrases, mobile phone numbers, and digital identity authenticator tokens.
While simple commercial combolists and verified accounts appear for free or relatively cheaply in darknet marketplaces, accounts with potentially higher financial return, like validated accounts at banks or financial institutions and cryptocurrency wallets, trade at significantly higher prices. One user on Telegram advertises individual Coinbase accounts for sale at $60-100 USD depending on the value of the wallets. Even cold wallets have been successfully compromised using the sophisticated social engineering methods that cyber fraud criminals pride themselves on.
While credential stuffing as a technique is not new, the tools and tactics that are emerging are increasingly sophisticated. As ransomware attacks have become more frequent in recent years and continue to rise, so has the availability of leaked credential and user data. This ultimately makes credential stuffing even more efficient as a means of brute-forcing account takeovers, as there is more data for attackers to cross-reference and attempt to use to gain access.