Hacking online accounts is becoming easier, cheaper, more available, and more profitable. Every day, cybercriminals steal funds, personal information, sensitive documents, and other assets that are increasingly stored in the cloud today because of the shift to remote work and learning.
Since new entrants to business in the cloud often lack the expertise and security infrastructure, they are prime targets for cybercriminals who conduct fraud and account takeover (ATO).
Once an organization’s account is hacked, the criminals can proceed with various scenarios. Adversaries can steal sensitive information and either release it publicly to damage the organization’s reputation or sell it. On the dark web market, the average cost of one banking account can range from $70 to upwards of $500.
Bad actors can also encrypt the data by using ransomware and demand payment for decrypting it. Recently, Acer was hit by such an attack and faced a $50 million ransom demand – the largest to date.
The spike in account takeover and remote work
Multiple independent studies showed a sharp increase in criminal cyber activity in 2020.
A 2020 Digital Trust & Safety Index report by Sift found that ATO attacks spiked by 28% between Q2 2019 and Q2 2020. Likewise, according to Verizon’s 2020 Data Breach Investigations Report [PDF], over 80% of breaches related to hacking involved brute-force cracking or credential stuffing attacks, in which attackers use lost or stolen credentials.
An increase in remote working calls for a higher level of cybersecurity. Remote workers are at greater exposure to cyber risks while working at home, with nearly half of them falling for phishing scams. Video conferencing, which boomed in 2020, is a big factor here. Over half a million Zoom users lost their personal data (names, passwords, email addresses) during video conferencing between February 2020 and May 2020.
For cyber-attackers, the pandemic is an opportunity they can’t miss, one that brought them billions of successfully stolen credentials in 2020.
And, of course, they tirelessly come up with ever more sophisticated tools that evade most detection, except for the most advanced, state-of-the-art solutions, which we discuss at the end of this article.
Overview of tools and techniques for ATO
Gathering those billions of credentials is impossible without automated tools.
In their arsenal, attackers have tools called “account checkers” that they use to figure out which pairs of credentials are valid and can later be used in credential stuffing tools. Examples of account checkers are Brute, SNIPR, and Checker PSN 1.0.
Next, bad actors have brute-forcing tools that submit a large number of login attempts automatically in order to guess the right combinations of credentials. These tools can eventually crack accounts of banking apps, e-commerce services, video games, social media, VPNs, proxy services, etc.
Private Keeper is a good example here.
Credential stuffing automators [PDF] allow criminals to run automated login attempts against hundreds of platforms to check whether the target has an account there. Credential stuffing differs from brute-forcing in that it replays lists of known credentials rather than guessing combinations: the tools use a predetermined list of access credentials sourced from previous data breaches or leaks, or bought online. Examples are Vertex and Sentry MBA.
Finally, there are next-generation tools that leverage the power of botnets and outsourced computing power to take account cracking a step further. They often rely on cloud computing and even IoT devices and are harder to deal with. Less-sophisticated botnets are easier to block because they use the same IP address and user agent and leave a conspicuous trail of automated, unsuccessful login attempts in system logs. Network administrators can block those IPs by creating traffic rules.
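As an added illustration of the log-based detection described above (not code from the article or from any tool it names), the Python below triages constructed auth-log lines, separating the brute-force pattern (many failures on one account) from the credential-stuffing pattern (one failure each on many accounts) and emitting iptables rules for the flagged sources; the log format, sample addresses and thresholds are assumptions.

```python
"""Triage failed logins from a web auth log: flag source IPs that look like
brute-force (many tries on few accounts) or credential stuffing (one try
each on many accounts) and emit block rules for them.
Added example; log format, sample lines and thresholds are constructed."""
import re
from collections import defaultdict

# Constructed line format: "<ip> ua=<user-agent> login=<ok|fail> user=<name>"
LOG_RE = re.compile(
    r"^(?P<ip>\S+) ua=(?P<ua>\S+) login=(?P<res>ok|fail) user=(?P<user>\S+)$")

SAMPLE_LOG = [  # constructed; RFC 5737 documentation addresses
    *(["203.0.113.7 ua=python-requests/2.25 login=fail user=alice"] * 6),
    *[f"198.51.100.9 ua=Mozilla/5.0 login=fail user=user{i}" for i in range(6)],
    "192.0.2.50 ua=Mozilla/5.0 login=fail user=bob",
    "192.0.2.50 ua=Mozilla/5.0 login=ok user=bob",
]

def parse(lines):
    """One dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, lines) if m]

def classify(events, fail_threshold=5):
    """Label each source IP with at least fail_threshold failures."""
    fails, users, agents = defaultdict(int), defaultdict(set), defaultdict(set)
    for e in events:
        if e["res"] == "fail":
            fails[e["ip"]] += 1
            users[e["ip"]].add(e["user"])
            agents[e["ip"]].add(e["ua"])
    verdicts = {}
    for ip, n in fails.items():
        if n < fail_threshold:
            continue                      # a few typos, not automation
        distinct = len(users[ip])
        if distinct >= 0.8 * n:
            kind = "credential-stuffing"  # breached pairs replayed once each
        elif distinct <= 2:
            kind = "brute-force"          # passwords cycled on one account
        else:
            kind = "mixed"
        verdicts[ip] = {"failures": n, "accounts": distinct,
                        "user_agents": len(agents[ip]), "kind": kind}
    return verdicts

def block_rules(verdicts):
    """iptables rules dropping traffic from the flagged sources."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in sorted(verdicts)]
```

Running `classify(parse(SAMPLE_LOG))` flags 203.0.113.7 as brute-force and 198.51.100.9 as credential stuffing, while 192.0.2.50 stays below the threshold and is left alone.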
The rise of OpenBullet
For a long time, Sentry MBA was the most popular credential stuffing tool. But since April 2019, a new tool has appeared whose popularity grew quickly. In 2020, 35% of references on criminal forums were to this tool, which quickly became the most popular.
This new player is OpenBullet. It is a suite of legitimate tools for website testing and can be used for such legit tasks as scraping and parsing data and automated penetration testing. But for cybercriminals trying to explore ways to compromise their target, this open-source penetration testing tool has become a one-stop-shop for credential stuffing or fake account creation.
The popularity of OpenBullet is mainly due to its open-source status – it’s freely available on GitHub. Besides that, it is continuously updated with new features, offers the ability to customize configurations, and uses little CPU. The ability to download new configurations or customize existing ones allows hackers to get around nearly any organization’s defences if they really want to.
There are OpenBullet configs for almost any popular service including Netflix, Microsoft Azure, IMVU, Scribd, etc. available for sale on cracking forums.
OpenBullet is particularly popular with newbies who can use it by simply following step-by-step instructions readily available online.
It is supported by an active, dedicated community of builders and users.
Many organizations still rely on first-generation protection solutions, which are ineffective against OpenBullet because it is particularly good at evading detection.
Another problem is that bot detection solutions require protection in place for every entry point. If even one entry point or API is left exposed, criminals will eventually detect it by methodically testing endpoints with, for example, OpenBullet.
Protecting your customers and yourself
There is much advice online about the importance of authentication measures like password storage solutions, CAPTCHA, and 2FA. But they are not a panacea. Attackers have proven time and again their ability to beat these mitigation methods.
Cybercriminals can bypass CAPTCHAs by using human-assisted solving services, machine learning solutions, and automated tools (Anticaptcha, Buster, Sentry MBA) with optical character recognition modules, among others.
SMS-based 2FA has been facing a lot of criticism for being too easy to bypass. Attackers can use SIM-jacking/SMS hijacking, for example. In this attack, cybercriminals fool mobile network providers into transferring a victim’s mobile service to an attacker-controlled SIM card and in this way receive any 2FA codes. Other attacks involve SS7 hijacking and specialised malware like Cerberus, which has the ability to bypass Google Authenticator.
What to do then?
Protecting against ATO involves raising the security culture at an organization and adopting the latest in technology.
It starts with simple things like implementing multi-factor authentication that doesn’t rely on SMS. It continues with education about the importance of using long, strong, randomly generated passwords and never reusing them across accounts. QNAP recently warned that if owners of its NAS devices use simple, weak, or predictable passwords, hackers can easily gain access to the device and hijack data.
Yet, the best strategy for preventing ATO is to be proactive and perform continuous monitoring for compromised credentials both on the surface web and the dark web.
Dark web monitoring is especially powerful because it allows for the automated and covert gathering of cyber threat intel from the places where threat actors dwell – dark web fora, marketplaces, and closed hacker communities. It can alert you to references to your company, specific brand names, configuration files for your website, etc. on cracking forums, which may be signs of impending ATO attempts.
Cybercriminals recognize that the data security measures currently in place are not sufficiently robust. Most of these threats have intensified because of the opportunities that have arisen during the COVID-19 outbreak.
Brute-force, cracking tools, account checkers, and credential stuffing tools like the now “industry standard” OpenBullet are the cornerstones of most ATO operations.
Being fully protected from ATO requires a shift in practice from an organization’s decision-makers and employees and a proactive defence strategy. Educate yourself, your personnel, and consumers about all the dangers related to ATO. It pays off to invest in the right threat monitoring solution that will alert you early about IoCs, threat indicators, possible vulnerabilities, etc. so that your organization can remediate them before the attack even takes place.