You know how we're all supposed to automate now? Dark web devs were listening

RSA 2016 Security researchers have thrown the spotlight on a popular cybercrime tool that’s used by crooks to automate the process of taking over accounts on major websites before making fraudulent purchases.

Sentry MBA, which is readily available online, offer a way to break into accounts via a point-and-click utility. The tool makes cybercrime accessible to legions of aspiring attackers across the globe and removes the pesky need to learn the coding skills needed to hack into websites through exploiting SQL injection flaws or other vulnerabilities.

Finding website vulnerabilities takes technical skills and it’s a far easier proposition to just hijack a few user accounts. Websites' data breaches mean that many credential lists available for sale or already in the wild. Password reuse means that many consumers use the same login credentials on multiple websites.

Crooks are unlikely to know which consumers have been sloppy with their passwords, much less which higher value accounts these login credentials might unlock. Sentry MBA gets around this problem by creating a means to launch brute force attacks.

Numbers game

Any long list of stolen credentials will almost certainly include many that open accounts on the sites coveted by hackers. Sentry MBA automates the process of testing millions, or tens of millions, of compromised username/password combinations to see which ones work - a task that would be impossibly time-­consuming without automation.

Three things are needed to launch a productive Sentry MBA attack:

• a “config” file to help Sentry MBA navigate the unique characteristics of a targeted site,
• a “combo” list of username/password, or email/password, combinations a would-be cybercrook would like to test¹, and
• a “proxy” file, a list of compromised hosts (also known as proxies or bots) that Sentry MBA uses during the attack. Proxies help the attacker evade website defences, such as captchas, by spreading login attempts across many sources.

Each of theses three items in the witches' brew can be found on the open web, obtained through SQL injection attacks, or purchased from Sentry MBA resellers in cybercrime forums, according to Shape Security:

The open web and dark net are filled with forums offering working config files for specific sites, combo files containing credentials from the latest online breach, and proxy files of bots that haven’t been blacklisted. These underground markets, combined with automated tools like Sentry MBA, create a new cybersecurity reality where devastating online attacks can be launched by any individual with minimal resources.

Once crooks have obtained a list of functioning login credentials at targeted retailers, they can use the information to order high value gadgets using the victim’s stored credit card number before changing the shipping address, allowing crooks to recover the goods or get an accomplice to collect it for them. These knock-off goods would then be sold on for cash.

“Once you’ve maxed out one credit card, just rinse and repeat for all the accounts you cracked,” according to Shape Security. In practice, receiving stolen goods in this way in the riskiest part of the operation for more skilled crooks and carries a substantial risk of tracking and arrest, hence the use of mules to receive and forward goods as part of better organised scams.

Fraud might be detected and stopped at various stages of a fraudulent transaction. Even so, preventing hackers getting into accounts in the first place is obviously undesirable. Data from Shape Security shows there plenty of malfeasance using Sentry MBA going on.

Sentry MBA is a potential menace to any site with valuable data behind its login page. In some cases gamers use the tool to crack into accounts on online gaming websites. Tutorials and YouTube videos (example below) on how to use Sentry MBA are easy to find online.

Brute force

Shape Security’s technology protects banking, retail, healthcare, and government sites from automated (brute force) password guessing attacks, which are commonly run using tools such as Sentry MBA. Shape’s technology protects websites and mobile applications by detecting and preventing automated account breaking attempts.

Analysis by Shape Security of a sample of customer data consisting of six billion login and search page submissions from December of 2015 through January of 2016 found that Sentry MBA attacks were commonplace.

For example, cybercriminals made nearly four million login attempts at a major global bank in four separate attacks over a three-day period. These attacks enlisted over 200,000 proxies located in Russia, Vietnam, Mexico, China, and the US.

Separately, two major breakouts in early December highlight how cybercriminals are turning their attention to mobile APIs. The first attack, focused on the target’s traditional website application, made over 30,000 login attempts using proxies located in Russia. The second attack, focused on the target’s mobile API, made an average of 15,000 login attempts every day for seven days. Both attacks shared 220 proxies, evidence the same miscreants may have been responsible for both attacks.

By reducing the level of technical skill needed to mount a cyberattack, Sentry MBA brings down the skill level needed to run damaging attacks down to point-and-click levels. The marketing of Sentry MBA shows how cybercrime more generally is becoming increasingly compartmentalised and commoditised, Shape Security concludes.

Research on the abuse of Sentry MBA was published in time for the RSA Conference in San Francisco on Wednesday. ®

Bot-note

¹ “Combo” lists often include credentials harvested from breaches at other online locations.