Introducing Blackfish, a system to help eliminate the use of stolen passwords

Today we’re releasing Blackfish, a system that proactively protects companies from credential stuffing before an attack takes place. Normally, credential stuffing starts with a data breach at one major company (“Initial Victim”), and continues when a criminal then uses the stolen data (usernames and passwords) against dozens or even hundreds of different companies (“Downstream Victims”). Usually, many months or years pass before the Initial Victim realizes and discloses the initial data breach, and in that time, criminals are able to successfully attack huge numbers of Downstream Victims. Later, once the Initial Victim does disclose the breach, the Downstream Victims start matching the username/password pairs from the Initial Victim against their own user databases, and resetting any passwords that match. The whole process can take years and results in hundreds of millions of dollars worth of fraud and brand damage.

Blackfish changes all that. From the very first moment a criminal attempts to use stolen usernames and passwords, Blackfish begins monitoring and protecting matching accounts at other companies. So, while under normal circumstances a criminal can get hundreds of chances to monetize the stolen usernames and passwords, with Blackfish in place, criminals get far fewer chances.

You may be wondering how Blackfish can accomplish all this. Explaining that requires a little background on Shape Security.

We founded Shape six years ago to answer a simple question: is a visitor to a web or mobile app an actual human being? This simple question proved to be an important one. As we perfected our ability to answer it, we started eliminating enormous amounts of fraudulent traffic from the largest web and mobile apps in the world — often 90% or more of the login traffic from a Fortune 100 web application.

Today, we are the primary line of defense for many of the largest organizations around the world. Our customers include: three of the top four banks, three of the top five airlines, two of the top three hotel chains, and numerous other leading companies and government agencies.

We secure all of those large organizations in a centralized way, directly delivering the security outcome of eliminating fraudulent traffic. That centralized security capability is also the heart of Blackfish, and allows Blackfish to see stolen usernames and passwords in use far before anyone else ever knows about them (including the Initial Victim).

Think about it: if you were a criminal and managed to steal all the usernames and passwords from a major corporation, where would you try them out? If you’re like most criminals, the answer is that you’d try them on the largest banks, airlines, hotels, and retail sites in the world. That’s what happens in practice, and when it does, that’s also when Blackfish sees the very first such attack, and sets about protecting all username/password pairs that happen to match on other large websites.

Blackfish does all this before the original data breach is reported or even detected by the Initial Victim company.

The problem with looking for credentials on the dark web

You can scour the dark web to find user credentials, but one of the greatest dangers companies face today is the long window of time between when breaches occur on third-party websites like Yahoo, and when those breaches are discovered and announced. Instead of hoping that stolen passwords will appear in the dark web in time to be useful, Blackfish autonomously detects credential stuffing attacks on the largest, most targeted websites in the world, identifies newly stolen credentials, and nullifies them globally. That stolen data becomes useless to cybercriminals.

How does it work?

Shape has grown into one of the largest processors of login traffic on the entire web. We have built machine learning and deep learning systems to autonomously identify credential stuffing attacks in real-time. These systems now generate an important byproduct: direct knowledge of stolen usernames and passwords when criminals are first starting to exploit them against major web and mobile apps. What this means is that we see the stolen assets months or years before they appear on the dark web.

Blackfish’s knowledge base of compromised credentials is built with maximum security in mind. To ensure that its knowledge base is secured, Blackfish does not store any credential information but instead leverages Bloom filters to create probabilistic data structures to perform its operations. As a result, the compromised credentials themselves are not stored anywhere and Blackfish can use the information about compromises to improve security while maintaining full data privacy.

What good is a stolen password if you can never use it?

For better or for worse, memorized secrets (a.k.a. “passwords”) are the most widely used authentication mechanism online. As such, having access to millions of stolen passwords (over 3.3 billion were reported stolen in 2016 alone) allows cybercriminals to easily take over users’ accounts on any major website. They do this with credential stuffing attacks, which take stolen passwords from website A and try them on website B to see which accounts the same email addresses and passwords will unlock. Cybercriminals can do this reliably with a typical 1-2% success rate, allowing them to seize the value in bank accounts, gift card accounts, airline loyalty programs, and other accounts, which they can then monetize for a predictable ROI.

Since credential stuffing attacks are responsible for more than 99.9% of account takeover attempts, if we identify the stolen credentials that are used in these attacks, and invalidate them across other websites, we change the economics for cybercriminals significantly. If their 1-2% success rate now drops by two orders of magnitude or more, their “business” no longer functions. At that point, the cybercriminal has no choice but to try to obtain new stolen passwords. If those new passwords are similarly detected and invalidated, it will become clear to the criminals that the economics of their scheme have been broken. We think that over time, Blackfish will end credential stuffing for everyone.

We are all very excited at Shape to announce this system and our vision to make credential stuffing attacks a thing of the past. You can learn more on our website and contact us when your company is ready to try Blackfish.

The Half-Day Attack: From Compromise to Cash with Sentry MBA

Sentry MBA-2

Sentry MBA, an automated attack tool used to take over accounts on major websites, makes cybercrime accessible to legions of attackers across the globe. Sentry MBA illustrates the pivotal role automation plays in online attacks and shows how cybercrime is increasingly compartmentalized and commoditized.

Allow me to illustrate with a short story.

Let’s say you’re a would-be cybercriminal looking to make some quick cash. There are many ways to make money on the Internet – especially if you think shoplifting’s a harmless recreational activity – so you hatch a plan to break into your favorite online electronics retailer’s website, order a few televisions, and have them shipped somewhere you can grab them.

But you have a problem: finding website vulnerabilities requires technical skills you just don’t possess. And even if you were a sophisticated cybercriminal, who really wants to spend their valuable time crafting SQL injection or cross-site scripting attacks? It’s far easier to just hijack a few user accounts. The authors of Verizon’s data breach report said as much: “With so many credential lists available for sale or already in the wild, why should a criminal actually earn his/her keep through SQL injection when a simple login will suffice?”

After doing some research, you may stumble across a tool like Sentry MBA. You might not have the technical expertise to research and hand-craft a targeted online exploit, but with Sentry MBA you can launch sophisticated and damaging attacks that are capable of penetrating the defenses employed by major corporations.

It’s a numbers game that works because so many people use the same passwords for multiple online accounts. Any list of stolen credentials will almost certainly include some that allow you to access accounts on the site you’ve targeted. Once you’re in, the retailer is your oyster. You can order any fancy gadget you please with the victim’s stored credit card number, change the ship-to address for your delivery convenience, and resell the goods for cash. Once you’ve maxed out one credit card, just rinse and repeat for all the accounts you cracked.

Sentry MBA automates the process of testing millions, or tens of millions, of username/password combinations to see which ones work. Without automation that task is impossibly time-consuming.

Shape Security protects websites and mobile applications by detecting and preventing automated attacks, including credential stuffing attempts. Shape analyzed a sample of our customer data consisting of six billion login and search page submissions from December of 2015 through January of 2016 and found that Sentry MBA attacks were commonplace. Here are some anonymized examples of the attacks we found:

  • Over one week in December, cybercriminals made over 5 million login attempts at a Fortune 100 B2C website using multiple attack groups and hundreds of thousands of proxies located throughout the world
  • Over two days in January, a large retailer saw two major Sentry MBA attacks with over 20,000 total login attempts
  • During one day in January, a large retailer witnessed over 10,000 login attempts used Sentry MBA and over 1000 proxies
  • Two attacks in December highlight how cybercriminals are turning their attention to mobile APIs. The first attack, focused on the target’s traditional website application, made over 30,000 login attempts using proxies located in eastern Europe. The second attack, focused on the target’s mobile API, made over 10,000 login attempts on a daily basis. Both attacks shared hundreds of IP addresses and other characteristics, indicating the same actors may have been responsible.

By reducing the level of technical skill needed to mount a sophisticated cyberattack, Sentry MBA brings damaging attacks within reach of more and more cybercriminals. The open web and darknet are filled with forums offering working Sentry MBA configuration files for specific sites and credential lists to try. These underground markets, combined with automated tools like Sentry MBA, create a new cybersecurity reality where devastating online attacks can be launched by any individual with minimal resources.

The best way to stop Sentry MBA attacks is to detect and deflect them before they take over accounts through your website or mobile application API. Shape Security protects you and your customers from online fraud committed by cybercriminals using automated attack frameworks, whether they are Sentry MBA or other toolkits.

For an in-depth exploration of Sentry MBA, please see our post from our research team: A look at Sentry MBA.