Shape Security Blog : account takeover

Note: this post contains excerpts from a more detailed research note on Sentry MBA that the Shape Security research team has created for the security research community. If you are a security researcher and would like to receive a copy of this note, please contact our research team.

Credential stuffing is an attack that tests stolen credentials against the authentication mechanisms on websites and mobile application API servers, to discover instances of password reuse across those applications, and enable large-scale account takeovers. It is one of the most common attacks on popular web and mobile applications today and is capable of essentially breaching sites that do not have what are considered to be traditional security vulnerabilities. Instead, through automation, the task of hijacking accounts on any popular site is reduced to a question of economics: the attacker is virtually guaranteed to be able to hijack a certain number of accounts per unit of effort.

In order to bypass traditional security controls, like IP rate limits, reputation lists, blacklists, and other forms of IP-based analysis, attackers utilize large sets of proxies and botnets. In order to bypass CAPTCHA and other controls designed to impede automated interaction with user interfaces, attackers use Optical Character Recognition (OCR) software and other complementary mechanisms to read and solve those challenges the way that a human user would.

These services can be tied together to enable any number of automated attack types in economical ways. These economics become particularly cost-effective for cybercriminals when additional management tools are created for the purpose of facilitating specific attack types that combine all of these approaches. Over the past several years, many such tools have emerged that make sophisticated, compound automated attacks simple and efficient to execute by a wide variety of cybercriminals.

In the case of credential stuffing, the most commonly used standalone management tool we have observed enabling attacks is called Sentry MBA. We have been observing Sentry MBA attacks across the Shape network, which includes the websites and mobile applications of some of the world’s largest companies, for some time.

Here is a screenshot of the main interface of the tool, which is a standalone Windows application:

sentry-mba-screenshot

The key inputs for a Sentry MBA attack are:

A config file, which helps Sentry MBA navigate the unique characteristics of the site being targeted; the URL for the targeted website’s login page, for example, is specified in the config file
A proxy file is a list of IP addresses (usually compromised endpoints and botnets) to route traffic through, so that the set of login attempts appears to be coming from a large variety of sources (resembling organic traffic) rather than from a single attacker
A combo list is a database of username/password pairs to be tested against the target site; these lists are typically obtained from breaches on other websites, and sold on underground forums, as well as available on public sites like Pastebin

Sentry MBA has a number of additional features to assist the attacker further, including built-in OCR capabilities for bypassing CAPTCHA challenges and functionality to spoof various browser characteristics, such as the User Agent and Referer strings.

A Sentry MBA config file contains, among other items, the URL for a website’s login page, field markers to help navigate form elements, and rules for valid password constructions. A number of forums offer a wide variety of working configurations for various websites. Here is a screenshot from one such forum:

sentry-mba-config

Once the attacker has a basic working configuration, Sentry MBA offers tools to optimize and test the attack against the live target website. For example, the tool can be configured to recognize certain keywords associated with a website’s responses to successful and unsuccessful authentication attempts.

Proxy lists allow the attacker to bypass IP-based security controls. It is common across many attacks for over 60% of the IP addresses used to be new every day, and the total number of IPs can often go into the tens of thousands. As a result, blacklists can’t be updated quickly enough to be effective, and Sentry MBA can be tuned to ensure that no individual IP sends too many requests, which also prevents rate limiting from being effective.

Finally, combo lists provide the raw materials for the attack. Across the Shape network, we have found that most combo lists have a 1% to 2% success rate, meaning that if an attacker purchases a list from a breach on site A (or a combination of site breaches) and then uses Sentry MBA (or another credential stuffing tool) with that list to attack site B, 1% to 2% of the usernames and passwords from site A will work on site B.

In other words, if an attacker has a combo list of 1 million credentials, they may be able to hijack in the neighborhood of 10,000 accounts on any popular website using Sentry MBA with relative ease. Based on our own research and that of others in the security industry, there are hundreds of millions of unique credentials for sale in underground markets, a figure which is growing rapidly as more sites are breached.

Once a cybercriminal has taken over accounts on their target website or mobile application API service, monetization strategies can take many forms, depending on the business model of the breached application. In fact, that part of the kill chain can be handed off to another group entirely. In the case of bank accounts or stored value card systems, for example, a bundle of breached accounts can itself be sold on underground forums, based on the estimated average value stored in the accounts.

Have you been targeted?

There are a number of ways to detect Sentry MBA attacks. Here are two low-effort mechanisms to determine if you have been targeted by a Sentry MBA attacker. The first is to search the web and the second is to look for the default User Agent strings that comes with Sentry MBA.

Searching the web

If your organization is a sufficiently high-profile target, you may be able to find criminals offering Sentry MBA configs for your website and mobile applications on various forums. Googling “sentry mba X”, where X corresponds to a name of your organization or web property is a good starting place. In this process, it’s critical that in addition to searching the Shallow Web, you also find ways to search the Deep Web. If you are unfamiliar with searching the Deep Web, you should consider consulting experienced open source intelligence analysts.

Sentry MBA default User Agent strings

As Dan Ariely has highlighted, humans tend to use defaults. Attackers are no different and we regularly see proof of this across the Shape network.

By default, Sentry MBA uses the following five User Agent strings:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3
Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00

If you find these User Agent strings in your web logs, you should also be able to find some characteristics of credential stuffing. The OWASP Automated Threat handbook notes that you should observe a high authentication failure rate when a credential stuffing attack is taking place. The term “high” is left to interpretation, but it’s fair to say that any authentication failure rate that is multiple standard deviations beyond the mean for your website qualifies as “high.”

If you decide to blacklist these User Agent strings, you should recognize that they can be changed to bypass such a control. Before you take any action, we recommend you consider the associated game theory.

Conclusion

The rise of Sentry MBA illustrates how automation enables cybercriminals to achieve unprecedented efficiency, efficacy and scale. The script kiddies have grown up and now have access to powerful attack frameworks which rival the complexity of the programming stacks used to create legitimate applications.

There are many automated attack tools, including other credential stuffing frameworks, that vastly exceed Sentry MBA in sophistication. However, this serves to illustrate the real security challenge: the fact that Sentry MBA is so effective on so many major websites and mobile application API services today highlights the need for significantly more advanced application defense mechanisms.

Tweets like the one below are becoming more and more common. This frustrated consumer lost $100 from a gift card account he had with his favorite retailer. Besides the direct financial loss in replacing these stolen funds, the retailer also incurred call center costs and brand damage (this tweet represents just one of many related to hijacked accounts).

As web security moves from an IT problem to a C-Level and board problem, CISOs should create a strategy for protecting their customers and their enterprise from account hijackers. Below we provide 3 easy checks that companies can use to secure their customer credentials.

If 2014 was the year of the breach, then 2015 will be the year of account hijacking at a scale we’ve never seen before. The huge sets of credentials stolen in the past will be tested on just about every major website (and lots of minor ones), and roughly 0.1% to 20% of them will be valid. A Microsoft study found the typical consumer has terrible password hygiene and re-uses the same username / password combination across sites. Specifically, the study found the typical user has 6.5 passwords per 25 accounts, meaning that each user password is shared across 3.9 different sites. Due to frequent password reuse, credentials stolen during the breach of one site are also likely to be valid on 3.9 other unrelated sites. Each breach is also a breach of other sites on which the same credentials are valid.

Why is this so important? According to the 2014 Verizon Data Breach Investigations Report, compromised credentials are now the most commonly-used threat action. Almost every major website, including those with fully-patched, up-to-date security, is susceptible to account takeover and the use of account checker scripts to hijack accounts. Attackers use scripts to take over an account, drain its funds or other assets, and resell the drained account so it can be used for spam, money or reputation ‘laundering’. On our customers’ sites, an average of 60% of login page traffic is caused by malicious bots testing stolen credentials, up 10% from the same time last year.

Here’s a 3-step approach which SysAdmins can implement to help mitigate this vulnerability and protect user accounts.

Step 1. Diagnose if the site already has account hijackers

The first step is to measure whether criminals are actively testing stolen credentials against your website. The easiest metrics to deploy is to inspect failed logins versus successful logins over a typical one-week window. For most enterprises, the graph should have the following characteristics:

Failed logins should be a small percent of successful logins, typically under 10% (this varies widely, but if failed logins are over 100% of successful logins there is a very strong probability of a serious problem).
Failed logins should follow roughly the same pattern as successful logins.
Failed logins should not have large bursts of activity.

Look out for hijackers guessing at your usage bursts and trying to hide within that. Also, look for DDOSing attackers who hide within a large amount of fake web traffic that they create. There are many patterns and signs to evaluate. The techniques above can help you determine whether you have a problem.

Step 2. Recognize that old traps don’t stop new login attackers

The traditional approaches to stopping account takeover (throttling, reputation, and CAPTCHA) are not current. They are outdated and ineffective. Don’t get caught deploying a solution easily defeated by criminals.

Throttling solutions: Throttles won’t help, but they can hurt.
Brute force throttling solutions will not reliably protect your website because determined adversaries will reduce the speed of their attack to fall below the threshold for detection, or source the attack from a diverse set of source IPs to spread out their traffic. Even unsophisticated crooks will quickly realize that web security throttles initially let the attack go unabated, typically for the first 60-90 seconds. Typical customers using rate-limiting heuristics find that 5,000 login attempts can occur in the first 90 seconds. If we assume a 1% success rate, which is conservative, each IP address used for the 90 second window will give the attacker access to 50 accounts. If we assume an average loss of $200 per account, the crook will net an estimated $10,000 per incident, with no real limit on the number of incidents beyond the availability of credentials to test.
Reputation solutions: Reputation isn’t what it used to be.
Reputation solutions, especially IP-based products, are increasingly easy to circumvent given rentable legal (like Rackspace and Amazon) and illegal infrastructure (from crimeware-as-a-service botnet creators who, according to Gartner, rent 10,000 clean IP nodes for $1.50 per hour). Botnets are especially damaging to the efficacy of IP reputation services, since botnets are comprised of zombified computers and therefore appear to be valid residential IPs. We can expect the botnet problem to get worse with the end of support for Windows XP.
CAPTCHA solutions: This antiquated method disrupts customers, not fraudsters.
CAPTCHA is disintermediated by commercial bypass services. Search for “CAPTCHA bypass service” to find a list of services that provide 1000 solved CAPTCHAs for as little as $1.39, with 95% accuracy. As the average user is only 71% accurate when solving CAPTCHAs, bypass services are 25% more accurate than legitimate users. This is equally true for niche CAPTCHAs like Confident Technologies’ implementation, mainstream CAPTCHAs like Google’s reCAPTCHA, and even reCAPTCHA v2.

Step 3. Implement user interface security on the login page

To protect user login accounts from being hijacked, we propose a solution that has been long-theorized but undeployable till now. We suggest that sites make critical elements of the underlying code dynamic, rendering machine automated attacks impractical to implement. We call this “user interface security” because it protects the user interface’s HTML, DOM, CSS and JavaScript from attack. This new method of defense defeats script attacks on web applications, and can be home-grown or purchased from Shape Security as a network appliance.

Malware has long used polymorphic code to hide itself from antivirus products by looking unique every time it infects a new machine. SysAdmins can invert this concept and use polymorphism to disable an attacker’s capability to script commands against targeted sites.

This technique is both cutting-edge and effective. Our chief scientist, Xinran Wang, Bob Blakley of Citibank, and Professor Tadayoshi Kohno of the University of Washington authored an academic paper on making web elements dynamic to defeat web automation. The paper was presented at the 2014 International Conference on Applied Cryptography and Network Security.

You can read it here.

Keep an eye out for forthcoming articles where we will categorize threats that rely on automation and the appropriate anti-automation control.

Contact Shape to protect your web application’s user interface.

Tag: account takeover

A look at Sentry MBA – the most popular cybercriminal tool for credential stuffing attacks

Have you been targeted?

Searching the web

Sentry MBA default User Agent strings

Conclusion

3 Steps for CISOs to Protect Login Accounts

Step 1. Diagnose if the site already has account hijackers

Step 2. Recognize that old traps don’t stop new login attackers

Step 3. Implement user interface security on the login page

Have you been targeted?

Searching the web

Sentry MBA default User Agent strings

Conclusion

Share this:

Like this:

Step 1. Diagnose if the site already has account hijackers

Step 2. Recognize that old traps don’t stop new login attackers

Step 3. Implement user interface security on the login page

Share this:

Like this: