Securing the Digital World

Credential Checking Services Soar in Popularity on Dark Web

Sep 12, 2016 | by Heidi Bleau |

If you've ever needed another reason to not recycle your passwords, I give you Sentry MBA. Although the tool has been around for a couple of years, it has recently been soaring in popularity among those in the fraud community which is no surprise with more than 1.5 billion consumer credentials breached so far this year.

The automated account checking system allows a fraudster to check multiple compromised accounts, customize the list of targeted entities, and tailor the way each site is approached and checked. In essence, this is a form of brute-force attack software that attempts to log in to multiple accounts with a long list of compromised credentials. Not the type of "MBA" most website owners want working in their company.

In a traditional "brute force" method for hacking into a user account, the attacker will try various permutations of a User ID and password. Think of old-time safecracking where a thief waited to hear the tumblers click into place and the safe door spring open.

A so-called "credential stuffing" attack, however, uses an automated injection of breached username/passwords in pairs in order to gain access to user accounts - significantly reducing attempt/fail combinations and, of course, counting on the fact most users will re-use (and recycle) the same email address, user ID and password as their credentials on multiple websites. And, since each attempt uses a different user name, no one account will raise the red flag to alert IT staff of a suspicious number of failed logins.

As you might imagine, the digital version of this methodology requires many attempts, many of which will be unsuccessful. However, RSA has seen an average of 5 percent success rates in account takeover attacks where stolen credentials from one site are used on a second site, meaning that a list of a million credentials will result in 50,000 hijacked accounts.

What is even more eye-opening is that attacks can be custom designed for each website.

For example, configurations for various websites are available on the Dark Net, specifying in detail the location of the login pages, the individual form fields plus the rules for valid password construction that make it possible for Sentry MBA to log into the site. As a result, for pennies (literally), hackers can take massive amounts of username and password combinations and hit any type of website to check for credentials that are valid.

Identifying Indicators of Attack

Web behavior analytics is an emerging technology designed to identify exactly these types of attacks and provide near real-time visibility of potentially malicious sessions allowing for automated response (i.e., redirect to a customer service page or a honeypot). There are many potential factors that serve as indicators to these types of attacks which can be identified by monitoring the clickstream of site users including:

  • IP addresses responsible for high hits on the login/forgot password pages, which can easily be compared to a previous timespan in which the malicious activity is not present, allowing for fast and accurate detection and analysis of the offending IP addresses
  • High hits on the login and/or password reset pages, minimal page hits elsewhere
  • High failed login count
  • IP addresses with multiple associated users that are located in foreign geo-locations or locations that aren't associated with normal application traffic

To reiterate, while recycling is good for the planet, it is not so good when it comes to passwords. To learn more about how Sentry MBA works, join RSA on September 20 as we take a deep dive into the tool and how it is being used to target popular websites. You can register.