xorl %eax, %eax

Threat Analysis: Account Takeovers & Cyber-Crime


Account Takeover (ATO) is a simple type of attack that has increased tremendously over the last few years. Here we will be focusing on ATO via credential stuffing, as it is the most common method employed today. The reasons are the number of insecure systems exposed to the internet and the constantly growing number of breaches of large user databases. In this post, I will try to guide you through account takeover/credential stuffing attacks from the cyber-crime perspective. But let’s start with one of my favorite quotes from “The Art of War” by Sun Tzu.

If you know the enemy and know yourself, you need not fear the result of a hundred battles.
If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.
If you know neither the enemy nor yourself, you will succumb in every battle.


Today most enterprises are good on the first part of this (knowing themselves), and this is what drives their security initiatives and controls. However, they fail when it comes to knowing their enemy. The aim of this post is to help you know your enemy when it comes to ATO.

Compromised accounts during the first three months of 2016-2017.
Source: Microsoft Security Intelligence Report Volume 22


ATO is an attack where an adversary takes control of a victim’s account, typically by discovering the account’s credentials. Although this can be achieved via traditional brute-forcing, it is not very efficient. So, most cyber-criminals implement this attack using credential stuffing, and specifically the following process.

  1. Collect valid credentials for real accounts
  2. Try to reuse those against the target website(s)
  3. Verify/check if those accounts include payment methods (e-wallets, credit cards, etc.)
  4. Sell the discovered accounts to black markets

Simple, right? Maybe too simple. And this is one of the reasons why it is so effective. It is simple and profitable. Now, we need to understand every single one of those four steps to see how our adversaries operate. This is what we will do next.

1. Collect valid credentials for real accounts
The terminology that cyber-criminals use when it comes to this stage include the following three terms.

  • Anti-public or private: A list of credentials that is not publicly available.
  • Public: A list of credentials that is publicly available, typically result of a major data breach.
  • Combo: This has two meanings depending on the context. In some cases it means that it is a list of a username/password combinations. And in other cases (most commonly) that it is a combination of multiple private and/or public lists.

Getting a so-called public list is relatively simple. Databases from high-profile data breaches are available on the internet to anyone. There is not much explanation required here.
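Because those public lists are available to anyone, a site operator can use the same artifact the attacker uses. The following is an added example, not code from the original post: it parses a combo list in the formats commonly seen in the wild (email:password, user;password, tab-separated), splitting on the first separator only so that passwords containing ":" survive, deduplicates the pairs, and reports which identifiers from a constructed local user base appear in the list. The sample list and the local user set are constructed for the example; the separator set is an assumption.

```python
import re
from typing import Dict, Iterable, Iterator, Set, Tuple

# Constructed sample combo-list text (not a real leak). It mixes the line
# formats commonly seen: email:password, user;password, tab-separated,
# plus a duplicate, a junk line and an entry with an empty secret.
SAMPLE_COMBO = """\
alice@example.com:Summer2017!
BOB@example.com;hunter2
carol@example.org\tp@ss:word:with:colons
alice@example.com:Summer2017!
not a credential line
dave@example.com:
"""

# Constructed local user base of the site doing the check.
LOCAL_USERS: Set[str] = {"alice@example.com", "carol@example.org", "erin@example.com"}

# Assumed separators: colon, semicolon, tab. Split on the FIRST one only,
# because the secret itself may contain any of them.
SEP = re.compile(r"[:;\t]")


def parse_combo(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (identifier, secret) pairs from combo-list text.

    The identifier is lower-cased so case variants of the same e-mail
    collapse together; the secret is kept verbatim since passwords are
    case-sensitive.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = SEP.split(line, maxsplit=1)
        if len(parts) != 2 or not parts[1]:
            continue  # junk line or empty secret
        yield parts[0].lower(), parts[1]


def dedupe(pairs: Iterable[Tuple[str, str]]) -> Iterator[Tuple[str, str]]:
    """Drop exact duplicate pairs (combo lists merge many sources)."""
    seen: Set[Tuple[str, str]] = set()
    for pair in pairs:
        if pair not in seen:
            seen.add(pair)
            yield pair


def affected_local_accounts(text: str, local_users: Set[str]) -> Dict[str, int]:
    """Map each local identifier present in the list to the number of
    distinct secrets exposed for it. Only the count is returned; the
    plaintext secrets are never stored by the caller."""
    hits: Dict[str, Set[str]] = {}
    for ident, secret in dedupe(parse_combo(text)):
        if ident in local_users:
            hits.setdefault(ident, set()).add(secret)
    return {ident: len(secrets) for ident, secrets in hits.items()}


if __name__ == "__main__":
    for ident, n in sorted(affected_local_accounts(SAMPLE_COMBO, LOCAL_USERS).items()):
        print(f"{ident}: {n} exposed secret(s) -> force reset")
```

Accounts returned by `affected_local_accounts` are the ones to force a password reset on and to watch for logins from; the count of distinct secrets per identifier tells you whether the user reuses one password everywhere or has already rotated it at least once.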



But what about the private/anti-public ones? For those there is a very common workflow that cyber-criminals use. They collect actual credentials from insecure websites that suffer from simple vulnerabilities, typically SQL injection. One of the most popular underground tools for this is “SQLi Dumper”.



Following the tool’s tabs from left to right, here is what cyber-criminals do with it.

  1. Import a series of Google dorks that are searching for websites with parameters that potentially have SQL injection vulnerabilities.
  2. Collect the exploitable websites discovered.
  3. Select the interesting columns (typically username, password, and email).
  4. Dump the results of all of them to a list.



The above is just one method of creating a private/anti-public list, but it is worth mentioning as it is the most common method used nowadays. Furthermore, it is also worth noting that cyber-criminals exploit this demand by identifying collections of Google dorks for such list generation and selling them to other cyber-criminals.
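The whole pipeline above rests on one thing: a request parameter that ends up inside the SQL text. The following is an added example, not code from the original post or from the tool it describes. It builds a constructed in-memory SQLite database standing in for a small insecure site (a public products table next to a users table with plaintext credentials), shows the kind of handler a dork such as inurl:product.php?id= turns up, the UNION payload a dumper sends once it has matched the column count, and the same query with a bound parameter, against which the identical payload returns nothing. Table and column names are assumptions for the example.

```python
import sqlite3
from typing import List, Set, Tuple


def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for an insecure site: a public products table
    next to a users table holding plaintext credentials (both assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT);
        INSERT INTO products VALUES (1, 'Widget'), (2, 'Gadget');
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT, email TEXT);
        INSERT INTO users VALUES
            (1, 'alice', 'Summer2017!', 'alice@example.com'),
            (2, 'bob',   'hunter2',     'bob@example.com');
    """)
    return conn


def product_vulnerable(conn: sqlite3.Connection, product_id: str) -> List[Tuple]:
    """The handler a dork finds: the ?id= value is concatenated into the SQL,
    so whatever the client sends becomes part of the statement."""
    sql = "SELECT id, name FROM products WHERE id = " + product_id
    return conn.execute(sql).fetchall()


def product_parameterized(conn: sqlite3.Connection, product_id: str) -> List[Tuple]:
    """Same query with a bound parameter: the value is data, never SQL."""
    sql = "SELECT id, name FROM products WHERE id = ?"
    return conn.execute(sql, (product_id,)).fetchall()


# The UNION payload a dumper sends once the injectable parameter is found
# and the column count (2 here) has been matched: it pulls the interesting
# columns (username, password) out through the product listing.
UNION_PAYLOAD = "1 UNION SELECT username, password FROM users"


def dumped_credentials(conn: sqlite3.Connection) -> Set[Tuple]:
    """Rows the vulnerable handler leaks beyond the legitimate product row."""
    rows = product_vulnerable(conn, UNION_PAYLOAD)
    return {row for row in rows if row != (1, "Widget")}


if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable handler   :", product_vulnerable(db, UNION_PAYLOAD))
    print("parameterized handler:", product_parameterized(db, UNION_PAYLOAD))
    print("legitimate lookup    :", product_parameterized(db, "2"))
```

In the parameterized version the payload is compared as a value against the integer column and matches no row, while a normal lookup such as `"2"` still works. Note that the leak here is only this bad because the users table stores passwords in plaintext; a dumper against a properly hashed table gets hashes that still need cracking before they are usable for stuffing.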



Some stop at this stage and simply sell the generated lists of credentials to other cyber-criminals. However, this is less common than completing the entire lifecycle of an ATO attack.



2. Try to reuse those against the target website(s)
3. Verify/check if those accounts include payment methods (e-wallets, credit cards, etc.)

The reason why both steps are merged here is that the vast majority of the tools cyber-criminals use for this perform both actions. Typically, cyber-criminals collect on their own, or buy from black markets, a large number of HTTP and/or SOCKS proxy servers, which those tools require. Then they just import the lists of credentials and proxies and initiate the attack. The tools select a different proxy server at random for each attempt, which bypasses the per-IP throttling controls of most websites.



Almost all of those tools are developed for specific target websites (the one pictured above was developed for Netflix). Usually, most of them will also verify parameters of the account (such as the existence of a credit card, balance, e-wallet, etc.). This is the reason why you will often see them referred to as “checker”, “Brute & Checker”, or “B/C” software.



One of the most interesting such software is the UBC (Universal Brute Checker). This is a modular Russian ATO software which can be tuned to support any website with easily pluggable modules for additional functionalities.
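Because the checker rotates through a proxy pool, a throttle keyed on source IP sees only one or two attempts per address and never fires; what stays constant across the pool is the tool itself, in this case its User-Agent string. The following is an added example, not code from the original post or from any of the tools it names. It parses a constructed set of login access-log lines (format and thresholds are assumptions), shows that the busiest single IP stays below a per-IP threshold, then aggregates by User-Agent and flags clusters with many attempts spread over many IPs, almost every attempt a different username, and mostly failures. Successful logins inside a flagged cluster are the accounts likely already taken over.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed access-log sample for a login endpoint (not real traffic).
# Assumed format: ts ip "METHOD path" status user "user-agent"
LOG_LINES = """\
2017-11-14T21:50:01Z 203.0.113.10 "POST /login" 401 alice "Mozilla/5.0 (Windows NT 6.1) Chrome/61.0"
2017-11-14T21:50:01Z 198.51.100.7 "POST /login" 401 bob "Mozilla/5.0 (Windows NT 6.1) Chrome/61.0"
2017-11-14T21:50:02Z 192.0.2.33 "POST /login" 401 carol "Mozilla/5.0 (Windows NT 6.1) Chrome/61.0"
2017-11-14T21:50:02Z 203.0.113.77 "POST /login" 200 dave "Mozilla/5.0 (Windows NT 6.1) Chrome/61.0"
2017-11-14T21:50:03Z 198.51.100.120 "POST /login" 401 erin "Mozilla/5.0 (Windows NT 6.1) Chrome/61.0"
2017-11-14T21:50:03Z 192.0.2.201 "POST /login" 401 frank "Mozilla/5.0 (Windows NT 6.1) Chrome/61.0"
2017-11-14T21:50:04Z 203.0.113.10 "POST /login" 401 grace "Mozilla/5.0 (Windows NT 6.1) Chrome/61.0"
2017-11-14T21:50:05Z 198.51.100.7 "POST /login" 401 heidi "Mozilla/5.0 (Windows NT 6.1) Chrome/61.0"
2017-11-14T21:50:06Z 203.0.113.9 "POST /login" 401 ivan "Mozilla/5.0 (Macintosh) Safari/604.1"
2017-11-14T21:50:09Z 203.0.113.9 "POST /login" 200 ivan "Mozilla/5.0 (Macintosh) Safari/604.1"
2017-11-14T21:50:20Z 198.51.100.44 "POST /login" 200 judy "Mozilla/5.0 (X11; Linux) Firefox/56.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+)" (\d{3}) (\S+) "([^"]*)"$')


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, _method, path, status, user, ua = m.groups()
    return {"ts": ts, "ip": ip, "path": path, "status": int(status), "user": user, "ua": ua}


def parse_log(text: str) -> List[dict]:
    return [e for e in map(parse_line, text.splitlines()) if e and e["path"] == "/login"]


def max_attempts_per_ip(events: List[dict]) -> int:
    """What a per-IP throttle sees: attempts from the busiest single address."""
    counts: Dict[str, int] = defaultdict(int)
    for e in events:
        counts[e["ip"]] += 1
    return max(counts.values(), default=0)


def cluster_stats(events: List[dict]) -> Dict[str, dict]:
    """Aggregate by User-Agent instead of IP: the proxy changes per attempt,
    the tool's UA string does not."""
    clusters: Dict[str, dict] = defaultdict(
        lambda: {"attempts": 0, "ips": set(), "users": set(), "failures": 0, "hits": set()})
    for e in events:
        c = clusters[e["ua"]]
        c["attempts"] += 1
        c["ips"].add(e["ip"])
        c["users"].add(e["user"])
        if e["status"] == 200:
            c["hits"].add(e["user"])   # a successful guess: the "checked" account
        else:
            c["failures"] += 1
    return clusters


def find_stuffing_clusters(events: List[dict], min_attempts: int = 5, min_ips: int = 3,
                           min_user_ratio: float = 0.8, min_fail_ratio: float = 0.6) -> Dict[str, dict]:
    """Assumed thresholds, to be tuned per site: many attempts, spread over
    many IPs, nearly every attempt a different username, mostly failing."""
    flagged = {}
    for ua, c in cluster_stats(events).items():
        if (c["attempts"] >= min_attempts
                and len(c["ips"]) >= min_ips
                and len(c["users"]) / c["attempts"] >= min_user_ratio
                and c["failures"] / c["attempts"] >= min_fail_ratio):
            flagged[ua] = c
    return flagged


def likely_taken_over(events: List[dict]) -> Set[str]:
    """Accounts that logged in successfully from inside a flagged cluster:
    candidates for session revocation and a forced password reset."""
    hits: Set[str] = set()
    for c in find_stuffing_clusters(events).values():
        hits |= c["hits"]
    return hits


if __name__ == "__main__":
    ev = parse_log(LOG_LINES)
    print("busiest single IP:", max_attempts_per_ip(ev), "attempts (per-IP throttle never fires)")
    for ua, c in find_stuffing_clusters(ev).items():
        print(f"stuffing cluster {ua!r}: {c['attempts']} attempts, {len(c['ips'])} IPs, "
              f"{len(c['users'])} usernames, hits={sorted(c['hits'])}")
```

The User-Agent is the weakest possible fingerprint, since a tool can randomize it per request; in production the same aggregation is run over a stronger key (TLS fingerprint, header order, or a client-side token), but the shape of the detection is the same: look for the thing the proxy pool does not change, and treat the rare successes inside that cluster as the accounts to lock.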



4. Sell the discovered accounts to black markets
The last stage is of course the selling of the “verified” accounts that have been taken over using the credential stuffing methodology. There are multiple black markets for accounts of any imaginable website. However, depending on the data that those accounts grant you access to, their prices range from less than $1 to over $200 per account.



Buyers of those stolen accounts use them for a large variety of cyber-crime activities. For example, some common such activities are the following.

  • Stealing money (if the accounts are connected to some type of payment)
  • Spear-phishing (using details derived from the accounts)
  • Identity theft (using details derived from the accounts)
  • Fraudulent transactions (since valid accounts are less restrictive than newly created ones)

Hopefully this introduction gave you some visibility into the enemy’s intentions and capabilities. Going back to Sun Tzu’s quote from the beginning, using this knowledge you can adjust your security controls and initiatives accordingly. But remember, this is just a gentle introduction to ATO via credential stuffing and cyber-crime. There is an entire cyber-crime ecosystem around this type of criminal activity.

Written by xorl

November 14, 2017 at 21:52
