Credential-stuffing tools such as OpenBullet are so widely used in the underground. How can one combat, identify, and prevent an attack?
Credential-stuffing attacks are a type of account takeover in which threat actors load lists of known email-password combinations into tools such as OpenBullet to automate login attempts of popular web accounts and services. Because people tend to recycle passwords, an acquired email-password combination might be a key that threat actors can use to unlock and gain access to several accounts.
In our recent blog on OpenBullet, we demonstrated how threat actors can easily install OpenBullet2 from Github and deploy it almost effortlessly. The cyber underground provides many free examples of the main components to initiate an attack: a config file (enabling targeting of a specific account type), combo lists (long databases of known usernames and passwords), and proxies (IP addresses used to scramble the source of the attack), making it incredibly easy for even inexperienced threat actors to download the tool and run with it.
Fortunately, there are several straightforward measures that defenders can adopt to mitigate the risk of credential stuffing. Let’s discuss a few of them.
Generally, credential stuffing tools use a proxy IP (an intermediate address) from which to launch attacks in order to obfuscate their origins. Blocking login attempts from known proxy IPs, therefore, is a straightforward way to limit an adversary’s attack vectors. Darkfeed, Cybersixgill’s feed of indicators of compromise, includes lists of proxy IPs that are shared on underground forums. Darkfeed customers, therefore, can block or detect any inbound traffic from these suspicious addresses, and by doing so, keep their user accounts more secure. (See figure 1).
Figure 1. Free proxies shared in an underground hacking forum.
Disallow Email Addresses as User IDs
Credential stuffing relies on reusing the same usernames or account IDs across services. An attack is more likely to succeed if websites use email addresses as the username for login credentials. As stated above, there are tons of leaked credentials making their way to the cyber underground every day. Many threat actors are looking for the path of least resistance, hence, taking advantage of these dumps of emails and plugging them into credential stuffing tools and launching them across multiple websites makes it relatively easy for them to carry out an attack.
Preventing users from using their email address as an account ID can dramatically reduce the chance of them reusing the same username and password pair on another site – and reduces an attacker’s chance of succeeding.
MFA and captchas
As a threat hunter and underground tour guide, I’m met with countless barriers preventing me from quick and easy access to an underground site. Hacking forum admins often implement captchas to combat attacks from competitive sites and prevent threat intelligence companies from spying on their users.
Captchas, 2FA, and MFA intentionally slow down the login experience and can prevent a successful attack. Additionally, implementing multiple login pages, one for username and one for password, will create more hoops for threat actors to jump through if they are going to launch an attack. More work causes threat actors to move on to an easier target.
While requirements for password complexity and resets can frustrate users, long, complex passwords and password expiration are the first line of defense for the average consumer. Organizations must enforce them, and everyone should practice them.
I personally use a password manager, which allows me to generate complex and unique passwords while not needing to remember them.
Of course, considering that they hold the vault with all the keys, threat actors target password managers. It is critical to keep them secure..
Cybersixgill is dedicated to providing the most up-to-date and real-time intelligence to preempt attacks like credential stuffing. While consuming our intelligence will aid in identifying new threats and methods, you can also implement the actions outlined above right away to make an impact. For existing Cybersixgill subscribers, be on the lookout for new actionable alerts detecting credential-stuffing attacks on your organization.