Automation is both the saviour and the bane of CISOs. The saviour because it will help them defend against ever-sophisticated attackers, and the bane because attackers are using automation to craft those sophisticated attacks.
Take Sentry MBA, a Windows-based automated credential stuffing tool that’s several years old but popular enough among attackers to have spawned YouTube ‘how to’ videos.
In a blog published today Shape Security, a California-based Web security firm, warned that the tool is an example of how cybercrime is increasingly compartmentalized and commoditized.
Instead of trying to brute force their way into a Web site with multiple guesses, Sentry MBA gives attackers an automated way to run volumes of stolen usernames and passwords against a site until at least one succeeds.
Shuman Ghosemajumder, vice-president of product management at Shape Security, said in an interview that essentially attackers are betting on the probability that at least some people reuse their passwords.
And it works. For example, he said, in 2011 attackers — with the help of a botnet — flung a database of 15 million credentials at Sony’s PlayStation Web site. Of those, 93,000 worked because their owners had used the same credentials elsewhere.
According to the Open Web Application Security Project (OWASP), usually between 0.1-0.2 per cent of the total login attempts with credential stuffing work — and, of course, all you need is one.
What makes Sentry MBA such a headache is its simple user interface, online help forums and underground support, says Ghosemajumder. People are also making money selling configuration files allowing attackers to customize their Sentry MBA work against targets.
While many Web sites use captcha technologies — requiring people trying to log onto a site to type in a series of letters and numbers — Sentry MBA’s architecture allows users to plug in captcha-defeating services such as DeathByCaptcha.
As a result, Ghosemajumder said, “you don’t have to be a programmer to attack a major Web site any more. This is really the new trend of commoditization and federation of these attack tools.”
Sentry MBA is just the most popular of several credential stuffing tools available on the Dark Web. Shape Security has documented a number of recent attacks on its customers that have used them, including a December, 2015 attack on the Web site of a Fortune 100 company that mounted over 5 million login attempts using multiple attack groups and hundreds of thousands of proxies located around the world.
Last January Sentry MBA was behind attacks on a large retailer that made over 20,000 total login attempts. The same month a large retailer was hit by over 10,000 login attempts that used over 1,000 proxies. Attackers have also been trying to leverage corporate mobile APIs, in one case making over 10,000 login attempts a day.
There are solutions that watch for these automated attacks (Shape Security sells one). But one easy defence in the hands of CISOs is multi-factor authentication. Automated credential-stuffing tools are “another reminder to kill passwords once and for all,” either with two-factor authentication or biometrics, commented Forrester Research identity and access management analyst Merritt Maxim.
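As an added illustration of what the “solutions that watch for these automated attacks” look for, here is a small Python detector run over a constructed login log. It is not from the article, from Shape Security or from any product; the log format, field names, IP addresses and thresholds are all assumptions. It applies two heuristics the article’s own numbers suggest: a single source that cycles through many different accounts with almost no successes (the single-tool case), and a site-wide spike in failed logins spread across many source addresses (the proxy-distributed case, where each proxy makes too few attempts to stand out on its own).

```python
"""Toy credential-stuffing detector over a constructed login log.

Assumptions (not from the article): each log line looks like
    2016-02-24T10:00:01Z 203.0.113.5 alice FAIL
i.e. timestamp, source IP, username, result (OK or FAIL), and the
thresholds below are illustrative, not tuned values.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    username: str
    success: bool


def parse_line(line: str) -> LoginEvent:
    """Parse one constructed log line into a LoginEvent."""
    ts, ip, user, result = line.split()
    return LoginEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK")


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


# Constructed sample: one source tries seven different accounts in a row
# (stuffing-like), a normal user mistypes twice then logs in, and five
# minutes later twelve different sources each try one account and fail.
SAMPLE_LOG = "\n".join(
    [f"2016-02-24T10:00:{i:02d}Z 203.0.113.5 {u} FAIL"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank", "heidi"])]
    + ["2016-02-24T10:00:20Z 198.51.100.7 grace FAIL",
       "2016-02-24T10:00:25Z 198.51.100.7 grace FAIL",
       "2016-02-24T10:00:30Z 198.51.100.7 grace OK"]
    + [f"2016-02-24T10:05:{i:02d}Z 192.0.2.{i + 1} user{i} FAIL" for i in range(12)]
)


def flag_sources(events, min_distinct_users=5, max_success_ratio=0.05):
    """Per-source heuristic: one client trying many different accounts and
    almost never succeeding. A real user who forgets a password fails on
    one or two accounts, not on dozens. Returns {ip: stats}."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        users = {e.username for e in evs}
        ratio = sum(e.success for e in evs) / len(evs)
        if len(users) >= min_distinct_users and ratio <= max_success_ratio:
            flagged[ip] = {"attempts": len(evs), "distinct_users": len(users), "success_ratio": ratio}
    return flagged


def flag_distributed(events, baseline_failures_per_minute=2, spike_factor=5):
    """Site-wide heuristic: failed logins per minute far above a (assumed)
    baseline and spread over many source IPs, which is how proxy-distributed
    stuffing looks when no single proxy makes enough attempts to be flagged
    by flag_sources. Returns {minute_iso: stats}."""
    per_minute = defaultdict(list)
    for e in events:
        if not e.success:
            per_minute[e.ts.replace(second=0)].append(e.src_ip)
    flagged = {}
    for minute, ips in sorted(per_minute.items()):
        if len(ips) >= baseline_failures_per_minute * spike_factor:
            flagged[minute.isoformat()] = {"failures": len(ips), "distinct_ips": len(set(ips))}
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("suspicious sources:", flag_sources(events))
    print("suspicious minutes:", flag_distributed(events))
```

On the constructed log the per-source rule flags only 203.0.113.5 (seven distinct accounts, zero successes) and leaves the legitimate user alone, while the site-wide rule flags only the 10:05 minute (twelve failures from twelve addresses) and does not fire on the 10:00 minute, whose nine failures come mostly from one source. In practice both signals feed the same decision: a flagged source or spike is a reason to demand a second factor or a challenge on those logins, which is the multi-factor point the article makes.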
For more on automated attacks see the OWASP Automated Threat Handbook.