Sentry MBA makes credential stuffing attacks easy and cheap

An automated attack tool called Sentry MBA makes credential stuffing attacks simple

A new report released by Shape Security yesterday details how the Sentry MBA tool makes credential stuffing attacks more widely available to cybercriminals.

The traditional "brute force" method of breaking into a user account requires the attacker to try numerous combinations of login ID and password. It's a difficult, time-consuming process. Plus, defending organizations have learned to stop these kinds of attacks by blocking multiple attempts to log into the same account, or multiple login attempts from the same IP address.

A credential stuffing attack increases the attacker's success rate and reduces the time it takes to break into accounts by using stolen lists of working login IDs and passwords from other sites, since many people use the same email addresses and passwords as their credentials in multiple locations.

Since the attack goes after a different user name with each new attempt, no one account sees a suspicious number of failed logins.

"You have all of these technologies that companies have deployed to try to protect against different forms of attack," said Shuman Ghosemajumder, vice president of product management at Shape Security. "The idea behind all of them is to try to identify patterns in IP address, and the problem is that attackers are now using botnets to bypass those defenses."

According to Shape Security, an average of 1 to 2 percent of stolen credentials from one site will work on a second site, meaning that a list of a million credentials will result in 10,000 hijacked accounts.

To bypass systems that look for multiple attacks from a single IP address, attackers use botnets to make it seem like the login attempts are all coming from different, normally law-abiding computers.

"If they were coming from the same computer, it would be very obvious to defend against," said Sumit Agarwal, Shape Security's co-founder and vice president of strategy. "If they all came from a country where I don't even do business, that would be easy to defend. But the attack traffic comes during regular business hours, domestic to the country where you do business, from unwittingly compromised machines belonging to real users."

Finally, to get around CAPTCHA challenges, attackers use optical character recognition.

According to Ghosemajumder, every single CAPTCHA-type system has been shown to be vulnerable to optical character recognition attacks for the past several years.

"Anyone who's using a CAPTCHA to try to keep automation at bay is not even introducing a significant road block," he said.

Putting all these pieces together into a targeted attack against a particular organization is not a simple task for a would-be attacker. Building a botnet, stealing credentials from another site, bypassing CAPTCHAs and other security mechanisms are all difficult tasks. Or they used to be.

With Sentry MBA, criminals buy an off-the-shelf, ready-to-go solution and pair it with a list of stolen credentials. Hundreds of millions of stolen credentials are already available for sale on underground forums, a result of the recent wave of breaches.

Sentry MBA comes with a graphical user interface that makes it possible for a criminal with very basic skills to create a very sophisticated attack, said Agarwal.

"These are not brute force attacks," said Agarwal. "These are tailored attacks that simulate human behavior."

In particular, attacks are custom designed for each website individually. Working configurations for various websites are available in the criminal forums, and they specify in detail the location of the login pages and individual form fields, plus the rules for valid password construction and other details that make it possible for Sentry MBA to log into the site.

Finally, attackers can customize their attacks further, for example to recognize keywords that indicate successful or failed login attempts.

One potential sign that a credential attack is ongoing is that login failure rates suddenly go up dramatically.

At that point, if defenders spot the attack early, they can turn on across-the-board second factor authentication, or swap out the login page for one that hasn't been seen before.
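One way to implement the failure-rate check described above, as an added example that is not from the article or from Shape Security: it parses constructed login log lines and flags a window in which failures spike against a baseline while no single account or source IP would have tripped a lockout threshold, which is exactly the one-attempt-per-user, many-IP pattern that per-account and per-IP defences miss.

```python
from collections import Counter

# Constructed sample log lines (not from the article): timestamp user src_ip result
BASELINE = """\
2016-02-24T09:00:01 alice 203.0.113.5 OK
2016-02-24T09:00:07 bob 203.0.113.9 OK
2016-02-24T09:00:15 carol 198.51.100.2 FAIL
2016-02-24T09:00:22 carol 198.51.100.2 OK
2016-02-24T09:00:30 dave 203.0.113.17 OK
"""

# Constructed window of stuffing traffic: every attempt uses a different account
# from a different IP and almost all fail, so no lockout rule ever fires.
SUSPECT = """\
2016-02-24T10:00:01 u100 192.0.2.10 FAIL
2016-02-24T10:00:02 u101 192.0.2.11 FAIL
2016-02-24T10:00:03 u102 192.0.2.12 FAIL
2016-02-24T10:00:04 u103 192.0.2.13 FAIL
2016-02-24T10:00:05 u104 192.0.2.14 OK
2016-02-24T10:00:06 u105 192.0.2.15 FAIL
2016-02-24T10:00:07 u106 192.0.2.16 FAIL
2016-02-24T10:00:08 u107 192.0.2.17 FAIL
2016-02-24T10:00:09 alice 203.0.113.5 OK
2016-02-24T10:00:10 u108 192.0.2.18 FAIL
"""


def parse(text):
    """Turn 'timestamp user ip result' lines into (ts, user, ip, result) tuples."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]


def window_stats(events):
    """Failure rate plus the per-account and per-IP maximums a lockout rule would see."""
    fails = sum(1 for *_, result in events if result == "FAIL")
    per_user = Counter(user for _, user, _, _ in events)
    per_ip = Counter(ip for _, _, ip, _ in events)
    return {
        "attempts": len(events),
        "fail_rate": fails / len(events) if events else 0.0,
        "max_per_user": max(per_user.values(), default=0),
        "max_per_ip": max(per_ip.values(), default=0),
    }


def looks_like_stuffing(window, baseline, spike=3.0, lockout=5):
    """Flag a window whose failure rate is a multiple of the baseline while no
    account or IP reached the lockout threshold (the hypothetical thresholds here
    are assumptions, not values from the article)."""
    rate_spike = window["fail_rate"] >= spike * max(baseline["fail_rate"], 0.05)
    under_lockouts = window["max_per_user"] < lockout and window["max_per_ip"] < lockout
    return rate_spike and under_lockouts
```

Tuning the spike multiplier against a site's own normal failure rate matters; the point of the second condition is that a simple lockout counter, on its own, would report nothing for the suspect window.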

Shape Security, in fact, is in the business of doing the latter -- creating multiple login pages on the fly that look the same to human users and browsers for the disabled, but different to automated tools that read the underlying code to find form elements.
