Credential stuffing is easy with Sentry MBA

We looked into how easy the Sentry MBA tool makes it to launch credential stuffing attacks.

Credential stuffing is the OWASP terminology, but some of you might refer to this as account takeover attacks, brute force login attacks, login stuffing, etc.; it’s all the same thing.  It’s the process of taking username and password combinations and using them against the login page on a particular website in order to crack into a user’s account.  You can read more about it here.   The issue is, these attacks are getting much easier to launch because of automation tools like Sentry MBA.

It used to be that you had to build your own botnet, find or steal login credentials from another site, and then write some sort of automated script to figure out ways to bypass defense mechanisms at your target destination.  As you can imagine, this is no easy undertaking.  Unfortunately, this is now all available at your fingertips and Sentry MBA makes this all very turnkey for even a novice attacker.

What makes Sentry MBA so effective?

Given last year’s record number of security breaches and stolen credentials, the dark web has millions available for purchase.  All you need to do is come prepared with a list of credentials and then download the Sentry MBA tool.  The tool consists of a pretty user interface that any average individual can figure out how to use.

The types of attacks you can launch are very sophisticated and tailored to the particular website you are targeting.  There are criminal forums out there that actually go into detail on the workings and configurations of various websites, detailing things like the locations of login pages and form fields, and even sharing the rules for password construction for that particular page.  You can even go as far as having the tool detect keywords that indicate a failed or successful login attempt, making your attack more efficient.

Here is a screenshot to give you an idea:

[Screenshot: Sentry MBA tool used for credential stuffing attacks]

Homegrown solutions don’t protect you from credential stuffing

You’re probably wondering why your various tactics aren’t sufficient.  A lot of organizations put rules in place that prevent a user from logging in if there are too many attempts against a single username. However, most of the credentials that are purchased on the dark web are known to be working credentials on some other website.  Therefore, all it takes is a single attempt with one username against your login page to see if those credentials are the same for your business.

Another tactic is to block multiple login attempts from the same IP address.  However, hackers are not stupid and realize how easy this is to detect.  That’s why they launch these attacks from hundreds or thousands of IPs, either from compromised computers or from cloud environments where they rent the IP space.  If they make a single login attempt on a single username from a single IP address, and they do this from 1,000 IPs, it will look exactly like a human to you.  And even if you try to block those 1,000 IPs, they will just dynamically rotate across another 1,000 IPs.
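The two paragraphs above describe why per-username lockouts and per-IP blocking both miss a distributed attack: every username and every IP is tried once, so no single counter ever reaches its threshold. The following is an added example (not code from the original post or from any vendor) showing the gap in detection terms. It runs a per-username counter and a per-IP counter over a constructed login log, shows that neither fires, and then computes aggregate signals across the whole login stream (failure ratio and the share of IPs that made exactly one attempt) that still expose the burst. The log format, IP ranges, usernames and thresholds are all made up for the example.

```python
"""Why per-key counters miss distributed credential stuffing, and an
aggregate view that does not.

Per-username lockouts and per-IP blocks each inspect one key at a time;
an attacker spreading one attempt per username across many IPs keeps
every key under threshold. Fleet-wide signals still show the burst.
"""
import re
from collections import Counter

# Constructed log format for this example (not any product's real format).
LOG_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)")


def parse_events(lines):
    """Parse log lines into (ip, user, failed) tuples; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            events.append((m["ip"], m["user"], m["result"] == "fail"))
    return events


def per_key_alerts(events, key_index, threshold):
    """Classic per-username (key_index=1) or per-IP (key_index=0) counter.

    Returns the keys whose failure count reaches the threshold. Against a
    one-attempt-per-username, one-attempt-per-IP attack this returns nothing.
    """
    failures = Counter(e[key_index] for e in events if e[2])
    return sorted(k for k, n in failures.items() if n >= threshold)


def aggregate_signals(events):
    """Fleet-wide view of the login stream instead of one key at a time."""
    total = len(events)
    failed = sum(1 for e in events if e[2])
    attempts_per_ip = Counter(e[0] for e in events)
    single_shot = sum(1 for n in attempts_per_ip.values() if n == 1)
    return {
        "attempts": total,
        "failure_ratio": failed / total if total else 0.0,
        "distinct_ips": len(attempts_per_ip),
        "single_shot_ip_ratio": single_shot / len(attempts_per_ip) if attempts_per_ip else 0.0,
    }


def is_distributed_stuffing(signals, min_attempts=50, max_failure_ratio=0.3, max_single_shot=0.5):
    """Alert when the stream is sizeable, mostly failing, and dominated by IPs that try once.

    The thresholds are illustrative; tune them against your own baseline.
    """
    return (
        signals["attempts"] >= min_attempts
        and signals["failure_ratio"] > max_failure_ratio
        and signals["single_shot_ip_ratio"] > max_single_shot
    )


def constructed_log():
    """Constructed sample traffic: human baseline plus a distributed stuffing burst."""
    lines = []
    # Baseline: 10 users from 10 home IPs, each logs in twice; two mistype once.
    for i in range(10):
        ip, user = f"203.0.113.{i}", f"alice{i}"
        lines.append(f"ip={ip} user={user} result=ok")
        lines.append(f"ip={ip} user={user} result={'fail' if i < 2 else 'ok'}")
    # Attack: 60 rented IPs, one attempt each against a different leaked username;
    # three of the leaked credentials happen to be reused on this site.
    for j in range(60):
        ip, user = f"198.51.100.{j}", f"victim{j}"
        lines.append(f"ip={ip} user={user} result={'ok' if j % 20 == 0 else 'fail'}")
    return lines


if __name__ == "__main__":
    evts = parse_events(constructed_log())
    print("per-username alerts:", per_key_alerts(evts, 1, threshold=5))  # []
    print("per-IP alerts:      ", per_key_alerts(evts, 0, threshold=5))  # []
    sig = aggregate_signals(evts)
    print("aggregate signals:  ", sig)
    print("distributed stuffing detected:", is_distributed_stuffing(sig))  # True
```

The aggregate check is only a starting point: in practice it would be computed over a sliding time window and compared against a learned baseline, and a single alert on the fleet-wide ratio tells you an attack is under way without telling you which requests to block, which is exactly the problem the rest of this post is about.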

Another common defense is using Captchas.  The problem is that Captchas are also easily defeated, either by optical character recognition, or even captcha farms that contain millions of solved captcha combinations.  They are also extremely annoying to humans and cause a lot of friction.

In summary, you really need to evaluate your defense strategy to make sure you’re fully protected.  Bots are becoming a bigger and more complicated problem every day.
