SentryMBA: A PEEK INTO THE UNDERGROUND ECONOMY
Mayank Dhiman, Principal Security Researcher
Will Glazier, Threat Intelligence Analyst

TABLE OF CONTENTS
Executive Summary 1
Sentry MBA Ecosystem: Glossary 2, How it works 3
Experiment: Dataset 4
Results: Target industries 5, Geolocation 6, Target sites 7, Target Alexa Rankings 8, Economics 9, Who are the attackers? 10
Conclusion 11

[ executive summary ]
EXECUTIVE SUMMARY
Credential Exploitation attacks are a class of ATO (account-takeover) attacks where attackers test credentials from leaked credential dumps, at scale, against different targets (usually in parallel). These attacks do not exploit an application's vulnerabilities; they exploit an application's authentication functionality. Obvious questions which arise are: who is being targeted? How big is the problem? How do attackers monetize? This report answers these questions by shedding light on the credential exploitation problem through delving into its underground ecosystem. We analyzed one and a half years' worth of data and communications involving 5 underground cracking forums which specialize in SentryMBA, the cybercriminal's attack tool of choice for credential exploitation. This comprehensive data gives us unique insight into the mind of the criminal, and the expertise required to understand and combat the credential exploitation problem.

KEY FINDINGS
• A minimum of 11,729 credential exploitation attacks were launched over the last 1.5 years against 1,853 targets (each config download is counted as at least one attack).
• 98 of the Alexa Top 1000 websites were targeted. The majority of attacks were launched against websites in the Alexa 1k-10k range.
• The top three target industries were Gaming (15%), Entertainment (9%), and eCommerce (8%).
• 78% of targeted websites were based in the US, followed by France, UK, India, Germany and Japan.
• 17,079 attackers are involved in this criminal ecosystem, with an average of 30 joining every day.
• 30% of all config files were posted by the top 10 attackers.
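A defender's view of the attack class described above, added here as an illustration (this is not code from the report, and it does not reproduce SentryMBA itself): a small Python analyser over constructed web-server login log lines. It applies the classic per-source rule (one address cycling through many usernames with almost every attempt failing), lists the accounts that succeeded from such a source, and adds an endpoint-wide rule for the case the report describes in "How it works", where the traffic is spread over proxies so that no single address is noisy. The log format, the addresses (RFC 5737 documentation ranges), the usernames and the thresholds are all assumptions made for this example.

```python
"""Credential-stuffing detection over constructed /login access-log lines.

Added example, not code from the report or from SentryMBA. Two views:
  * per-source rule: one address cycling through many usernames, nearly all failing;
  * endpoint-wide rule: a proxy-distributed campaign, where every address sends
    only a couple of attempts, shows up as a jump in the failure ratio among
    low-volume addresses rather than in any single address.
The log format, addresses (RFC 5737 documentation ranges), usernames and
thresholds are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int      # unix seconds
    ip: str
    user: str
    ok: bool     # True for HTTP 200, False for 401


def parse_line(line: str) -> LoginEvent:
    """Parse one constructed line: '<ts> <ip> POST /login user=<u> status=<code>'."""
    ts, ip, _method, _path, user_kv, status_kv = line.split()
    return LoginEvent(int(ts), ip, user_kv.split("=", 1)[1], status_kv == "status=200")


def build_sample_log() -> list[str]:
    """Constructed sample: one minute of /login traffic (not real data)."""
    base = 1_700_000_000
    lines = []
    # 30 legitimate users, one address each; 3 of them mistype a password.
    for i in range(30):
        status = 401 if i % 10 == 9 else 200
        lines.append(f"{base + i} 192.0.2.{i + 1} POST /login user=alice{i} status={status}")
    # One noisy attacker address testing 40 combos; 2 of them work.
    for i in range(40):
        status = 200 if i in (13, 29) else 401
        lines.append(f"{base + i} 203.0.113.7 POST /login user=victim{i} status={status}")
    # Proxy-distributed campaign: 60 proxies, 2 combos each, 3 hits in total.
    for i in range(120):
        status = 200 if i % 40 == 0 else 401
        lines.append(f"{base + i % 60} 198.51.100.{i // 2 + 1} POST /login user=victim{100 + i} status={status}")
    return lines


def per_ip_stats(events):
    """Distinct usernames, attempts and failures per source address."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0})
    for e in events:
        s = stats[e.ip]
        s["users"].add(e.user)
        s["attempts"] += 1
        s["fails"] += 0 if e.ok else 1
    return stats


def flag_noisy_ips(events, min_users=10, min_fail_ratio=0.8):
    """Per-source rule: many distinct usernames from one address, mostly failing."""
    return sorted(
        ip for ip, s in per_ip_stats(events).items()
        if len(s["users"]) >= min_users and s["fails"] / s["attempts"] >= min_fail_ratio
    )


def compromised_from(events, flagged_ips):
    """Accounts that logged in successfully from a flagged source: the attacker's 'hits'."""
    flagged = set(flagged_ips)
    return sorted({e.user for e in events if e.ok and e.ip in flagged})


def low_volume_signal(events, max_attempts=2, min_ips=20, min_fail_ratio=0.5):
    """Endpoint-wide rule for proxy-distributed campaigns.

    Addresses with at most `max_attempts` attempts are normally real users and
    fail rarely; when a combo list is sprayed through many proxies, this
    population's failure ratio jumps even though no single address is noisy.
    """
    stats = per_ip_stats(events)
    low = {ip: s for ip, s in stats.items() if s["attempts"] <= max_attempts}
    attempts = sum(s["attempts"] for s in low.values())
    fails = sum(s["fails"] for s in low.values())
    ratio = fails / attempts if attempts else 0.0
    return {
        "low_volume_ips": len(low),
        "attempts": attempts,
        "fail_ratio": round(ratio, 3),
        "flagged": len(low) >= min_ips and ratio >= min_fail_ratio,
    }


def analyse(lines):
    """Run both rules over raw log lines and return the findings."""
    events = [parse_line(line) for line in lines]
    noisy = flag_noisy_ips(events)
    return {
        "noisy_ips": noisy,
        "compromised_via_noisy": compromised_from(events, noisy),
        "distributed": low_volume_signal(events),
    }


if __name__ == "__main__":
    print(analyse(build_sample_log()))
```

On the constructed sample the per-source rule catches only 203.0.113.7 and misses all 60 proxy addresses, while the low-volume failure ratio rises from the legitimate 10% to 80%; that gap is the point of keeping an endpoint-wide rule alongside per-address rate limits. The thresholds are starting points only: on a real endpoint, measure the low-volume failure ratio over quiet periods as a baseline, and pair any hit with a forced credential reset and an MFA challenge for the accounts that succeeded from flagged sources.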
[ Sentry MBA Ecosystem ]
[ glossary ]
GLOSSARY
SentryMBA; or Sentry; or MBA: These are variants of the name for the same tool.
Combos; or Combolist; or Wordlist: Each config needs a list of credential combinations (usually username:password or email:password) required to launch credential exploitation attacks.
Config: A "configuration" file is written against each target, with instructions for SentryMBA on how to log in and how to differentiate between failed and successful logins for that particular target. Writing config files is one of the chief ways to monetize in this criminal ecosystem.
Capture: A SentryMBA config may contain an optional capture setting, which has instructions for "capturing" certain account information, like account balance, upon a successful login. This enables attackers to understand the value of a compromised account without logging back in again.
Proxyless; or Pless: A config file is proxyless if no proxies are included with it.
Leecher: Leeching a config means copying a config from one site and posting it on another. A Leecher is the person involved in this activity.

[ Sentry MBA Ecosystem ]
[ how it works ]
HOW IT WORKS
1. Attacker procures a config file and stolen credentials (a combo list) from the underground markets, and loads them into SentryMBA.
2. Attacker configures SentryMBA and launches the attack campaign against the target's login page.
3. Attack traffic is distributed through proxies, cloud providers, and/or rented botnets to evade detection.
4. Distributed attack traffic tests all the stolen credentials, returning those that work. The value in these accounts can then be extracted manually or "captured" in order to be resold.
SentryMBA is extremely easy to learn and use, drastically lowering the barriers to entry for attackers like script kiddies.

[ Experiment ]
[ dataset ]
DATASET
sentry.mba: This site is dedicated exclusively to trading config files for Sentry MBA.
The site is quite active and has been around since mid-2015.

We analyzed popular underground cracking forums which focus on credential exploitation attacks and specialize in trading config files for SentryMBA:
• 3,579 config files from 5 forums (1,853 from sentry.mba)
• Config files posted over a 1 1/2 year period (until May 2017)
• 17,079 attacker profiles analyzed
• 326 API configs posted across the 5 forums, representing nearly 10% of configs

Our dataset consists of a cross-section of the most popular SentryMBA-specific cracking forums, allowing us visibility into a significant portion of the attacker ecosystem.

crackingking.com (903 configs): This is a very popular cracking forum with substantial activity around SentryMBA configs. Most configs on this forum are available for free upon registration.

crackingforum.com (316 configs), crackingleaks.com (376 configs), cracking.zone (131 configs): These 3 forums have active SentryMBA communities, among other cracking activities such as selling compromised accounts or other custom tools. These forums were primarily used for data validation purposes.

[ Results ]
[ target industries ]
TARGET INDUSTRIES
All major industries are actively under attack. Some face a disproportionate volume of attacks, such as Gaming, Entertainment and E-Commerce. Finance and Retail configs are the most expensive, and rare. This is symptomatic of SentryMBA being a script kiddie tool.

[Figure: number of configs and average config cost per industry, for Gaming, Entertainment, Adult, Social Networks, Hosting, VPN, Retail, Cracking, Food, Education, Sports, E-Commerce, Software, Advertising, Finance, Bitcoin and Healthcare. Per-industry config counts range from 8 to 271 and average costs from $0.89 to $5.77.]
The above industries are often targeted by Sentry MBA attackers. Included is the number and average cost of configs posted per industry.

[ Results ]
[ target geolocation ]
GEOLOCATION OF TARGETS
Targets are distributed across 42 different countries, with US organizations hit the hardest (78%).
#1 USA 1,007
#2 France 82
#3 UK 66
#4 India 60
#5 Germany 40
#6 Japan 36
#7 China 20
#8 Iran 13
#9 Sweden 10
#9 Estonia 10

[ Results ]
[ target sites ]
POPULAR TARGET SITES
[Figure: the most popular target sites, shown as logos, with config download counts: 884 downloads (reposted 25 times), 335, 314 (reposted 22 times), 290, 289 (reposted 19 times), 227 (reposted 41 times), 214, 137 for a "Universal Email Access Checker" config (reposted 14 times), 134, 125, 115 and 80 downloads.]
Popular Streaming, Gaming and Social Networking websites are also attackers' favorite targets. This may indicate most attackers are script kiddies.

[ Results ]
[ alexa rankings ]
TARGET ALEXA RANKINGS
AT A GLANCE...
• 20% of the Alexa Top 100 are being actively targeted by configs.
• 10% of the Alexa Top 1000 have a SentryMBA config available in the underground market.
• 1,853: total number of unique target sites on Sentry.MBA
• 11,729: total number of downloads of SentryMBA config files
• 184: the number of API configs available for download
[Figure: attack target distribution by Alexa ranking, plotting the number of unique targeted sites and the total number of config downloads per ranking range.]
Popular websites are also more popular among attackers. However, in terms of sheer numbers, these attacks are mostly targeted against mid-market targets.

[ Results ]
[ economics ]
ECONOMICS
[Figure: the top 5 most expensive config files, shown as site logos, priced $35.00 to $50.00.]
On sentry.mba, config files are traded via the site-specific virtual currency called gold coins.
One gold coin is equivalent to $0.01 and can be traded for bitcoin. On other forums there is often a section for free configs and a more selective premium config section, which can only be joined once the user's reputation is high enough.

There were at least 11,729 unique attacks launched over the past 1 1/2 years. The average cost of a config is $1.73, so it is very easy for script kiddies to get started with these attacks. The total amount which changed hands was $9,127.76. Hence the lucrative activity for attackers is not creating the configs, but taking over accounts.

Multiple factors contribute to the cost of a config, including: the scarcity of the config in underground forums, the value of an individual compromised account, the ease of selling these compromised accounts, the organization's security defenses in place, the time required to write the config file, and so forth.

Config files are inexpensive, indicating that the barriers to entry are very low. In this ecosystem, the money lies not in config files but elsewhere (likely selling compromised accounts).

[ Results ]
[ sentry.mba attackers ]
WHO ARE THE ATTACKERS?
There are about 17,079 registered users on the Sentry.MBA platform. Of those users, only 390 have ever posted a config file, showing that a small subset of users accounts for most of the activity. The top 10 authors posted over 550 configs, representing over 30% of all config files ever posted. The top author, a user by the name "Terbz", posted 116 config files.

USER HIERARCHY
1 Administrator and 4 Moderators: moderate content and ban users.
6 Verifiers: verify config files and vendors.
68 Vendors: can post content. (You just need to ping any of the Admins/Moderators to become a vendor and pay $20. This came into the picture only after Feb 24, 2017; before that anyone could post content.)
16,920 Normal Users.

[Figure: number of new registered users over time, from 10/3/15 to 5/25/17, on a 0-120 scale.]
The credential exploitation problem continues to worsen as waves of attackers continue to join the forums. However, only a small proportion of them are responsible for most of the damage.

[ conclusion ]
CONCLUSIONS
With more than 11,000 attacks launched against 1,853 targets, credential exploitation is a big problem. A vast variety of websites and organizations are under attack: if an organization has user accounts with any value associated with them, then it is a potential target. The average cost of a config file is very low, and attackers made relatively small sums of money by trading configs (less than $10,000 in total). However, swarms of new attackers keep joining these forums, which indicates that attackers are still profiting by launching credential exploitation attacks and selling compromised accounts. It is hard to estimate the value of the real damage caused by these attacks. The underground ecosystem is thriving, with more than 17,000 attackers on a single forum and new attackers joining every day. We analyzed only 5 forums, and plenty more exist. With the rising number of leaked credential dumps, this problem is only going to worsen. This is not a web-only problem: API endpoints are an emerging target, with 326 config files targeting APIs, representing approximately 10% of config files.

Stealth Security, Inc.® © 2017