Today we introduce and explain an attack tool that is becoming more prevalent among our customers: the account checker.
This credential stuffing tool isn’t new, but its usage is rising sharply for reasons we’ll discuss below. Although conceptually simple and easy to use, account checkers are extremely powerful.

Description of Account Checkers
An account checker is an attack tool that takes lists of spilled username/password pairs (i.e. “credentials”) and tests them against a target website.
Powerful account checker packages cost as little as $100, and adversaries can also build their own from off-the-shelf web automation toolkits such as Mechanize, PhantomJS, IEC.py, Sikuli, Selenium or iMacros. These toolkits lower the technical bar for writing account checkers and conducting credential stuffing attacks.
Anatomy of Account Checker Usage
- Attacker acquires spilled passwords from a website breach or from a password dump site
- Attacker uses an account checker to test the stolen credentials at many websites
- Successful logins (usually 0.1-2% of the total) result in account takeover
- Attacker drains the stolen accounts of stored value, credit card numbers, and other PII
- Attacker may also use the accounts for other nefarious purposes (spam, further fraudulent transactions, etc.)
Example of Benign Account Checker
Below is a ‘benign’ account checker, namechk.com, that illustrates how account checkers work. This tool checks whether a given username is available on various social networks. We checked the username “shapesecurity” and the tool correctly identified every site on which that username was already taken.
The service runs a script that automatically tests the given username against each of the websites shown in the image (Blogger, Facebook, YouTube, Twitter, etc.).
A criminal account checker works the same way, and adds capabilities such as testing whether candidate passwords (generated by guessing algorithms, or taken from the top 25 most common passwords) work on that site. Checking usernames and passwords at scale, with malicious intent, is what makes credential stuffing such a widespread attack.
A Microsoft study found that the average user has just over six passwords, that each password is shared across about four (3.9) different sites, and that each user has about 25 accounts that require passwords. This means that a password exposed by a breach at any one site is, on average, also valid at roughly 3.9 sites.
Example of an Attack-Ready Account Checker
Brian Krebs wrote about the off-the-shelf account checker shown below. This is the same type of tool used to hack Hilton.
This checker is able to ascertain whether credentials are valid, and then scrape the points balance, the last four digits of the credit card number, and the card’s billing address.
Below is a sample of the underlying code of an account checker. It tests large numbers of credentials; when it finds a valid pair, it scrapes PII and steals stored value and credit card details from the account.
Where do attackers get lists of credentials?
The fuel for any account checker is a list of credentials. Fortunately for attackers, a huge number of credentials are already public, for example:
- 38,000,000 Adobe accounts
- 318,000 Facebook accounts
- 70,000 Google accounts
- 60,000 Yahoo accounts
- 22,000 Twitter accounts
- 8,000 ADP accounts
- 8,000 LinkedIn accounts
Hundreds more credentials are leaked each day via the Twitter account twitter.com/dumpmon. Many security professionals use this feed to identify which accounts on their own sites have been compromised, and to lock those accounts out. Obviously, attackers also use it, together with account checkers, to find vulnerable accounts that they then use for various fraudulent activities.
What can security professionals do to curb account checkers and prevent attackers from hijacking user accounts?
The answer requires an understanding of the mechanism by which account checkers work.
Account checkers work by using the static form elements of the login page as an implicit API. In the code sample above, the attacker references the login form’s element names directly in order to interact with the target webpage. Most websites cannot distinguish such interactions from normal human interactions, and thus gladly accept the attacking traffic. This lets the attacker automate the website with an account checker and easily run through millions of tests over the course of a few days or weeks (often using a large distributed botnet and a huge number of IP addresses in order to evade rate and volume limits). Thus, even very unsophisticated attackers can trivially launch potent attacks against many of the largest websites in the world.
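The paragraph above describes the two things a defender can actually see in login logs: a checker run from one host burns through many distinct usernames with a success rate far below that of real users, and a checker spread across a botnet hides that per-IP signal but not the site-wide one. The following is an added example, not code from the original post or from Shape; the log format, the sample log lines and the thresholds are all constructed assumptions to be tuned per site.

```python
"""Added example (not from the original post): two detection signals for
credential stuffing over login logs. Log format and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one attempt per line: "timestamp ip username result".
# 203.0.113.5 is a checker on a single host; 198.51.100.x spreads one attempt
# per IP (botnet); 192.0.2.44 is a real user mistyping a password once.
SAMPLE_LOG = """\
2015-01-10T12:00:01Z 203.0.113.5 alice FAIL
2015-01-10T12:00:01Z 203.0.113.5 bob FAIL
2015-01-10T12:00:02Z 203.0.113.5 carol FAIL
2015-01-10T12:00:02Z 203.0.113.5 dave OK
2015-01-10T12:00:03Z 203.0.113.5 erin FAIL
2015-01-10T12:00:03Z 203.0.113.5 frank FAIL
2015-01-10T12:00:04Z 198.51.100.7 gina FAIL
2015-01-10T12:00:04Z 198.51.100.8 hank FAIL
2015-01-10T12:00:05Z 198.51.100.9 ivan FAIL
2015-01-10T12:00:05Z 198.51.100.10 judy FAIL
2015-01-10T12:00:06Z 198.51.100.11 kim FAIL
2015-01-10T12:00:06Z 198.51.100.12 leo FAIL
2015-01-10T12:00:07Z 198.51.100.13 mia OK
2015-01-10T12:00:07Z 198.51.100.14 ned FAIL
2015-01-10T12:05:00Z 192.0.2.44 olivia OK
2015-01-10T12:05:30Z 192.0.2.44 olivia FAIL
2015-01-10T12:05:40Z 192.0.2.44 olivia OK
"""


def parse(log_text):
    """Parse lines into (timestamp, ip, username, success) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ip, user, result == "OK"))
    return events


def noisy_sources(events, min_users=5, max_success_rate=0.2):
    """IPs that tried many distinct usernames and mostly failed: a checker run
    from a single host. Both thresholds are assumptions to tune per site."""
    users, attempts, successes = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, ip, user, ok in events:
        users[ip].add(user)
        attempts[ip] += 1
        successes[ip] += 1 if ok else 0
    return {ip for ip in users
            if len(users[ip]) >= min_users
            and successes[ip] / attempts[ip] <= max_success_rate}


def stuffing_minutes(events, min_users=8, max_success_rate=0.2):
    """Minutes in which, across ALL source IPs, many distinct usernames were
    tried with a low success rate. This is the signal that survives a botnet
    spreading one attempt per IP, which the per-IP check above misses."""
    by_minute = defaultdict(list)
    for ts, _, user, ok in events:
        by_minute[ts.strftime("%Y-%m-%dT%H:%M")].append((user, ok))
    flagged = []
    for minute in sorted(by_minute):
        tries = by_minute[minute]
        distinct = len({user for user, _ in tries})
        rate = sum(1 for _, ok in tries if ok) / len(tries)
        if distinct >= min_users and rate <= max_success_rate:
            flagged.append(minute)
    return flagged


def demo(log_text=SAMPLE_LOG):
    """Run both signals over the sample; returns (flagged IPs, flagged minutes)."""
    events = parse(log_text)
    return noisy_sources(events), stuffing_minutes(events)


if __name__ == "__main__":
    print(demo())
```

On the sample, the per-IP check catches only 203.0.113.5; the 198.51.100.x attempts each look like one user’s failed login, yet the minute they share is flagged by the site-wide check because eight distinct usernames were tried with a 12.5% success rate. Real users fail far less often than the 0.1-2% success rate quoted above, so the success-rate threshold is the discriminating term; the distinct-username floor keeps one person retrying their own password (192.0.2.44) out of the alert.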
To defend websites against such activity, which we call “unwanted automation”, we use an approach that is familiar to attackers – we change the underlying code of the site on every pageview. Just as malware authors have long used polymorphic code to evade antivirus products by constantly presenting different signatures, so Shape’s solution creates a moving target which frustrates scripts that seek to automate a website. This allows sysadmins to increase the effort an attacker must invest to successfully script or automate a given website.
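To make the “moving target” concrete, here is an added example of the principle described above, written for this page and not Shape’s code: the login form’s field names are derived from a per-pageview nonce under a server-side key, so a checker that hardcoded last week’s names never produces a submission the server can map back to its canonical fields. The HMAC derivation, the single-use nonce and the tiny form parser standing in for a browser are all assumptions of this example.

```python
"""Added example (not Shape's code): why a checker that treats static form
field names as an implicit API breaks when those names change per pageview."""
import hashlib
import hmac
import secrets
from html.parser import HTMLParser

# Assumption: a per-deployment secret; in a real system keep it out of source.
SERVER_KEY = b"constructed-demo-key"
CANONICAL_FIELDS = ("username", "password")
_issued_nonces = set()   # single-use: a nonce is consumed on first submission


def field_name(canonical, nonce):
    """Derive the field name the browser sees from the canonical name and nonce."""
    mac = hmac.new(SERVER_KEY, f"{nonce}:{canonical}".encode(), hashlib.sha256)
    return "f_" + mac.hexdigest()[:12]


def issue_nonce():
    """Mint a fresh nonce for one pageview and remember it as outstanding."""
    nonce = secrets.token_hex(8)
    _issued_nonces.add(nonce)
    return nonce


def render_login_form(nonce):
    """Render the login form with field names unique to this pageview."""
    u, p = (field_name(f, nonce) for f in CANONICAL_FIELDS)
    return ('<form method="post" action="/login">'
            f'<input type="hidden" name="n" value="{nonce}">'
            f'<input type="text" name="{u}">'
            f'<input type="password" name="{p}">'
            '</form>')


def decode_submission(post):
    """Map submitted names back to canonical ones. Returns None if the nonce is
    missing, already used, or the names do not match what that pageview got."""
    nonce = post.get("n")
    if nonce not in _issued_nonces:
        return None
    _issued_nonces.discard(nonce)        # one submission per pageview
    decoded = {}
    for canonical in CANONICAL_FIELDS:
        served = field_name(canonical, nonce)
        if served not in post:
            return None
        decoded[canonical] = post[served]
    return decoded


class _InputNames(HTMLParser):
    """Collect (type, name, value) of every input, as a browser would."""
    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            a = dict(attrs)
            self.inputs.append((a.get("type", "text"), a.get("name"), a.get("value", "")))


def browser_submit(html, username, password):
    """Fill the form exactly as served, whatever the field names are this time."""
    parser = _InputNames()
    parser.feed(html)
    post = {}
    for kind, name, value in parser.inputs:
        post[name] = value if kind == "hidden" else (password if kind == "password" else username)
    return post


def static_checker_submit(username, password):
    """What a checker with hardcoded field names sends: no nonce, fixed names."""
    return {"username": username, "password": password}


def demo():
    """Returns (legit decode, replay decode, static-checker decode)."""
    html = render_login_form(issue_nonce())
    ok = decode_submission(browser_submit(html, "alice", "hunter2"))      # mapped
    replay = decode_submission(browser_submit(html, "bob", "letmein"))    # nonce spent
    stale = decode_submission(static_checker_submit("alice", "hunter2"))  # no pageview
    return ok, replay, stale


if __name__ == "__main__":
    print(demo())
```

The single-use nonce matters as much as the renaming: without it, an attacker fetches one page, learns that pageview’s names, and replays them for every credential on the list. With it, every attempt costs a fresh page load, and nonce issuance becomes a natural point to apply rate limits. A checker that re-parses the served form on each attempt still gets through; that is the DOM-level automation the closing paragraph sets aside for a later piece.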
Of course, savvy readers will point out numerous other ways to conduct such attacks. Considering them (DOM-level, GUI-level and others) is beyond the scope of this article, though perhaps the subject of future pieces. Shape is keenly focused on comprehensively defeating all such attacks and has solutions at each of those levels.