Password login attacks, especially credential stuffing attacks, are still one of the most common cyberattacks on the Internet. F5 Labs and Shape Security extensively looked at the patterns and trends associated with credential stuffing in the 2021 Credential Stuffing Report.
In part 2 of this series on credential stuffing tools and techniques, we dive deeper into how attackers actually “stuff” credentials. In part 1, we explored how cyberattackers configure credential stuffing attack tools. We used OpenBullet, a common credential attack tool, as our example. In this second part, we look at how attackers use different tools, take over a mailbox, and overcome simple defenses.
Launching a Credential Stuffing Attack
Previously we showed you how attackers configure the OpenBullet credential stuffing tool. Now, attackers can try launching the attack in the tool’s Runner section, as shown in Figure 1. This is where they can choose how many bots to run at a time. They can also run attacks against multiple sites simultaneously.
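From the defender's side, a run like the one just described leaves a distinctive trace in the login logs: one source trying many different usernames in a short window, with most attempts failing. The following detector is an added example, not code from the F5 Labs article or from OpenBullet; the log line format (`<timestamp> <src_ip> <username> <result>`), the sample lines, and the thresholds are constructed assumptions, so tune them to the real volume of your login endpoint.

```python
"""Flag credential-stuffing sources in authentication logs.

Added example, not from the original article. The log format and the
sample lines below are constructed; thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one legitimate user retrying a mistyped password,
# and one source spraying a list of usernames (a stuffing run).
SAMPLE_LOG = """\
2021-05-01T10:00:01 203.0.113.7 alice FAIL
2021-05-01T10:00:05 203.0.113.7 alice FAIL
2021-05-01T10:00:09 203.0.113.7 alice OK
2021-05-01T10:00:02 198.51.100.9 bob FAIL
2021-05-01T10:00:02 198.51.100.9 carol FAIL
2021-05-01T10:00:03 198.51.100.9 dave FAIL
2021-05-01T10:00:03 198.51.100.9 erin FAIL
2021-05-01T10:00:04 198.51.100.9 frank OK
2021-05-01T10:00:04 198.51.100.9 grace FAIL
"""


def parse_line(line):
    """Split one constructed-format log line into its fields."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_users=5, min_fail_ratio=0.8):
    """Return {src_ip: stats} for sources whose failed logins are spread
    across many distinct usernames inside one time window.

    A human retrying one account never trips min_users; a tool cycling a
    credential list does. Successful logins from a flagged source are
    reported separately because those accounts are the likely takeovers.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        events[ip].append((ts, user, result))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i in range(len(evs)):
            start = evs[i][0]
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in in_window}
            fails = sum(1 for _, _, r in in_window if r == "FAIL")
            ratio = fails / len(in_window)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(in_window),
                    "fail_ratio": round(ratio, 2),
                    "successes": sorted(u for _, u, r in in_window if r == "OK"),
                }
                break  # one alert per source is enough
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, stats)
```

Two things are worth carrying over to a real deployment: rotate the aggregation key from source IP to something harder for the attacker to spread (session fingerprint, ASN, or the target username) when the tool is run through a proxy list, and treat the `successes` list as the list of accounts to force a password reset on rather than just as telemetry.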
Breaking Through Credential Stuffing Defenses
Many organizations put controls in place to detect and block this credential stuffing automation. F5 Labs took a closer look at the various tools credential stuffing bots use to bypass defenses. We’re going to configure OpenBullet to evade a common first line of defense: CAPTCHAs.
CAPTCHA is a contrived acronym for "Completely Automated Public Turing [test to tell] Computers and Humans Apart." A CAPTCHA does this by forcing users to complete a challenge to prove they are not a bot. Newer versions of CAPTCHAs do this selectively—only if bot-type behavior is detected.
Many CAPTCHA bypass services are available, and they fall into two categories: optical character recognition (OCR) solutions and human-based solving. For more detail on this, see the F5 Labs examination of the human-based CAPTCHA market.
Like everything else in the tech world, there is a software as a service (SaaS) solution, specifically a CAPTCHA-solving service. These services range in price from about 40 cents to $5 for 1,000 CAPTCHA solves. This is as simple as signing up for a service (Figure 2) and entering the service name and API key in the tool’s CAPTCHA section (Figure 3).
Now the attacker can add a Solve CAPTCHA block to their configuration. This block requires the URL of the site containing the CAPTCHA and the Site Key, which is found in the page’s source code. The solved CAPTCHA will be stored as <SOLUTION> and can be sent in the POST, as shown in Figure 4.
Using Credential Stuffing to Take Over an Email Account
If there is something of value behind a login, it’s a good bet automated attacks are targeting it. The sophistication of these attacks depends on the malicious automation controls in place on the target system, as attackers will invest the minimum effort necessary. They will retool with higher sophistication once their attacks are successfully mitigated. Also, there are other ways besides the direct approach to get into a high-value account using credential stuffing.
One strategy is to compromise email accounts with a credential stuffing attack. Then an attacker can use those accounts to reset passwords on the high-value logins. A compromised inbox is easily searched to find out which accounts of interest the user has registered to that email address. Figure 5 breaks down the process.
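The chain described above has a detectable shape on the defender's side: a successful login to a user's mailbox from a source the user has never used before, followed shortly by a password reset on another service tied to that mailbox. The correlation below is an added example, not code from the article; the event format (`<timestamp> <src_ip> <event> <service> <username> [<result>]`), the service names, the per-user known-IP allowlist, and the two-hour lookback are all constructed assumptions.

```python
"""Flag password resets that follow a suspicious mailbox login.

Added example, not from the original article. Event format, service
names, the KNOWN_IPS allowlist and the lookback window are constructed.
"""
from datetime import datetime, timedelta

# Constructed: addresses each user habitually signs in from (in practice
# derived from login history, not hard-coded).
KNOWN_IPS = {"alice": {"203.0.113.7"}, "frank": {"192.0.2.44"}}

# Constructed events from two systems: the mail service and a "bank" app
# whose password-reset links are delivered to the user's mailbox.
SAMPLE_EVENTS = """\
2021-05-01T09:00:00 203.0.113.7 LOGIN mail alice OK
2021-05-01T09:30:00 203.0.113.7 RESET bank alice
2021-05-01T10:00:04 198.51.100.9 LOGIN mail frank OK
2021-05-01T10:20:00 198.51.100.9 RESET bank frank
"""


def parse_events(text):
    """Parse the constructed event format into dicts sorted by time."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        ip, event, service, user = parts[1:5]
        out.append({
            "ts": datetime.fromisoformat(parts[0]),
            "ip": ip, "event": event, "service": service, "user": user,
            "result": parts[5] if len(parts) > 5 else None,
        })
    return sorted(out, key=lambda e: e["ts"])


def suspicious_resets(events, lookback=timedelta(hours=2)):
    """Return one alert per RESET event preceded (within `lookback`) by a
    successful mail login for the same user from an IP not in KNOWN_IPS.

    alice's reset follows a mail login from her usual address and is left
    alone; frank's mailbox was entered from an unknown address minutes
    before his bank password was reset, which is the takeover pattern.
    """
    alerts = []
    for reset in events:
        if reset["event"] != "RESET":
            continue
        for e in events:
            gap = reset["ts"] - e["ts"]
            if (e["event"] == "LOGIN" and e["service"] == "mail"
                    and e["user"] == reset["user"] and e["result"] == "OK"
                    and e["ip"] not in KNOWN_IPS.get(e["user"], set())
                    and timedelta(0) <= gap <= lookback):
                alerts.append({
                    "user": reset["user"],
                    "service": reset["service"],
                    "mail_login_ip": e["ip"],
                    "minutes_between": int(gap.total_seconds() // 60),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in suspicious_resets(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The useful response to such an alert is on the high-value service, not just the mailbox: hold the reset for step-up verification, or notify the user through a channel other than the email address that was just accessed.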