Credential abuse (CA) is a trend that is here to stay. It affects almost every one of us. There are attackers trying to break into every online account and the vast majority of these attacks are happening silently in the background. In the past, credential abuse tools were written and distributed in closed forums and among air-gapped societies. Now, they are widely available; there is a highly active market trade of "cookbooks" - configurations and instructions on how to perform successful logins against a website.
We observed using Akamai's broad visibility of the internet a substantial amount of credential stuffing attacks, a variation on the classic brute-force attack against web accounts while using a user-password pairs revealed by breaches across the Internet, targeting sites from a variety of industries. Analysis by Akamai's Threat Research team reveals an emerging self-proclaimed "account checker" tool named "SNIPR", complete with logo, being used to target many of Akamai's customers on a daily basis.
Our research offers a peek into a new, emerging tool, and cover the technical aspects of the "SNIPR" tool that highlights many aspects of a new generation of CA tools. We hope our research gives you some insight to the nature of these tools and what to watch for in their evolution.
The evolution of CA attacks didn't happen without influencing the attacker tools sector. These tools have become more sophisticated, with enhanced features and robust capabilities. New features make these tools much easier to use - resilient to detection and far more scalable than in the past. As part of the research on "SNIPR", we were able to see the following set of features that emphasize this evolution in the CA tools space:
The SNIPR tool includes various pre-built configuration for many large websites. One of the reasons behind this idea is to expand the tools operators span, so even low skilled users (aka 'script kiddies') can use the tool hassle free. These configurations include all the attack flow needed to perform an attack - the requested URLs, user agent strings, data capturing from requests, the correct order of authentication and so on.
Public Proxy Scraping
The ability to tunnel the traffic through various proxies is a must have feature for CA attacking tools. This allows the attacker masks his or her malicious activity along with the legitimate user traffic of the proxy provider. Along with the ability to use such proxies, SNIPR features a public proxy scraping mechanism, which lets the attack look for many public proxies to alternate with.
Now CA tools are more available than ever - the tool operators sell licenses over known ecommerce sites, accepting all kind of payments methods, from bitcoin (and other cryptocurrencies) to various gift cards, basically a way to profit while keeping the books clean - which is the purpose of any money laundering scheme.
In order for an account checking tool to survive over time, it must have a devoted community. On the tools website, there is a link to a Slack workspace. It is an active workspace that allows the tool developer's to report new features and releases, and allows customers to provide feedback). They also have a channel for 3rd party configuration that is widely available.
The CA tools sector is evolving, and it doesn't look like it's stopping any time soon. We are witnessing those tools getting smarter along with defensive mechanisms becoming more complex. New and old credentials abuse tools will evolve to a similar form factor of SNIPR - community driven, easily acquired and neverending developed.
SNIPR, being just one example of such an advancement, can teach us what to expect from those who wants to get our creds. Very much like any kind of software - attackers tools are not different - they are there in order to lower the total cost for those who wants to harm and steal, impersonators and thieves, with the sole intention - profit.
As time advances we are expected to see more and more automation to those processes, more sophisticated obfuscation techniques and mimicking of human behavior getting better all the time.
All of the above factors affect greatly of the success ratio of such tools, either by more refined process or by better stealth tactics that is aimed to throw sand in the eyes of the machines and analysts that are there to protect you.