TABLE OF CONTENTS

Executive Summary
Sentry MBA Ecosystem
  Glossary
  How it works
Experiment
  Dataset
Results
  Target industries
  Geolocation
  Target sites
  Sentry.mba platform activity
  Economics
  Who are the users?
Conclusion
EXECUTIVE SUMMARY

Web application interfaces are the new frontline in cyber warfare. Using readily available automation tools, criminals are conducting massively high-volume attacks through a website's "front door". These attacks don't exploit an application's vulnerability; they exploit an application's functionality.

In this battleground, the cyber criminal's attack tool of choice is Sentry MBA. Sentry MBA is sophisticated and effective, with built-in defense bypass mechanisms; it is extremely customizable, easy to use, and has a thriving underground ecosystem.

This report dives deep into the Sentry MBA community by answering questions such as: how big is the community, what kinds of businesses does it target, how much money does the community make, who are its top contributors, and what are the community's checks and balances?

We researched one and a half years' worth of data, tools, and communications involving 5 Sentry MBA related communities, which gives us a snapshot of the ecosystem.

KEY FINDINGS

• The community is built on a "trust-but-verify" culture.
• During the time window of our study, only 0.5% of the community members earned 97% of the ~$10k traded by the entire community.
• Of the 1,853 configs on sentry.mba, the top three target industries were online gaming (14.46%), entertainment (8.96%), and eCommerce (7.90%).
• 98 websites in Alexa's top 1000 had a custom Sentry MBA configuration attack file.
• The 1,853 sentry.mba configs were downloaded a total of 11,729 times.
SENTRY MBA ECOSYSTEM

GLOSSARY

Credential verification is a niche among crackers. As with any other niche, these crackers have developed a vocabulary around this tool.

SentryMBA; or Sentry; or MBA
These are variants of the name for the same tool.

Config
A "configuration" file is written against each target with instructions for SentryMBA on how to log in and how to differentiate between failed and successful logins for that particular target. Writing config files is one of the main ways to monetize in this criminal ecosystem.

Proxyless; or Pless
A config file is proxyless if no proxies are included with it.

Combos; or Combolist; or Wordlist
Each config requires a list of credential combinations (usually username and password, or email and password).

Leecher
Leeching a config means copying a config from one site and posting it on another. A leecher is the person involved in this activity.

Capture
A SentryMBA config may contain an optional capture setting, which has instructions for "capturing" certain account information, such as the account balance, upon a successful login. This lets attackers gauge the value of a compromised account without logging back in again.
HOW IT WORKS

1. The attacker procures a config file (the attack target) and a combo list of stolen credentials from the underground markets, and loads them into SentryMBA.
2. The attacker configures SentryMBA and launches the attack campaign.
3. Attack traffic is distributed through proxies, cloud providers, and/or rented botnets to evade detection.
4. The distributed attack traffic submits all the stolen credentials to the target's login form, returning those that work. The value in these accounts can then be compromised manually or "captured" in order to be resold.

SentryMBA is extremely easy to learn and use, drastically lowering the barrier to entry for attackers such as script kiddies.
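The four steps above describe a traffic pattern a defender can look for: a large combo list replayed against one login endpoint, most attempts failing, and (in step 3) the attempts spread over many proxy addresses. The following Python is an added example written for this page, not code from the report or from the Sentry MBA tool; the log format, the threshold values and the sample traffic are assumptions made for illustration. It shows two complementary checks: a per-source rule that catches a "proxyless" run from a single IP, and an aggregate rule that catches the same combo list spread across proxies, where no single IP stands out.

```python
"""Detecting the SentryMBA login pattern in web server login logs.

Added example (not from the report). Log format, thresholds and the
sample traffic are assumptions for illustration only.
"""
from collections import defaultdict

# Constructed sample log, not real traffic. Assumed format per line:
#   <ISO timestamp> <client IP> <username> <OK|FAIL>
# Lines 1-3: ordinary users (one typo, then a retry of the same name).
# Lines 4-9: proxyless run, six different usernames from one IP.
# Lines 10-15: the same kind of combo list pushed through six proxy IPs.
SAMPLE_LOG = """\
2017-05-01T10:00:01Z 198.51.100.7 alice@example.com OK
2017-05-01T10:00:05Z 198.51.100.8 bob@example.com FAIL
2017-05-01T10:00:09Z 198.51.100.8 bob@example.com OK
2017-05-01T10:01:00Z 203.0.113.10 u1@example.com FAIL
2017-05-01T10:01:01Z 203.0.113.10 u2@example.com FAIL
2017-05-01T10:01:02Z 203.0.113.10 u3@example.com FAIL
2017-05-01T10:01:03Z 203.0.113.10 u4@example.com OK
2017-05-01T10:01:04Z 203.0.113.10 u5@example.com FAIL
2017-05-01T10:01:05Z 203.0.113.10 u6@example.com FAIL
2017-05-01T10:02:00Z 192.0.2.1 v1@example.com FAIL
2017-05-01T10:02:01Z 192.0.2.2 v2@example.com FAIL
2017-05-01T10:02:02Z 192.0.2.3 v3@example.com FAIL
2017-05-01T10:02:03Z 192.0.2.4 v4@example.com FAIL
2017-05-01T10:02:04Z 192.0.2.5 v5@example.com OK
2017-05-01T10:02:05Z 192.0.2.6 v6@example.com FAIL
"""


def parse_log(text):
    """Return a list of (timestamp, ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((ts, ip, user, outcome == "OK"))
    return events


def per_ip_stats(events):
    """Attempts, distinct usernames and successes for each source IP."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "ok": 0})
    for _, ip, user, ok in events:
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        s["ok"] += int(ok)
    return stats


def flag_noisy_ips(events, min_attempts=5, min_users=5, max_success_rate=0.25):
    """Proxyless signature: one IP cycles through many usernames, mostly failing.

    A real user who mistypes a password retries the *same* username, so
    distinct usernames per IP separates the cases better than failures alone.
    """
    flagged = []
    for ip, s in per_ip_stats(events).items():
        if (s["attempts"] >= min_attempts
                and len(s["users"]) >= min_users
                and s["ok"] / s["attempts"] <= max_success_rate):
            flagged.append(ip)
    return sorted(flagged)


def distributed_signature(events, ignore_ips=(), min_attempts=5,
                          min_failure_rate=0.5, min_fresh_ip_fraction=0.8):
    """Aggregate signature for a proxied campaign (step 3 above).

    Spread over proxies, each IP makes one or two attempts and per-IP
    thresholds never fire. Over the whole batch, though, the failure rate
    is high and nearly every attempt comes from a previously unseen IP.
    """
    ev = [e for e in events if e[1] not in ignore_ips]
    attempts = len(ev)
    if attempts < min_attempts:
        return False, {"attempts": attempts}
    failures = sum(1 for e in ev if not e[3])
    metrics = {
        "attempts": attempts,
        "failure_rate": failures / attempts,
        "fresh_ip_fraction": len({e[1] for e in ev}) / attempts,
        "fresh_user_fraction": len({e[2] for e in ev}) / attempts,
    }
    suspicious = (metrics["failure_rate"] >= min_failure_rate
                  and metrics["fresh_ip_fraction"] >= min_fresh_ip_fraction)
    return suspicious, metrics


def detect(log_text):
    """Run both checks; the aggregate check covers whatever the per-IP
    check did not already explain."""
    events = parse_log(log_text)
    noisy = flag_noisy_ips(events)
    suspicious, metrics = distributed_signature(events, ignore_ips=noisy)
    return {"noisy_ips": noisy, "distributed": suspicious, "metrics": metrics}


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

On the constructed sample, the per-IP rule flags only 203.0.113.10; the proxied block is invisible to it, which is exactly why step 3 exists, and it is caught only by the aggregate rule. In practice both checks would run over a sliding time window and the thresholds would be tuned against a baseline of normal traffic, where repeat logins from the same user and IP are common.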
EXPERIMENT

DATASET

We analyzed popular underground cracking forums which focus on credential exploitation attacks and specialize in trading config files for SentryMBA.

• 3,579 config files from 5 forums (1,853 from sentry.mba)
• Config files posted over a 1.5-year period
• 17,079 attacker profiles analyzed
• 326 API configs posted across the 5 forums, representing nearly 10% of configs

Forums in the dataset, with the number of configs collected from each:

sentry.mba (1,853 configs)
This site is dedicated exclusively to trading config files for Sentry MBA. The site is quite active and has been around since mid-2015.

crackingking.com (903 configs)
This is a very popular cracking forum that has substantial activity for SentryMBA configs. Most configs on this forum are available for free upon registration.

crackingforum.com (316 configs), crackingleaks.com (376 configs), cracking.zone (131 configs)
These three forums have active SentryMBA communities, among other cracking activities like selling compromised accounts or other custom tools. These forums were primarily used for data validation purposes.

Our dataset consists of a cross-section of the most popular SentryMBA-specific cracking forums, giving us visibility into a significant portion of the attacker ecosystem.
RESULTS

TARGET INDUSTRIES

Number of configs posted per industry and the average cost of a config in that industry (USD):

Industry          Configs   Avg cost
Gaming            271       $2.34
Entertainment     168       $1.51
E-Commerce        148       $1.54
Adult             137       $1.69
VPN               102       $1.47
Social Networks   101       $1.12
Hosting            77       $1.02
Cracking           73       $0.89
Software           67       $1.48
Food               65       $3.75
Retail             62       $5.77
Advertising        51       $0.90
Sports             47       $0.90
Bitcoin            31       $1.59
Education          28       $2.74
Healthcare         22       $4.27
Finance             8       $5.22

The industries above are the ones most often targeted by Sentry MBA attackers. All major industries are actively under attack. Some face a disproportionate volume of attention, such as Gaming, Entertainment and E-Commerce. Finance and Retail configs are the most expensive and the rarest, which is symptomatic of SentryMBA being a script kiddie tool.
GEOLOCATION OF TARGETS

[Figure: world map of target locations with per-country config counts; the country labels are not recoverable from the text.]

Targets are distributed across 42 different countries, with US companies being hit the hardest (78.0%). Sentry.mba has the widest geographic distribution of targets.
POPULAR TARGET SITES

[Figure: logos of the most popular target sites with the download counts of their configs (884, 335, 314, 290, 289, 227, 214, 137, 134, 125, 115 and 80 downloads); five of these configs were reposted between 14 and 41 times. The only target named in the text is a "Universal Email Access Checker" config.]

Popular streaming, gaming and social networking websites are also the most popular targets. This is an indicator of attackers being script kiddies.
TARGET ALEXA RANKINGS

Popular websites are also more popular among attackers. However, in terms of sheer numbers, these attacks are mostly targeted against mid-market sites.

AT A GLANCE

• 10% of the Alexa Top 1000 have a SentryMBA config available in the underground market
• 20 of the Alexa Top 100 are being actively targeted by configs
• 184 API configs available for download on sentry.mba
• 11,729 total downloads of SentryMBA config files
• 1,205 unique target sites on sentry.mba
ECONOMICS

[Figure: the top 5 most expensive config files, priced $35.00 to $50.00; the targets are not recoverable from the text.]

On sentry.mba, config files are traded via a site-specific virtual currency called gold coins. One gold coin is equivalent to $0.01 and can be traded for bitcoin. On other forums there is often a section for free configs and a more selective premium config section, which can only be joined once the user's reputation is high enough.

• At least 11,729 unique attacks were launched over the past 1.5 years (one per config download).
• The average cost of a config is very low, so it is very easy for script kiddies to get started with these attacks.
• The total amount that changed hands was about $10,000. The lucrative activity for attackers is therefore not creating configs, but taking over accounts.

Multiple factors contribute to the cost of a config, including: the "scarcity" of the config in underground forums, the value of an individual compromised account, the ease of selling these compromised accounts, the organization's security defenses in place, the time required to write the config file, and so forth.
WHO ARE THE ATTACKERS? USER HIERARCHY

The sentry.mba platform has a tiered user hierarchy:

• 1 Administrator
• 4 Moderators: moderate content, ban users, and so on
• 6 Verifiers: verify config files and vendors, and so on
• 68 Vendors: can post content. To become a vendor, a user only needs to ping one of the admins or moderators and pay $20. (This requirement came into effect on Feb 24, 2017; before that anyone could post content.)
• 16,920 Normal Users

There are about 17,079 registered users on the sentry.mba platform. Of those, only 390 have ever posted a config file, showing that a small subset of users accounts for most of the activity. The top 10 authors posted over 550 configs, representing over 30% of all config files ever posted. The top author, a user by the name of "Terbz", posted 116 config files.

The credential exploitation problem continues to worsen as waves of attackers keep joining the forums. The current defenses are failing and the barriers to entry for attackers are low.

[Figure: number of new registered users on sentry.mba per period, 10/3/15 to 5/25/17; y-axis 0 to 120.]
CONCLUSION

Sentry MBA is one of the most popular underground cracking tools, and while this report focuses on it primarily, there is an abundance of underground cracking tools available on black markets. Some of these are even custom built to attack a particular site, a problem that occurs more frequently with larger enterprises. Stealth Security will continue to release research on this underground activity as we discover more. For now we leave you with some key takeaways about SentryMBA.

KEY TAKEAWAYS

• There is a thriving ecosystem around SentryMBA which appears to be growing.
• Underground ecosystems like sentry.mba have contributed to the explosion in use of these tools, enabling those without the skills or prior experience to experiment with cracking and attack enterprises, causing substantial losses.
• The number of cracking configs available is in the thousands. This problem is growing and won't go away anytime soon.
• This problem affects a broad array of industries, and large enterprises in particular, as they have more assets to protect.
• APIs are an emerging target compared to web login forms.
• Config files aren't the most expensive component for the attacker, and their authors aren't making a lot of money from them.