A PEEK INTO THE UNDERGROUND ECONOMY
by Mayank Dhiman & Will Glazier
TABLE OF CONTENTS

Executive Summary ................ 1
Sentry MBA Ecosystem
  Glossary ....................... 2
  How it works ................... 3
Experiment
  Dataset ........................ 4
  Economics ...................... 4
Results
  Target industries .............. 5
  Geolocation .................... 6
  Target sites ................... 7
  Sentry.mba platform activity ... 8
  Who are the users? ............. 9
Conclusion ....................... 10
EXECUTIVE SUMMARY

Web application interfaces are the new frontline in cyber warfare. Using readily available automation tools, criminals are conducting massively high volume attacks through a website’s “front door”. These attacks don’t exploit an application’s vulnerability -- they exploit an application’s functionality.

In this battleground, the cyber criminal’s attack tool of choice is Sentry MBA. Sentry MBA is sophisticated and effective, with built-in defense bypass mechanisms; it is extremely customizable, easy to use, and has a thriving underground ecosystem.

This report dives deep into that Sentry MBA community by finding answers to questions like: how big is the community, what kinds of businesses do they target, how much money does the community make, who are its top contributors, and what are the community’s checks and balances.

We researched one and a half years’ worth of data, tools, and communications involving 5 Sentry MBA related communities, which gives us a snapshot of the ecosystem. Sample findings:

KEY FINDINGS
• The community is built on a “trust-but-verify” culture.
• During the time-window of our study, only 0.5% of the community members earned 97% of the ~$10k traded by the entire community.
• Of the 1,853 target websites, the top three target industries were online gaming (14.46%), entertainment (8.96%), and eCommerce (7.90%).
• 98 websites in Alexa’s top 1000 had a custom Sentry MBA configuration attack file.
• Of the 1,853 target websites, the configs were downloaded a total of 11,729 times.
GLOSSARY

Credential verification is a niche among crackers. As with any other niche, these crackers have developed a vocabulary about this tool.

SentryMBA; or Sentry; or MBA
  These are variants of the name for the same tool.

Config
  A “configuration” file is written against each target with instructions for SentryMBA on how to log in and how to differentiate between failed and successful logins for that particular target. Writing config files is one of the main ways to monetize in this criminal ecosystem.

Proxyless; or Pless
  A config file is proxyless if no proxies are included with it.

Combos; or Combolist; or Wordlist
  Each config requires a list of credential combinations (usually username and password, or email and password).

Leecher
  Leeching a config means copying a config from one site and posting it on another. A leecher is the person involved in this activity.

Capture
  A SentryMBA config may contain an optional capture setting, which has instructions for “capturing” certain account information, like account balance, upon a successful login. This enables attackers to understand the value of a compromised account without logging back in again.
HOW IT WORKS

[Figure: a login form (Email, Password, LOGIN) fed by a Combo List (stolen credentials) + Config File (attack target).]

1. Attacker procures a config file & stolen credentials from the underground markets, and loads them into SentryMBA.
2. Attacker configures SentryMBA and launches the attack campaign.
3. Attack traffic is distributed through proxies, cloud providers, and/or rented botnets to evade detection.
4. Distributed attack traffic tests all the stolen credentials, returning those that work. The value in these accounts can then be compromised manually or “captured” in order to be resold.

SentryMBA is extremely easy to learn and use, drastically lowering the barriers to entry for attackers like script kiddies.
DATASET

We analyzed popular underground cracking forums which focus on credential exploitation attacks and specialize in trading config files for SentryMBA.

• 3,579 config files from 5 forums (1,853 from sentry.mba)
• Config files posted over a 1½ year period
• Analyzed 17,079 attacker profiles
• 326 API configs posted across the 5 forums, representing nearly 10% of configs

sentry.mba (1,853 configs)
  This site is dedicated exclusively to trading config files for Sentry MBA. The site is quite active, and has been around since mid-2015.

crackingking.com (903 configs)
  This is a very popular cracking forum that has substantial activity for SentryMBA configs. Most configs on this forum are available for free upon registration.

crackingforum.com (316 configs), crackingleaks.com (376 configs), cracking.zone (131 configs)
  These 3 forums have active SentryMBA communities, among other cracking activities like selling compromised accounts or other custom tools. These forums were primarily used for data validation purposes.

Our dataset consists of a cross-section of the most popular SentryMBA specific cracking forums, allowing us visibility into a significant portion of the attacker ecosystem.
TARGET INDUSTRIES

Industry          Configs   Avg cost
Gaming            271       $2.34
Entertainment     168       $1.51
E-Commerce        148       $1.54
Adult (XXX)       137       $1.69
VPN               102       $1.47
Social Networks   101       $1.12
Hosting           77        $1.02
Cracking          73        $0.89
Software          67        $1.48
Food              65        $3.75
Retail            62        $5.77
Advertising       51        $0.90
Sports            47        $0.90
Bitcoin           31        $1.59
Education         28        $2.74
Healthcare        22        $4.27
Finance           8         $5.22

The above industries are often targeted by Sentry MBA attackers. Included is the number and average cost of configs posted per industry.

All major industries are actively under attack. Some face a disproportionate volume of traffic, such as Gaming, Entertainment & E-Commerce. Finance and Retail configs are the most expensive, and rare. This is symptomatic of SentryMBA being a script kiddie tool.
GEOLOCATION OF TARGETS

[Figure: world map of target counts per country; the country labels were not preserved in extraction. Counts shown on the map: 772, 235, 75, 54, 50, 36, 33, 16, 13, 12, 10, 10, 10, 7, 4, 4, 3, 3, 3.]

Targets are distributed across 42 different countries, with US companies being hit the hardest (78.0%). Sentry.mba has the widest geodistribution of targets.
POPULAR TARGET SITES

[Figure: logos of the most popular target sites with config download counts (from 80 to 884 downloads each; the most-reposted configs were reposted 41, 25, 22, 19 and 14 times). Site names were not preserved in extraction, apart from “Universal Email Access Checker”.]

Popular streaming, gaming and social networking websites are also the most popular targets. This is an indicator of attackers being script kiddies.
TARGET ALEXA RANKINGS

Popular websites are also more popular among attackers. However, in terms of sheer numbers, these attacks are mostly targeted against mid-market targets.

AT A GLANCE...
• 10% of the Alexa Top 1000 have a SentryMBA config available in the underground market
• 20 of the Alexa Top 100 are being actively targeted by configs
• 184 API configs available for download (on sentry.mba)
• 11,729 total downloads of SentryMBA config files
• 1,205 unique target sites on Sentry.MBA
[Figure: The Top 5 Most Expensive Config Files ($35.00 - $50.00); the chart labels were not preserved in extraction.]
ECONOMICS

On sentry.mba, config files are traded via the site-specific virtual currency called gold coins. One gold coin is equivalent to $0.01 and can be traded via bitcoins. On other forums, there is often a section for free configs and a more selective premium config section, which can only be joined once the user’s reputation is high enough.

• There were at least a total of 11,729 unique attacks launched over the past 1½ years.
• The average cost of a config is very low. Hence it is very easy for script kiddies to get started with these attacks.
• The total amount which exchanged hands was ~$10,000. Hence the lucrative activity for attackers is not creating the configs, but taking over accounts.

Multiple factors contribute to the cost of a config, including: the “scarcity” of the config in underground forums, the value of an individual compromised account, the ease of selling these compromised accounts, the organization’s security defenses in place, the time required to write the config file, and so forth.
WHO ARE THE ATTACKERS? USER HIERARCHY

1 Administrator
4 Moderators: moderate content, ban users, ...
6 Verifiers: verify config files, vendors, ...
68 Vendors: can post content (you just need to ping any of the Admins/Moderators to become a vendor and pay $20). This came into the picture only after Feb 24, 2017; before that anyone could post content.
16,920 Normal Users

There are about 17,079 registered users on the Sentry.MBA platform. Of those users, only 390 have ever posted a config file, demonstrating that a small subset of users are the most active. The top 10 authors posted over 550 configs, representing over 30% of all config files ever posted. The top author, a user by the name “Terbz”, posted 116 config files.

The credential exploitation problem continues to worsen, as waves of attackers continue to join the forums. The current defenses are failing and the barriers to entry for attackers are low.

[Figure: number of new registered users over time, x-axis 10/3/15, 1/11/16, 4/20/16, 7/29/16, 11/6/16, 2/14/17, 5/25/17; y-axis 20 to 120.]
CONCLUSION

Sentry MBA is one of the most popular underground cracking tools, and while this report focuses on it primarily, there is an abundance of underground cracking tools available on black markets. Some of these are even custom built to attack a particular site, a problem that occurs more frequently with larger enterprises. Stealth Security will continue to release research on this underground activity as we discover more. For now we leave you with some key takeaways about SentryMBA.

KEY TAKEAWAYS
• There is a thriving ecosystem around SentryMBA which seems to be growing.
• Underground ecosystems like Sentry.mba have contributed to the explosion in use of these tools, enabling those without the skills or prior experience to experiment with cracking and attack enterprises, causing substantial losses.
• The number of cracking configs available is in the thousands. This problem is growing and won’t go away anytime soon.
• This problem affects a broad array of industries, and large enterprises in particular, as they have more assets to protect.
• API is an emerging target compared to Web.
• The config files aren’t the most expensive component for the attacker. They aren’t making a lot of money from it.
