Once again, we have a case of cybercriminals using legitimate web-testing software to exploit weak or stolen credentials. In this instance, the open-source tool in question is called OpenBullet, and it’s a popular tool among penetration testers and web application security professionals.
However, it’s also being used by malicious actors to automate credential-stuffing attacks and other forms of cybercrime. These attacks are not slowing down anytime soon, either. Credential stuffing accounts for 61% of login events in the U.S.
OpenBullet, in particular, is being used to exploit a wide variety of services, including streaming, online shopping, banking, and any online service that requires a login. The cracking community has transitioned into headless tooling, which helps them bypass many modern security solutions.
OpenBullet is a particularly popular headless tool because it’s easily configurable and can be integrated with various automation scripts. Cybercriminals use it to automate distributed attacks at scale.
What is a Credential Stuffing Attack?
A credential stuffing attack is an attack in which the attacker takes username/password pairs stolen from one site, usually in a data breach, and replays them at scale against the login pages of other sites, such as email, social media, or financial services. It is distinct from brute force, where the attacker guesses passwords for a known account, and from password spraying, where a handful of common passwords are tried against many accounts.
Credential stuffing works because people reuse the same passwords across multiple accounts. A pair that was leaked from one service frequently still opens the same person's account somewhere else, so once the attacker has one working login they try the same credentials everywhere.
Credential stuffing attacks are difficult to defend against because, from the server's point of view, the attacker is presenting valid credentials. The strongest single control is multi-factor authentication (MFA), of which two-factor authentication (2FA) is the most common form: the user must provide a second factor, such as a code from their phone or a fingerprint, so a correct password alone is not enough.
How Malicious Actors Use OpenBullet For Account Takeover (ATO)
In addition to credential stuffing, one of the most common uses for OpenBullet is account takeover (ATO). ATO is increasingly common because, with a list of working credentials in hand, it is easy for a malicious actor to take over someone's online account and reach the sensitive information in it.
In an ATO attack, the attacker uses OpenBullet to test credential lists against the login endpoint and collects every pair that is accepted. Once inside an account, they can change the password and recovery details to lock the owner out and take complete control.
ATO attacks are becoming increasingly common because they are relatively easy to carry out and can be very lucrative. By taking over someone's account, the attacker may gain access to sensitive information such as stored credit card numbers and bank account details, and can act as the victim toward anyone who trusts that account.
Why Credential Stuffing Attacks Are Devastating for Businesses
The effects of credential stuffing attacks are terrible for businesses because they can lead to a loss of customer data, financial losses, and reputational damage.
Here’s a closer look at how grave the consequences can be:
Customer Data Loss
Credential stuffing attacks can lead to the loss of customer data, such as credit card numbers and social security numbers. Cybercriminals often use the data to commit fraud or identity theft. In some cases, they also sell the data on the Dark Web.
There are legal consequences for businesses that lose customer data as well. For example, the General Data Protection Regulation (GDPR) in the European Union imposes heavy fines on companies that expose customer data.
Financial Losses
Businesses can also suffer direct financial losses. If an attacker takes over customer accounts that have stored payment methods, they can make fraudulent purchases that the business usually ends up refunding or charging back.
Where the compromised account is itself a financial account, or the business's own account at a bank or payment provider, the attacker can make unauthorized withdrawals or transfers.
Organizations also lose productivity. If a business's email or single sign-on accounts are taken over and have to be locked down, its employees cannot work until access is restored.
Reputational Damage
Finally, businesses can suffer reputational damage due to credential stuffing attacks. If customers’ personal data is compromised in an attack, they will likely lose trust in the company and take their business elsewhere.
In addition, the business’s competitors could use the attack to their advantage. For example, they could run ads that say, “Don’t worry, we’re not like XYZ Company. We won’t lose your data.”
The Objectives of a Malicious Actor in a Credential Stuffing Attack
A malicious actor’s objective in a credential stuffing attack is to gain access to as many user accounts as possible. Cybercriminals can then exploit these accounts in many ways, including:
- Selling the account information on the Dark Web
- Using the account to commit fraud
- Using the account to spread malware
- Using the account to launch further distributed attacks
To gain access to an account, a cybercriminal must prioritize the following tasks:
Credential Acquisition
First, the actor needs to acquire a list of credentials. They can access credentials through phishing attacks, data breaches, and malware. This is easier than it used to be because there are now many databases of stolen credentials available on the Dark Web.
Credential Validation
The cybercriminal must then validate the credentials to see which pairs are still active. They do this by trying each pair against the target site's login endpoint, and often against several sites, since password reuse is the whole point. How fast they can do this is limited mainly by how many proxies they have before per-IP rate limits and bans kick in, which is why nearly all of them use credential stuffing tools to automate the process.
Endpoint Discovery
An endpoint is simply a URL that leads to a specific resource. In each attack, the actor must identify which endpoints to target. For example, they may want to target the login endpoint of a particular website.
Request Profiling
Additionally, the actor must understand how the login request is structured: which parameters are required, in what format they are submitted (for example, form-encoded or JSON), which headers the site expects, and whether a session cookie or anti-CSRF token has to be fetched first and included.
Payload Development
Once the actor understands the structure of the request, they can start to develop payloads. In this context a payload is not an exploit for a software vulnerability; it is the body of each login request, populated from a list of email addresses (or usernames) and passwords. The same machinery is used with other data, such as stolen credit card numbers for card testing, or other personal data.
The tool generates one request per credential pair and submits them to the target endpoint automatically, then classifies each response. In OpenBullet's terms a response is a SUCCESS (the login worked and the pair is a "hit"), a FAIL (rejected), a BAN (the proxy or client was blocked), or a RETRY (something else, such as a CAPTCHA or a timeout, that needs another attempt). Hits are collected for later use.
Completing the tasks we mentioned above is not difficult, which means that there is a low barrier to entry for credential stuffing attacks. Even entry-level cybercriminals can quickly launch credential stuffing attacks, so it’s crucial for businesses of all sizes to be aware of the threat. Unfortunately, these attacks are likely to continue being a problem until organizations start taking steps to address them.
Attackers can use OpenBullet to automate many of the tasks required to perform a credential stuffing attack. They can configure the tool to work with almost any website or web application. We’ll dive deeper into how OpenBullet works in a bit.
Cybercriminals’ Motivation for Conducting Credential Stuffing Attacks
Although cybercriminals might exploit accounts in different ways when they conduct credential stuffing attacks, they generally all share the same motivation: to make money.
How do they make money, you ask? Well, it all depends on what type of account they’ve managed to gain access to.
For example, if a cybercriminal gains access to a Netflix account, they might sell the login credentials to each account on the Dark Web for a few dollars.
On the other hand, if they gain access to a corporate email account, they could use it to conduct business email compromise attacks or other types of spear phishing attacks.
A spear phishing attack targets a specific individual or organization. They can be challenging to detect, and they’re often more sophisticated than regular phishing attacks because they leverage additional information about a particular company.
In any case, it’s important to remember that cybercriminals are constantly looking for ways to exploit weak and stolen credentials. This is why it’s so important to use strong, unique passwords for every online account and enable two-factor authentication whenever possible.
Evolution of Technology Used in Credential Stuffing Attacks
Cyberattacks become more sophisticated with each year that passes by. The same is true for the technology used in credential stuffing attacks.
Here is a quick overview of how the technology used in credential stuffing attacks has evolved over the years:
Basic BYO Code
In the early days of credential stuffing, attackers would write their own code to automate the process of testing login credentials. This “build your own” (BYO) approach was time-consuming and required a certain level of technical expertise. Therefore, only experienced, well-funded attackers used it. The entry barrier was relatively high, so attacks conducted using this approach were not as common.
Non-Browser Tools (SNIPR, SentryMBA)
As credential stuffing attacks became more common, attackers began to use purpose-built tools. These "non-browser" tools, such as SNIPR and SentryMBA, send raw HTTP requests rather than driving a web browser, which makes them fast but also makes their traffic look unlike a browser's.
SNIPR tests login credentials against a variety of websites and web applications. It is popular among cybercriminals because it is easy to use and can be configured to work with almost any target.
SentryMBA is another widely used tool of the same generation. Like SNIPR, it is driven by per-site configuration files, so the knowledge needed to attack a given site can be packaged once and shared.
New technological advancements enabled even non-technical users to launch credential stuffing attacks. All they needed was a list of stolen credentials and the ability to point the tool at the target’s website. Then, they could sit back and watch as the tool did all the work for them.
Browser Tooling (OpenBullet)
The next evolution in credential stuffing attacks came with "browser tooling." Tools of this kind, OpenBullet among them, can drive a real web browser to perform the login, so the target sees a genuine browser's TLS fingerprint, JavaScript execution, and headers instead of a bare HTTP client.
OpenBullet can send plain HTTP requests or automate browsers such as Google Chrome, Mozilla Firefox, and Microsoft Edge through browser-automation frameworks, and it can be configured to work with almost any website or web application.
Browser tooling has a number of advantages over non-browser tools. It is more difficult for security systems to detect and block, and because it can walk through a multi-step login flow it can be used as part of more sophisticated attacks that defeat 2FA.
As we mentioned earlier, 2FA is a security measure that requires users to provide two forms of authentication when logging in to an account. The most common form of 2FA is a code sent to the user's mobile phone.
But how can a tool get past 2FA? That seems nearly impossible, doesn’t it?
Unfortunately, it is not as difficult as you might think, although the tooling alone does not do it. SMS-based 2FA is only as strong as the phone number it is tied to. If the attacker knows the number associated with a high-value account, they can use a technique called "SIM swapping" (socially engineering the carrier into moving the victim's number to a SIM the attacker controls) to receive the victim's codes and complete the login.
SIM swapping is becoming an increasingly common method of bypassing SMS-based 2FA. It is manual and targeted rather than something that scales to thousands of accounts at once, but it is another example of how credential stuffing operations have evolved beyond simple password replay.
Custom Stealth Tooling
The most sophisticated credential stuffing attacks use “custom stealth tooling.” This type of tooling is specifically designed to evade detection and launch successful attacks.
Custom stealth tooling is often used in targeted attacks against specific organizations. The attackers build a custom-made Stack (in OpenBullet's own terms, a config): a collection of request blocks, parsing rules, and settings tailored to one target.
The Stack is designed to match the organization's exact login flow and slip past whatever bot defenses are in place. The goal is to obtain valid credentials for as many accounts on that site as possible, which the attacker then monetizes or uses as a foothold for further attacks.
How Does OpenBullet Work?
OpenBullet is an application that loads configuration files (the "Stacks" we mentioned; OpenBullet itself calls them configs, and "Stack" is the editor view in which a config's blocks are assembled) that automate sending requests to a website and checking the responses. Used legitimately, it tests whether login credentials are valid, runs automated request testing, and scrapes data; in criminal hands the same features drive credential stuffing and brute-force attacks.
For example, a Stack for Netflix might try a list of email addresses and passwords until it finds one that works. Once a valid set of credentials is found, the attacker can use those credentials to access the victim’s account and abuse it.
How OpenBullet Mimics Human Behavior
OpenBullet is designed to mimic human behavior as closely as possible. It can generate requests that look like they’re coming from a real person, so it can bypass security measures that are designed to detect and block automated attacks.
Here’s how it works:
Using Unique IP Addresses
If a website has rate-limiting in place to prevent too many login attempts from the same IP address, OpenBullet spreads the attempts across many addresses so that no single one exceeds the limit. It cannot forge the source address of a TCP connection; the distinct addresses come from the proxy list described next.
Leveraging Proxy Servers
OpenBullet takes a list of HTTP or SOCKS proxies, often rotating residential proxies, and routes each request through one of them, so each attempt appears to come from a different location and network. This makes it much harder for the website to detect and block the attack by address.
Request Rotation
OpenBullet can also vary the shape and order of its requests so the traffic does not look like one repeating pattern. A Stack can fetch the login page first to pick up cookies and any anti-CSRF token, exactly as a browser would, before posting the credentials; it can retry with different headers or a different proxy when a response looks like a block; and it can switch between plain HTTP and browser-driven blocks for the same step.
By varying its requests this way, OpenBullet makes it much harder for signature-based defenses to pin down and block the attack.
Bypassing CAPTCHA
Despite what you may have heard, CAPTCHA on its own is not an effective defense against credential stuffing, because CAPTCHAs can be solved on the attacker's behalf by services that tools like OpenBullet integrate with.
To get past a CAPTCHA, cybercriminals configure OpenBullet to send the challenge to a CAPTCHA-solving service (human solvers or machine-learning solvers, paid per solve) and insert the returned token into the request, so the attack continues without interruption.
Many of these services also solve audio CAPTCHAs, so offering an audio alternative to the image challenge does not close the gap either.
Avoiding Suspicious Activity Detection
OpenBullet can also be configured to avoid tripping suspicious-activity detection. Criminals can throttle the number of concurrent bots and space out requests so the traffic does not spike in a way that looks automated.
It can also use a different IP address (via the proxy list), User-Agent, and Referer for each request. This makes it much harder for security systems that key on any one of those attributes to detect and block the attack.
Bottom line: OpenBullet is a powerful tool that automates the testing of login credentials and is built to evade security measures designed to detect and block automated attacks. If you are not careful, criminals can use it to take over your users' accounts and abuse them.
How Are Cybercriminals Using It?
Cybercriminals use OpenBullet to automate credential stuffing attacks against various services. In many cases, they use pre-built Stacks readily available online.
In other cases, cybercriminals will create their own Stacks. These custom-made Stacks are often used in targeted attacks against specific organizations. For example, a Stack might be created specifically for the organization’s website. The attacker would then use a list of known or stolen email addresses and passwords to try and gain access to the website.
OpenBullet is also used to attack other types of services, such as online gaming platforms, retail websites, and social media sites. In many cases, the goal is to take over user accounts and use them for malicious purposes. An attacker might use a stolen account to send spam messages, make unapproved purchases, or even commit fraud.
OpenBullet can also attack devices instead of services. For example, an actor might use it to brute-force the login on a router or other type of network device. Once the attacker gains access, they can change the device’s configuration or use it to launch attacks against other devices on the network.
Why OpenBullet is a Popular Choice for Credential Stuffers
With a pre-built Stack, using OpenBullet requires no programming experience or deep technical knowledge. All you need is a list of email addresses and passwords and a proxy list, and you can start launching attacks.
Here are a few reasons why bad actors love using OpenBullet for credential stuffing attacks:
It Works Seamlessly with Puppeteer Headless Browser
OpenBullet can drive Puppeteer, a headless-browser automation library for Chrome, which means the credential stuffing runs in a real browser engine without browser windows popping up on the attacker's machine.
Because the target site's JavaScript actually executes, the tool passes client-side checks that a raw HTTP client would fail, so fewer attempts are rejected before the password is even checked. Combined with a stealth plugin that patches the tell-tale signs of automation (such as the navigator.webdriver flag), a headless browser becomes much harder, though not impossible, for security systems to distinguish from a human's.
It’s Open Source
OpenBullet is open source, meaning anyone can download and use it for free. This makes it very easy for cybercriminals to get their hands on the tool and start using it for attacks. OpenBullet runs on Windows, Linux, and macOS, making it widely accessible.
Did We Mention It’s Free?
In addition to being open source, OpenBullet is free to use. This means that cybercriminals don’t have to spend any money to launch credential stuffing attacks. All they need is a list of email addresses and passwords, and they’re good to go.
It Offers Advanced Customization Using C#
OpenBullet is highly customizable, so bad actors can create custom Stacks designed to attack one particular organization or website.
For example, a Stack can reproduce the site's exact login sequence: the token fetch, the headers a real browser sends, and the strings in the response that distinguish a successful login from a failed one. Traffic that matches the real flow that closely is much harder for security systems to detect and block.
Bad actors can also write C# scripts inside OpenBullet for anything the built-in blocks do not cover, which lets them automate just about any task.
It Supports Multiple Protocols
OpenBullet supports multiple protocols, making it very versatile. It can be used to attack websites, web applications, devices, and more. This makes it a popular choice for launching credential stuffing attacks against a wide range of targets.
It Integrates with Proxy Lists
OpenBullet integrates with proxy lists, so it can rapidly launch attacks from multiple IP addresses. This makes it more difficult for organizations to detect and stop the attacks.
Bad actors can also use VPNs or other types of proxies to hide their identities and make it more challenging for investigators to track them down.
It Also Integrates with CAPTCHA Solvers
OpenBullet also integrates with CAPTCHA solvers, which means bad actors can get past CAPTCHA systems that are designed to stop automated attacks. This makes it even easier to launch credential stuffing attacks, because fewer attempts are blocked before the credentials are even checked.
Cybercriminals can also use CAPTCHA solvers to register new accounts on websites, which can be used for launching other types of attacks or for selling access to the account on the Dark Web.
It Has a User-Friendly Interface
The OpenBullet interface is designed for users of all skill levels, making it a popular choice for launching credential stuffing attacks.
It’s clear why cybercriminals love using OpenBullet for credential stuffing attacks. It’s easy to use, it’s free, and it offers a lot of customization options. This makes it a powerful tool that can be used to launch attacks against a wide range of targets.
There are support communities for OpenBullet where users can share knowledge, tips, and other information about the software. Although many users don’t have malicious intent, some users do share information that can be used for launching attacks. This helps other people learn how to launch attacks and avoid detection. It also helps bad actors keep up with the latest trends in credential stuffing attacks.
The official OpenBullet forum and various Telegram chats are common knowledge-sharing hubs. Additionally, attackers often share stolen credentials on Pastebin and similar sites that make it easy to post long text dumps.
Forums are an easy way for cybercriminals to share knowledge and collaborate on attacks. On the other hand, they’re also an excellent way for security researchers to learn about new attacks and track the latest trends.
How to Stop Credential Stuffing Attacks That Use OpenBullet
If you want to stop credential stuffing attacks, you can’t just install a CAPTCHA on your website and call it a day.
Instead, you need to take a comprehensive approach that includes implementing strong security measures, monitoring your systems for signs of an attack, and having a plan in place for how to respond if an attack does occur.
Here are some of the best ways to stop credential stuffing attacks:
Implement Strong Authentication Measures
One of the best ways to stop credential stuffing attacks from turning into account takeovers is strong authentication: two-factor authentication (2FA) or, more generally, multi-factor authentication (MFA).
You'll want to take steps beyond MFA, though. Some forms of it can already be defeated (SMS codes by SIM swapping, as described above), and MFA does not stop the stuffing traffic itself, which still tells the attacker which passwords are valid and still loads your login endpoint.
Use a Password Manager
A password manager helps users create and store a strong, unique password for every account, which removes the reuse that credential stuffing depends on: a password leaked from one site no longer works anywhere else. On the server side, the complementary control is to reject passwords that already appear in known breach corpora at signup and at password change, so an already-leaked password never gets into your user database in the first place.
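As an added example, not part of the original article or of any vendor's code, the check below screens a candidate password against a breach corpus using the k-anonymity range scheme that services such as Pwned Passwords expose: only the first five hex characters of the password's SHA-1 leave the client, and the client compares the returned suffixes locally. The corpus here is a constructed in-memory stand-in so the code runs offline; swapping local_range_lookup for an HTTP call to the real range endpoint is the only change needed for production.

```python
"""Breached-password screening with a k-anonymity range lookup (added example)."""
import hashlib

# Constructed stand-in for a breach corpus (password -> times seen). A real
# deployment queries a range service instead of holding this in memory.
CONSTRUCTED_CORPUS = {
    "password": 9_000_000,
    "123456": 30_000_000,
    "letmein": 400_000,
    "CorrectHorseBattery1": 1_200,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the encoding the range scheme is defined over."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """5-char prefix -> list of 'SUFFIX:COUNT' lines, the range-API response shape."""
    index = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_CORPUS)


def local_range_lookup(prefix: str):
    """Stand-in for GET /range/<prefix>; returns the response lines for that prefix."""
    return RANGE_INDEX.get(prefix, [])


def breach_count(password: str, range_lookup=local_range_lookup) -> int:
    """How many times the password appears in the corpus (0 if never).

    Only the 5-character prefix is sent to the lookup; the remaining 35
    characters are compared locally, so the service never learns the full hash.
    """
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def acceptable(password: str, min_length: int = 12):
    """Signup / password-change policy: long enough and absent from known breaches."""
    if len(password) < min_length:
        return False, "too short"
    n = breach_count(password)
    if n:
        return False, f"seen {n} times in breaches"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("password", "CorrectHorseBattery1", "zK9!vq2#LmP4rT8w"):
        print(pw, acceptable(pw))
```

The length check runs before the lookup so the service is not consulted for passwords that will be rejected anyway; the lookup function is injectable so the same policy code is testable offline and usable against the live endpoint.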
Monitor Your Systems
You should also monitor your systems for signs of an attack. Here are some red flags to watch out for:
- A sudden increase in failed login attempts, especially for usernames that do not exist
- An increase in account lockouts
- Login attempts from IP addresses or networks (hosting providers, proxy ranges) that your users do not normally come from, and many different usernames tried from a single address
- Unexplained changes to account permissions, passwords, or recovery details
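As an added example, constructed for this article rather than taken from OpenBullet or any product, the script below turns the first three red flags into measurable signals over a batch of login log lines. The log format and the thresholds are assumptions; the sample lines are constructed, with the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges standing in for real clients. It reports the failure ratio, lockouts, addresses that touch many different accounts while rotating their User-Agent on every request (the stuffing signature described in the sections above), any single account hit from many addresses (the brute-force signature), and the accounts that logged in successfully from a flagged address, which is the list you would hand to the response plan.

```python
"""Credential-stuffing signals over login logs (added example, not OpenBullet code)."""
import re
from collections import defaultdict

# Constructed sample, not real traffic. Line format is assumed (hypothetical):
#   <timestamp> <client-ip> POST /login user=<name> status=<code> ua="<user-agent>"
# 200 = success, 401 = bad credentials, 423 = account locked.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 198.51.100.7 POST /login user=alice status=200 ua="UA-desktop-1"
2024-05-01T10:00:09Z 198.51.100.8 POST /login user=bob status=401 ua="UA-desktop-2"
2024-05-01T10:00:15Z 198.51.100.8 POST /login user=bob status=200 ua="UA-desktop-2"
2024-05-01T10:00:40Z 198.51.100.9 POST /login user=carol status=200 ua="UA-mobile-1"
2024-05-01T10:01:00Z 203.0.113.10 POST /login user=u01 status=401 ua="UA-rot-1"
2024-05-01T10:01:00Z 203.0.113.11 POST /login user=u02 status=401 ua="UA-rot-2"
2024-05-01T10:01:01Z 203.0.113.12 POST /login user=u03 status=423 ua="UA-rot-3"
2024-05-01T10:01:01Z 203.0.113.13 POST /login user=u04 status=401 ua="UA-rot-4"
2024-05-01T10:01:02Z 203.0.113.10 POST /login user=u05 status=401 ua="UA-rot-5"
2024-05-01T10:01:02Z 203.0.113.11 POST /login user=u06 status=200 ua="UA-rot-6"
2024-05-01T10:01:03Z 203.0.113.12 POST /login user=u07 status=401 ua="UA-rot-7"
2024-05-01T10:01:03Z 203.0.113.13 POST /login user=u08 status=401 ua="UA-rot-8"
2024-05-01T10:01:04Z 203.0.113.10 POST /login user=u09 status=423 ua="UA-rot-9"
2024-05-01T10:01:04Z 203.0.113.11 POST /login user=u10 status=401 ua="UA-rot-10"
2024-05-01T10:01:05Z 203.0.113.12 POST /login user=u11 status=401 ua="UA-rot-11"
2024-05-01T10:01:05Z 203.0.113.13 POST /login user=u12 status=401 ua="UA-rot-12"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) POST /login user=(?P<user>\S+) '
    r'status=(?P<status>\d{3}) ua="(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse log text into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            events.append(e)
    return events


def analyze(events, fail_ratio_threshold=0.5, users_per_ip_threshold=2,
            ips_per_user_threshold=3):
    """Compute the red-flag metrics for one analysis window (thresholds are hypothetical)."""
    total = len(events)
    failed = sum(1 for e in events if e["status"] != 200)
    lockouts = sum(1 for e in events if e["status"] == 423)
    users_by_ip, uas_by_ip, ips_by_user = defaultdict(set), defaultdict(set), defaultdict(set)
    attempts_by_ip = defaultdict(int)
    for e in events:
        users_by_ip[e["ip"]].add(e["user"])
        uas_by_ip[e["ip"]].add(e["ua"])
        ips_by_user[e["user"]].add(e["ip"])
        attempts_by_ip[e["ip"]] += 1

    # Stuffing signature: one address tries many different accounts ...
    spraying_ips = sorted(ip for ip, users in users_by_ip.items()
                          if len(users) > users_per_ip_threshold)
    # ... and presents a different User-Agent on every request.
    ua_rotating_ips = sorted(ip for ip, uas in uas_by_ip.items()
                             if attempts_by_ip[ip] > 1 and len(uas) == attempts_by_ip[ip])
    # Brute-force signature: one account hit from many addresses.
    targeted_users = sorted(u for u, ips in ips_by_user.items()
                            if len(ips) > ips_per_user_threshold)
    # Accounts that logged in successfully from a flagged address: lock these first.
    flagged = set(spraying_ips)
    hits = sorted({e["user"] for e in events if e["status"] == 200 and e["ip"] in flagged})
    fail_ratio = failed / total if total else 0.0
    return {
        "total": total, "failed": failed, "fail_ratio": fail_ratio, "lockouts": lockouts,
        "spraying_ips": spraying_ips, "ua_rotating_ips": ua_rotating_ips,
        "targeted_users": targeted_users, "hits": hits,
        "suspicious": fail_ratio > fail_ratio_threshold and bool(spraying_ips or targeted_users),
    }


if __name__ == "__main__":
    for key, value in analyze(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

In production you would run analyze over a sliding time window (the timestamp is parsed but unused here) and compare the failure ratio against a per-site baseline rather than a fixed number; the per-address signals are deliberately weak on their own, because a rotating proxy list gives each address only a handful of attempts.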
Have a Response Plan in Place
You should have a plan in place for how to respond if an attack does occur. Your response plan should include the following:
- A way to quickly lock out all compromised accounts
- A process for notifying affected users
- A plan for resetting passwords for all affected accounts
- Steps for reviewing your security measures to determine how the attack occurred and how to prevent it from happening again
Invest in a Bot Mitigation Solution
Investing in a bot mitigation solution is another great way to stop credential stuffing attacks.
A bot mitigation solution can help you detect and block bots before they are able to launch an attack. Additionally, it can rate-limit login attempts and block IP addresses associated with credential stuffing, bearing in mind that with a rotating proxy list the per-IP signal alone is weak.
Why Bot Mitigation is No Longer Optional
In the past, bot mitigation wasn’t always necessary because attacks were small in scale and easy to detect. However, times have changed.
Nowadays, credential stuffing attacks are much more sophisticated and difficult to detect. Additionally, they’re often launched on a much larger scale. This means that even a small percentage of successful attacks can cause serious damage.
For these reasons, bot mitigation is no longer optional. If you want to protect your website and your users, you need to invest in a bot mitigation solution.
How to Choose a Bot Mitigation Solution to Beat OpenBullet
The right bot mitigation solution for your organization will depend on the size of your website, the types of attacks you’re most concerned about, and your budget.
Here are a few important features to look for in a bot mitigation solution:
The Ability to Detect and Block Sophisticated Bots
As we mentioned earlier, credential stuffing attacks are getting more sophisticated. This means that you need a bot mitigation solution that can detect and block even the most sophisticated bots.
The ability to rate-limit login attempts is also important. Limits per account as well as per IP will contain a brute-force attempt on a single account and give you time to respond.
IP address blocking is another feature to look for, with a caveat: because OpenBullet rotates through proxy lists, the same attack arrives from thousands of addresses, so IP reputation and blocking can only ever be one layer of the defense, not its core.
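To make that caveat concrete, here is an added example, written for this article rather than taken from OpenBullet or any bot-mitigation product, of a login limiter that keeps three sliding-window counters: failures per IP, failures per account, and the failure ratio across the whole login endpoint. The thresholds, addresses, and account names are hypothetical. The two simulations show why the first two counters are not enough on their own: a single-source brute force trips the per-account limit after five failures, while an OpenBullet-style run that spends one proxy and one credential pair per attempt never trips either of them and is caught only by the global failure ratio.

```python
"""Layered login rate limiting: per-IP, per-account, and global (added example)."""
from collections import defaultdict, deque


class LoginLimiter:
    """Sliding-window limiter over login attempts.

    Three independent keys (all defaults are hypothetical):
      * failures per IP       -> block the IP
      * failures per account  -> block (or step up) the account
      * global failure ratio  -> challenge everyone once failures dominate
    Timestamps are passed in explicitly so simulations are deterministic.
    """

    def __init__(self, window_s=300, ip_limit=10, account_limit=5,
                 global_min_attempts=50, global_fail_ratio=0.5):
        self.window_s = window_s
        self.ip_limit = ip_limit
        self.account_limit = account_limit
        self.global_min_attempts = global_min_attempts
        self.global_fail_ratio = global_fail_ratio
        self._ip_fail = defaultdict(deque)    # ip -> failure timestamps
        self._acct_fail = defaultdict(deque)  # account -> failure timestamps
        self._global = deque()                # (timestamp, failed) for every attempt

    def _prune(self, dq, now, key=lambda x: x):
        cutoff = now - self.window_s
        while dq and key(dq[0]) < cutoff:
            dq.popleft()

    def check(self, ip, account, now):
        """Return 'allow', 'block:account', 'block:ip', or 'challenge:global'."""
        self._prune(self._acct_fail[account], now)
        if len(self._acct_fail[account]) >= self.account_limit:
            return "block:account"
        self._prune(self._ip_fail[ip], now)
        if len(self._ip_fail[ip]) >= self.ip_limit:
            return "block:ip"
        self._prune(self._global, now, key=lambda e: e[0])
        n = len(self._global)
        if n >= self.global_min_attempts:
            fails = sum(1 for _, failed in self._global if failed)
            if fails / n > self.global_fail_ratio:
                return "challenge:global"
        return "allow"

    def record(self, ip, account, success, now):
        """Record the outcome of an attempt that was allowed through to the password check."""
        self._global.append((now, not success))
        if not success:
            self._ip_fail[ip].append(now)
            self._acct_fail[account].append(now)


def run(limiter, attempts):
    """attempts: iterable of (now, ip, account, success). Returns a count per decision."""
    counts = defaultdict(int)
    for now, ip, account, success in attempts:
        decision = limiter.check(ip, account, now)
        counts[decision] += 1
        if decision == "allow":  # challenged/blocked attempts never reach the password check
            limiter.record(ip, account, success, now)
    return dict(counts)


def single_source_bruteforce(n=20):
    """One IP hammering one account: the per-account limit trips first."""
    attempts = [(float(i), "203.0.113.5", "alice", False) for i in range(n)]
    return run(LoginLimiter(), attempts)


def distributed_stuffing(n=200):
    """n proxies, n distinct accounts, one attempt each, 1 in 20 succeeding:
    per-IP and per-account counters never trip; only the global ratio does."""
    attempts = [(float(i), f"203.0.113.{i}", f"user{i:04d}", i % 20 == 19) for i in range(n)]
    return run(LoginLimiter(), attempts)


def normal_traffic(n=100):
    """Different users each logging in once successfully: nothing trips."""
    attempts = [(float(i), f"198.51.100.{i % 50}", f"user{i:04d}", True) for i in range(n)]
    return run(LoginLimiter(), attempts)


if __name__ == "__main__":
    print("brute force :", single_source_bruteforce())
    print("stuffing    :", distributed_stuffing())
    print("normal      :", normal_traffic())
```

In production the 'challenge' decision is a step-up (CAPTCHA, MFA prompt, or handing the session to a bot-mitigation layer) rather than a hard block, because a global trigger also hits legitimate users for the duration of an attack; the point of the example is that the global signal is the only one of the three that a well-distributed OpenBullet run cannot stay under.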
Scalability
As we mentioned earlier, credential stuffing attacks are often launched at a large scale, especially with OpenBullet, which runs many bots concurrently and spreads them across a proxy list.
You need a bot mitigation solution that can scale to meet your needs. Ideally, you should choose a solution that can be customized to your organization’s specific needs.
Protection for Web, Mobile, and API Channels
Credential stuffing attacks can target any channel, including web, mobile, and API channels.
Choose Kasada as Your Bot Mitigation and Detection Solution
Credential stuffing attacks are a serious threat to any organization. They’re relatively easy to launch and can have devastating consequences, such as data breaches and loss of customer trust.
Kasada is the leading bot mitigation and detection solution that can help you stop credential stuffing attacks. Kasada is designed to detect and block even the most sophisticated bots, rate-limit login attempts, and block IP addresses that are associated with credential stuffing attacks.
Our solution is scalable and can be customized to meet the specific needs of your organization. Kasada protects against attacks on all channels, including web, mobile, and API.
To learn more about how Kasada can help you stop credential stuffing attacks, get started now.