How OpenBullet is used and abused by cybercriminals
What is OpenBullet?
OpenBullet is a testing suite of software allowing users to perform requests on a target web application. The open source tool can be found on GitHub and is used by businesses for various legitimate purposes including scraping and parsing data and automated penetration testing.
Although designed to aid security professionals, in the wrong hands OpenBullet can be abused for the opposite purpose. Since mid-2019, when it overtook Sentry MBA as the most popular tool for credential stuffing and fake account creation, OpenBullet has been steadily gaining popularity with cybercriminals.
How to use OpenBullet as a developer
OpenBullet was originally released in April 2019 on GitHub as a penetration testing tool intended for security researchers.
OpenBullet allows a user to import prebuilt configuration files, or “configs”, for each website to be tested. These OpenBullet configs can be modified as needed, a necessary feature since websites tend to make slight adjustments to their user experience to counter credential stuffing attempts.
The tool has its own dedicated forum offering the latest version of OpenBullet but cautioning against using it for credential cracking. However, cracking tutorials on YouTube, cracking communities, and hacking forums instruct users how to use OpenBullet configs for malicious purposes like account takeover.
The decline of Sentry MBA and the rise of OpenBullet
For a while, Sentry MBA was the most popular and widely used credential stuffing tool, and the most recognizable in credential stuffing attacks and subsequent account fraud. Like most tools of its type, it has a user interface that allows the uploading of base credential lists and proxies, and a screen where results are logged.
Other similar tools developed by adversaries to execute credential stuffing and account fraud include:
- Private Keeper
- Account Hitman
In cracking communities, users have commented that OpenBullet surpasses Sentry MBA and the other tools listed above because their config files are outdated, with few people still making config files for those tools. While configs for Sentry MBA and other tools can still be found within such communities, there has been an uptick in OpenBullet configs for sale on cracking forums. These include configs for popular websites and services such as Netflix and Microsoft Azure.
How OpenBullet is abused by cybercriminals for credential stuffing
While OpenBullet seems on the surface to be a useful tool for developers, how do cybercriminals use OpenBullet to execute account fraud?
Adversaries are becoming far more advanced with the tools they use to execute account fraud. We have moved to a world where credentials are readily available online, even on public-facing forums and social media, making credential stuffing ever easier, cheaper and more profitable for attackers. The shift to mass remote working has exacerbated this activity, as more personal information and sensitive documents are stored in the cloud.
What is credential stuffing?
A credential stuffing attack is a type of cyber-attack where hackers use stolen or leaked username and password pairs to gain access to user accounts. The term “credential stuffing” is used because the attackers are literally stuffing (i.e., submitting) the stolen credentials into login pages and other registration forms on multiple sites to gain access to accounts.
Cybercriminals started using OpenBullet as a standalone credential stuffing tool in 2019. The tool is now regularly used for various account takeover purposes across various targeted industries. Like many other credential stuffing tools, OpenBullet requires certain inputs to operate and test a targeted web or mobile application, such as a configuration file, wordlist and target URL. And, like other tools, its success relies upon the prevalence of password reuse.
Why is OpenBullet appealing to cybercriminals?
According to Digital Shadows, OpenBullet was mentioned 35% more than other credential stuffing tools, including Sentry MBA, across online criminal venues between January and June 2020. Its popularity is largely down to its ability to customize existing configs and its open source status, which means it is:
- Free to download and use
- Regularly updated with new features
- Sparing in its CPU usage
- Simple to use for those new to the tool
- Supported by an active, dedicated community
OpenBullet in action
We now know in theory how OpenBullet is used by adversaries with malicious intent, but how does this work in practice?
Luckily for hackers, OpenBullet is a user-friendly yet highly advanced tool. Adversaries input the URL they wish to hack, load in the relevant config and add a list of credentials taken from the dark web.
There are dozens of advanced controls, such as setting the cookies needed to pass through the login page or changing proxy settings, and a run can even be scheduled for a designated time so the operator can walk away and let the requests run unattended.
Once “Start” is pressed, OpenBullet fires thousands of username and password combinations to the desired website, reporting in seconds whether the requests were successful or not. The credentials that provided a successful match are then used manually to crack into accounts to commit online fraud.
The results can be sent to a Discord server or URL, and can even include captured cookies so adversaries can return to a website and browse as if they had logged in. The highly configurable, fast and advanced features of OpenBullet make it a breeding ground for credential stuffing.
Many organizations still rely on outdated security solutions which are ineffective against OpenBullet.
Another problem is that bot detection solutions require protection to be in place for every entry point. If even one entry point or API is left exposed, criminals will eventually find it by methodically testing endpoints, for example with OpenBullet.
Sophisticated bot detection uses machine learning to prevent credential stuffing by tools like OpenBullet. By focusing on analyzing the behavior of the bots rather than the credentials alone, malicious attempts are stopped while genuine login attempts are prioritized.
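A minimal behavioural check of the kind described above, covering both the definition of credential stuffing given earlier and the detection point here, as an added example that is not from the page or from any Netacea product: it reads constructed login log lines (the log format, field names and thresholds are assumptions) and flags sources that cycle through many distinct usernames at machine pace with a high failure ratio, while a genuine user who mistypes a password a couple of times is left alone.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login events (not real traffic). The first source tries six
# different usernames in three seconds and gets one hit, which is what a
# credential stuffing run looks like; the second is one person mistyping a password.
SAMPLE_LOG = """\
2020-06-01T10:00:00Z ip=203.0.113.5 user=alice result=fail
2020-06-01T10:00:01Z ip=203.0.113.5 user=bob result=fail
2020-06-01T10:00:01Z ip=203.0.113.5 user=carol result=fail
2020-06-01T10:00:02Z ip=203.0.113.5 user=dave result=success
2020-06-01T10:00:02Z ip=203.0.113.5 user=erin result=fail
2020-06-01T10:00:03Z ip=203.0.113.5 user=frank result=fail
2020-06-01T10:05:00Z ip=198.51.100.7 user=grace result=fail
2020-06-01T10:05:20Z ip=198.51.100.7 user=grace result=fail
2020-06-01T10:05:45Z ip=198.51.100.7 user=grace result=success
"""

def parse_line(line):
    """Parse 'timestamp key=value ...' into a dict (assumed log format)."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def stuffing_sources(log_text, min_users=5, min_fail_ratio=0.7, max_mean_gap_s=1.0):
    """Return {ip: stats} for sources whose behaviour matches credential stuffing:
    many distinct usernames, a high failure ratio and a machine-like pace.
    A stray success does not clear a source; stuffing runs expect a few hits."""
    per_ip = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set(), "ts": []})
    for line in log_text.splitlines():
        r = parse_line(line)
        s = per_ip[r["ip"]]
        s["attempts"] += 1
        if r["result"] == "fail":
            s["fails"] += 1
        s["users"].add(r["user"])
        s["ts"].append(r["ts"])
    flagged = {}
    for ip, s in per_ip.items():
        span = (max(s["ts"]) - min(s["ts"])).total_seconds()
        mean_gap = span / max(s["attempts"] - 1, 1)   # seconds between attempts
        fail_ratio = s["fails"] / s["attempts"]
        if (len(s["users"]) >= min_users and fail_ratio >= min_fail_ratio
                and mean_gap <= max_mean_gap_s):
            flagged[ip] = {"attempts": s["attempts"], "distinct_users": len(s["users"]),
                           "fail_ratio": round(fail_ratio, 2), "mean_gap_s": round(mean_gap, 2)}
    return flagged

if __name__ == "__main__":
    print(stuffing_sources(SAMPLE_LOG))
```

In production the same per-source statistics would be computed over a sliding window and combined with signals such as proxy rotation across many IPs, which a single-IP view like this one cannot see.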
Professionalization of hackers means OpenBullet abuse is getting worse
“Just as legitimate software developers find success through creating user-friendly programs and offering regular updates and user support, so do the bad guys.”
– Matthew Gracey-McMinn, Head of Threat Research at Netacea, quoted in Infosecurity Magazine.
Tools like OpenBullet make illegal hacking simple, cheap and accessible. The professionalization of hacking groups and the dark web has enabled a new generation of amateur hackers that can disrupt businesses without extensive technical knowledge, using open source, user-friendly tools.
As credential stuffing is accessible to anyone online, every business is at risk of attack. For businesses, investing in security solutions able to defend against tools like OpenBullet is essential for remaining secure.