Blog | 28th Jan 2022 / 13:42

How OpenBullet is used and abused by cybercriminals

Yasmin Duggal, Cybersecurity Content Specialist

What is OpenBullet? 

OpenBullet is a web testing suite that lets users send requests to a target web application. The open source tool can be found on GitHub and is used by businesses for various legitimate purposes, including scraping and parsing data and automated penetration testing.

Although designed to aid security professionals, in the wrong hands OpenBullet can be abused for the opposite purpose. Since mid-2019, OpenBullet has been gaining popularity with cybercriminals, taking over from Sentry MBA as the most popular tool for credential stuffing and fake account creation.

How to use OpenBullet as a developer 

OpenBullet was originally released in April 2019 on GitHub as a penetration testing tool intended for security researchers.

OpenBullet allows a user to import prebuilt configuration files, or “configs”, for each website to be tested. These OpenBullet configs can be modified as needed, a necessary feature since websites tend to make slight adjustments to their user experience to counter credential stuffing attempts.

The tool has its own dedicated forum offering the latest version of OpenBullet but cautioning against using it for credential cracking. However, cracking tutorials on YouTube, cracking communities, and hacking forums instruct users how to use OpenBullet configs for malicious purposes like account takeover.

The decline of Sentry MBA and the rise of OpenBullet 

For a while, Sentry MBA was the most popular and widely used credential stuffing tool, and the most recognizable in credential stuffing attacks and subsequent account fraud. Like most tools of its type, it has a user interface that allows the uploading of base credential lists and proxies, and a screen where results are logged.

Other similar tools developed by adversaries to execute credential stuffing and account fraud include:

  • Vertex
  • SNIPR
  • Private Keeper
  • Account Hitman
  • BlackBullet

In cracking communities, users have commented that OpenBullet surpasses Sentry MBA and the others listed above because their config files are outdated, with few people still making config files for those tools. While configs for Sentry MBA and other tools can still be found within such communities, there has been an uptick in OpenBullet configs for sale on cracking forums. These include configs for popular websites and services such as Netflix and Microsoft Azure.


How OpenBullet is abused by cybercriminals for credential stuffing 

While OpenBullet seems on the surface to be a useful tool for developers, how do cybercriminals use OpenBullet to execute account fraud?

Adversaries are becoming far more advanced with the tools they use to execute account fraud. We have moved to a world where credentials are readily available online, even on public-facing forums and social media, making credential stuffing ever easier, cheaper and more profitable for attackers. The shift to mass remote working has exacerbated this activity, as more personal information and sensitive documents are stored in the cloud.

What is credential stuffing?

A credential stuffing attack is a type of cyber-attack where hackers use stolen or leaked username and password pairs to gain access to user accounts. The term “credential stuffing” is used because the attackers are literally stuffing (i.e., submitting) the stolen credentials into login pages and other registration forms on multiple sites to gain access to accounts. 

Cybercriminals started using OpenBullet as a standalone credential stuffing tool in 2019. The tool is now regularly used for various account takeover purposes across a range of targeted industries. Like many other credential stuffing tools, OpenBullet requires certain inputs to operate and test a targeted web or mobile application, such as a configuration file, a wordlist and a target URL. And, like other tools, its success relies upon the prevalence of password reuse.

Why is OpenBullet appealing to cybercriminals? 

According to Digital Shadows, OpenBullet was mentioned 35% more than other credential stuffing tools including Sentry MBA across online criminal locations between January and June 2020. Its popularity is largely down to its ability to customize existing configs and its open source status, which means it is:

  • Free to download and use
  • Regularly updated with new features
  • Sparing in its CPU usage
  • Simple to use for those new to the tool
  • Supported by an active, dedicated community

OpenBullet in action 

We now know in theory how OpenBullet is used by adversaries with malicious intent, but how does this work in practice?

Luckily for hackers, OpenBullet is a user-friendly yet highly advanced tool. Adversaries input the URL they wish to hack, load in the relevant config and add a list of credentials taken from the dark web.

There are dozens of advanced controls, such as setting the cookies needed to pass through the login page or changing proxy settings, and a run can even be scheduled for a designated time so the operator can go away and let the requests run unattended.

Once “Start” is pressed, OpenBullet fires thousands of username and password combinations to the desired website, reporting in seconds whether the requests were successful or not. The credentials that provided a successful match are then used manually to crack into accounts to commit online fraud.

Figure: How OpenBullet is used by cybercriminals to execute a credential stuffing attack

The results can be sent to a Discord server or URL, even logging cookies so adversaries can go back to a website and browse as if they had logged in. The highly configurable, fast and advanced features of OpenBullet make it a breeding ground for credential stuffing.

OpenBullet vs. JavaScript-based bot detection 

Many organizations still rely on outdated security solutions which are ineffective against OpenBullet.

For example, OpenBullet now has built-in CAPTCHA and JavaScript bypass features. Standard bot detection tools try to detect automated attacks by injecting JavaScript code into the monitored web application and collecting signals. The JavaScript code is exposed by web inspection tools and is easily seen by attackers, who can then work out how to get around it.

Another problem is that bot detection solutions require protection to be in place for every entry point. If even one entry point or API is left exposed, criminals will eventually find it by methodically testing endpoints, for example with OpenBullet.

Sophisticated bot detection uses machine learning to prevent credential stuffing by tools like OpenBullet. By analyzing the behavior of the bots, malicious attempts are stopped while genuine login attempts are prioritized.
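The two passages above (what credential stuffing looks like in login traffic, and why detection should focus on behavior rather than on client-side JavaScript that attackers can inspect) can be made concrete with server-side heuristics over the login log itself. The following Python is an added example written for this page; it is not Netacea's product logic and not part of OpenBullet. The log format, the log lines, the IP addresses and the thresholds are all constructed assumptions for illustration. It looks for two behavioral patterns: a single source cycling through many usernames with a high failure rate, and a distributed pattern where many sources each make only one or two failing attempts in the same window, which is what proxy rotation produces.

```python
"""Heuristic credential-stuffing detection over a login-attempt log.

Added example for this page, not Netacea's or OpenBullet's code. The log
format is constructed: ISO-8601 timestamp, source IP, username, OK/FAIL.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log. 198.51.100.7 is a user who mistypes a password
# twice; 203.0.113.5 cycles through many accounts from one address;
# 192.0.2.11-16 each try a single account once (rotating-proxy pattern).
SAMPLE_LOG = """\
2022-01-28T13:40:00Z 198.51.100.7 alice FAIL
2022-01-28T13:40:09Z 198.51.100.7 alice FAIL
2022-01-28T13:40:20Z 198.51.100.7 alice OK
2022-01-28T13:41:00Z 203.0.113.5 alice FAIL
2022-01-28T13:41:01Z 203.0.113.5 bob FAIL
2022-01-28T13:41:01Z 203.0.113.5 carol FAIL
2022-01-28T13:41:02Z 203.0.113.5 dave FAIL
2022-01-28T13:41:02Z 203.0.113.5 erin OK
2022-01-28T13:41:03Z 203.0.113.5 frank FAIL
2022-01-28T13:41:03Z 203.0.113.5 grace FAIL
2022-01-28T13:41:04Z 203.0.113.5 heidi FAIL
2022-01-28T13:42:10Z 192.0.2.11 ivan FAIL
2022-01-28T13:42:11Z 192.0.2.12 judy FAIL
2022-01-28T13:42:12Z 192.0.2.13 mallory FAIL
2022-01-28T13:42:13Z 192.0.2.14 niaj FAIL
2022-01-28T13:42:14Z 192.0.2.15 olivia FAIL
2022-01-28T13:42:15Z 192.0.2.16 peggy FAIL
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": stamp, "ip": ip, "user": user, "ok": result == "OK"})
    return events


def bucket_events(events, window_seconds=60):
    """Group events into fixed windows keyed by the window's epoch start."""
    buckets = defaultdict(list)
    for ev in events:
        key = int(ev["ts"].timestamp()) // window_seconds * window_seconds
        buckets[key].append(ev)
    return buckets


def source_stats(bucket):
    """Per-source attempt count, failure count and distinct usernames."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for ev in bucket:
        s = stats[ev["ip"]]
        s["attempts"] += 1
        if not ev["ok"]:
            s["failures"] += 1
        s["users"].add(ev["user"])
    return stats


def flag_sources(events, window_seconds=60, min_attempts=5, min_users=4, min_fail_ratio=0.7):
    """Single-source pattern: many distinct usernames, mostly failing, in one window.

    A legitimate user retrying their own password hits one username and few
    attempts, so the distinct-username floor keeps them out of the result.
    """
    flagged = set()
    for bucket in bucket_events(events, window_seconds).values():
        for ip, s in source_stats(bucket).items():
            if (s["attempts"] >= min_attempts
                    and len(s["users"]) >= min_users
                    and s["failures"] / s["attempts"] >= min_fail_ratio):
                flagged.add(ip)
    return flagged


def flag_distributed(events, window_seconds=60, min_failures=5, min_ips=5, max_per_ip=2):
    """Distributed pattern: failures spread across many low-volume sources.

    Returns (window start, total failures, quiet failing sources) for each
    window where the per-IP rule above would see nothing suspicious.
    """
    hits = []
    for start, bucket in sorted(bucket_events(events, window_seconds).items()):
        stats = source_stats(bucket)
        failures = sum(s["failures"] for s in stats.values())
        quiet = [ip for ip, s in stats.items()
                 if s["attempts"] <= max_per_ip and s["failures"] > 0]
        if failures >= min_failures and len(quiet) >= min_ips:
            hits.append((datetime.fromtimestamp(start, timezone.utc), failures, len(quiet)))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("single-source stuffing:", sorted(flag_sources(evs)))
    for start, fails, ips in flag_distributed(evs):
        print(f"distributed stuffing at {start:%H:%M}: {fails} failures from {ips} quiet sources")
```

The thresholds are placeholders and have to be tuned against the site's own baseline of failed logins, and the distributed rule only works because it looks at the whole window rather than at one address at a time, which is the point the text makes about behavior-based detection: a rotating proxy pool defeats per-IP rate limits but not a global view of failure volume. Real deployments layer further behavioral signals on top (inter-request timing, device consistency, account-side anomalies), and a flagged source should feed a step-up or challenge decision rather than an outright block, so that a false positive costs a genuine user a little friction rather than access.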

Professionalization of hackers means OpenBullet abuse is getting worse 

“Just as legitimate software developers find success through creating user-friendly programs and offering regular updates and user support, so do the bad guys.”

Matthew Gracey-McMinn, Head of Threat Research at Netacea, quoted in Infosecurity Magazine.

Tools like OpenBullet make illegal hacking simple, cheap and accessible. The professionalization of hacking groups and the dark web has enabled a new generation of amateur hackers that can disrupt businesses without extensive technical knowledge, using open source, user-friendly tools.

As credential stuffing is accessible to anyone online, every business is at risk of attack. For businesses, investing in security solutions able to defend against tools like OpenBullet is essential for remaining secure.


Yasmin Duggal is a technical writer at Netacea specializing in cybersecurity. In her current role in the marketing team, she works closely with the Threat Research team to produce detailed yet accessible content on the latest trends within bot management and the wider cybersecurity landscape. In her previous position at a cloud hosting company, she gained experience working with professionals from across the tech industry.