
STORM Cracker/Credential Stuffing Tool - What You Need To Know

By James Billingham / 23rd Aug 2018

Account Takeover at The Click of a Mouse

Account takeover/credential stuffing (referred to as ATO from here on) tools are readily available to download, with the most well-known weapon of choice among hackers being Sentry MBA.

Cracking tools have made ATO attacks extremely easy: even low-tech criminals can profit from automated attacks against any website of their choice with little more than a few mouse clicks. This new and emerging attack vector means unsophisticated actors can compromise your customer accounts with little to no knowledge of traditional hacking techniques.

This, in combination with the proliferation of stolen or leaked databases, has resulted in a recent surge in automated credential stuffing attacks, meaning organisations face round-the-clock threats from attackers.

In this case, all an attacker requires to put any organisation's security and data at risk is a pre-built config for the target, a combo list of emails/usernames and passwords, and a “proxy list” of open proxies to direct traffic through in order to evade IP banning and easy detection by law enforcement. The rest is up to the “cracker” and how willing they are to exploit the accounts they gain access to.

Sentry MBA is now one of the older free tools, with paid-for tools like Snipr alongside it, and many “cracking” forums even advertise free “checkers” custom-built for particular websites. But what is STORM? Does it represent a significant change over the custom checkers and established tools like Sentry MBA, or is it more of the same? This overview aims to answer those questions and more.

Overview of the STORM Cracker tool

The version of STORM used for this analysis is version 2.4, released in March 2018. STORM comes as two executables: a “config” builder GUI that aims to make defining the input files for a particular target easier, and the Storm utility itself, which runs the ATO attacks.

Part #1 - Building an Attack Configuration

The GUI is fairly basic, allowing for loading and saving of the configurations and basic editing of these configs.

In the above screenshot, you can manage, load, edit and save configs, manipulate the behaviour of the attack, and define the URLs and the success and failure keys to be extracted from the website response.

For example, this is a fake config for myecom.com, a commerce-based website. You can see this basic config loads the login form in link1, posts the login in link2 and then loads an offer page in link3 to see whether there are any credits to be exploited.

This is a typical ATO config: log in, go straight to the page with the exploitable aspect and extract how many points, bitcoins, etc. are available to be stolen, all as part of the config. The attacker then gets a list of all the accounts they have taken over and how valuable each is, to either resell or exploit themselves.

These stages are all configured in the tool with a moderate level of sophistication: the tool supports SSL and the proxies required to hide the attacker's IP and distribute the attack across what appear to be many endpoints. The GUI also has some basic tools for escaping/unescaping strings for HTTP communication.

STORM's developers are continuing to develop this config builder GUI, adding further sophisticated control options.

Part #2 - Performing an Attack

The second executable is the tool used to perform the attack: it runs the configs, takes in the combo list of emails/usernames and passwords, and directs the requests through the list of proxies given.

The combo list and proxy list are loaded here, and the timeouts, number of threads, etc. are all configured to run the ATO attack. The “hits”, where a “combo” of user credentials worked on the attacked site, are reported in the UI and written to a folder for the attacker to resell or exploit.

There is a basic debug option here, but again it is less complex than Sentry MBA's: a single “combo” can be entered and the stages of the attack stepped through to see where it fails.

Another feature STORM is missing is CAPTCHA defeat, although Sentry MBA's ability in that regard extends only to simple image-based CAPTCHAs. reCAPTCHA, FunCaptcha and any of the newer, more advanced ones are not automated within Sentry, yet.

For now this is a minor omission, since none of the “cracking” toolsets currently advertised on cracking forums can defeat a complex CAPTCHA. Instead they typically target endpoints that have no CAPTCHA, increasingly mobile interfaces and API endpoints, to verify that the accounts they have stolen work.

TL;DR – Should I be concerned?

Yes.

STORM can bypass DDoS protection offered by some of the leading CDNs.

These CDNs test the “browser” to check that it is a real browser and not an automated tool. STORM's developers do not reveal the approaches they use to bypass these CDN defences, and the implementation is seamless for the attacker using the tool: they just point the tool at a protected URL and it bypasses the protection. The Storm code base does include the open source Noesis Javascript library, which allows for server-side execution of JavaScript, and it is likely this is being used as the basis for this functionality.

The existence of this type of functionality does indicate that the cracking community is aware that JavaScript-based checking like this is a challenge, and that they are starting to work on ways to defeat it, with some success as shown in the case of STORM.

API and mobile application API access points are also targeted.

These tools also find ways to attack beyond website login pages. They exploit interfaces to the target systems that are not accessed via a web browser, such as API endpoints and mobile application APIs/endpoints.

Then, when they have verified that the accounts work, they can manually access them via the web interface and exploit them. As more companies attempt to close off these attack vectors, there will inevitably be pressure to defeat and bypass corporate bot detection systems in these cracking tools.

Future Development and ATO Prevention

Despite being less complex than the more established Sentry MBA, STORM is being actively developed. The community donates to the developers, with each version having a donation target the developer(s) must reach before releasing the tool. As the tool's features and reputation in the online “cracker” community grow, those development donations will continue to rise, fuelling faster tool development.

In the meantime, invest in a dedicated ATO prevention solution. Here at Netacea we use a range of approaches to detect ATO activity. At a simple level, built-in reputational analysis and blacklists of known bad actors can easily weed out the less sophisticated attempts. However, this pool is rapidly shrinking as more complex tools such as STORM are developed and become more widely available.

To address the remaining attacks, Netacea has developed the leading artificial intelligence-based account takeover detection tool currently available. Netacea Intelligence uses advanced machine learning techniques to detect ATO attempts by spotting patterns of behaviour that indicate suspicious activity. This includes spotting indications of an upcoming attack, such as large numbers of fake account creations that can be used to camouflage the real ATO attack, as well as the attacks themselves.
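As an added illustration of the two detection layers just described (a reputational blacklist first, then behavioural signals), and not Netacea's own code, the heuristic below runs over constructed login-log lines and flags the signature of a combo list replayed through a proxy list: many distinct usernames spread thinly across many source IPs with a high failure ratio. The log format, the IP addresses, the blacklist entry and the thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed sample login log ("ts src_ip username method path status"):
# six usernames tried from six proxy IPs, mostly failing; grace is a real user.
SAMPLE_LOG = """\
1000 203.0.113.10 alice POST /login 401
1001 203.0.113.11 bob POST /login 401
1002 203.0.113.12 carol POST /login 200
1003 203.0.113.12 carol GET /offers 200
1004 203.0.113.13 dave POST /login 401
1005 203.0.113.14 erin POST /login 401
1006 203.0.113.15 frank POST /login 401
1007 198.51.100.5 grace POST /login 200
1008 198.51.100.5 grace GET /account 200
"""
KNOWN_BAD_IPS = {"203.0.113.15"}  # constructed reputational blacklist entry

def parse_log(text):
    """Parse the whitespace-separated log format above into dicts."""
    events = []
    for line in text.splitlines():
        ts, ip, user, method, path, status = line.split()
        events.append({"ts": int(ts), "ip": ip, "user": user,
                       "method": method, "path": path, "status": int(status)})
    return events

def blacklist_hits(events, blacklist):
    """Reputational check: source IPs already known to be bad."""
    return {e["ip"] for e in events if e["ip"] in blacklist}

def login_metrics(events):
    """Behavioural signals over the POST /login attempts in a window of events."""
    logins = [e for e in events if e["method"] == "POST" and e["path"] == "/login"]
    users_per_ip = defaultdict(set)
    for e in logins:
        users_per_ip[e["ip"]].add(e["user"])
    failures = sum(1 for e in logins if e["status"] != 200)
    return {
        "attempts": len(logins),
        "distinct_users": len({e["user"] for e in logins}),
        "distinct_ips": len(users_per_ip),
        "failure_ratio": failures / len(logins) if logins else 0.0,
    }

def is_credential_stuffing(m, min_users=5, min_failure_ratio=0.6):
    """Many usernames spread thinly over many IPs and mostly failing is a combo
    list replayed through a proxy list; a single-IP brute force looks different."""
    return (m["distinct_users"] >= min_users
            and m["distinct_ips"] >= min_users
            and m["failure_ratio"] >= min_failure_ratio)
```

Per-IP rate limiting alone misses this traffic, because each proxy IP makes only one attempt; the window-wide metrics are what expose it.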

If you have any questions or would like to learn more about our approach, sign up for a trial, where you can access the Netacea Credential Stuffing and Bot Management dashboard and test it on your live site.
