My motto — as my colleagues will attest — is:

If it’s not documented it doesn’t exist

Let’s make the term exist.

Exploring the world of cybercrime, I note the differing jargon used by developers, sysadmins and (pen)testers when describing a threat landscape. If you search for “brute checker” you won’t come across a single news article or even a Wikipedia page giving you a centralised definition. (Okay, I just created a shitty redirect, but my point stands.) So what’s a brute checker and why should you care? We’ll need a few components.

Check account existence

You might think, having purchased a bunch of accounts and passwords hot off the darknet, that you’d be ready to start logging in to them, but that would be a mistake. Instead you want to validate that the account exists at all with a ‘username enumeration’ approach. There are a number of ways of doing this:

Attempt ‘forgotten password’

Automate a registration with the email address in question

Many other metadata validation methods.

Twitter, for example, offers a simple web parameter to check whether an email address is already registered:

https://twitter.com/users/email_available?email=zuck%40fb.com

Don’t forget to mail zuck. ;)

Once you’ve confirmed the account exists — something typically less secured and rate limited — you can test a login.

Actual login checker

Unlike a more dynamic worm-type configuration, a login checker is a script that has been customised to test the login for a specific website.

To log in to a very basic website you may only need to make an HTTP POST with a username and password. Modern logins are much more complex, featuring site and session cookies, captchas and sometimes browser calculations, because nearly all sites don’t want automated logins; that’s what they have APIs for.

Developers and testers, make your website logins easy for humans using browsers and hard for scripts if you want to increase the attacker’s costs here. If your average cybercrook could do this, they would likely be better off getting a job as a junior web developer, and thus there is a commercial market for these scripts.

Sometimes it’s easier to circumvent the web interface altogether, such as testing login via IMAP in the case of email services.

Circumventing network security

So we’ve developed or purchased a relatively sophisticated login script. It can verify registration, break captchas, deal with dynamic elements and is customised to do just enough work to test if an account is working. Let’s now add some multi-threading (running lots of these in parallel) so we can perform a credential stuffing attack against a given website. However, for major websites, multiple successful or unsuccessful logins will lead to your IP being quickly banned. Requests will be subject to IP rate-limiting either natively or via security add-ons like Cloudflare.

This is where the ‘brute’ part of the checker comes in, not because of a similarity with a brute-force attack, but because of the force necessary to overcome this common defense strategy. At this point you’re expected to bring-your-own-proxy-network. There are many strategies for acquiring such a network:

Write crawlers to regularly harvest and test open proxy listing websites (and yes, there are scripts for this)

Rent a farm of proxies from an underground crime forum or market

Build your own proxy farm via distributing malware and compromising machines

Abuse services like major web hosting platforms which provide lots of IP address space if you know how to get at it efficiently. [December 2018 update — 4 months after Amazon refused to fix this, Amazon blocked domain fronting, bastards]
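
Added example (not from the original post): once attempts are spread over a proxy network a per-IP limiter has nothing to count, so this Python code looks at each time window site-wide instead and flags windows where many distinct accounts fail at once. The event tuples, the documentation-range addresses and the thresholds are constructed assumptions, not values from any real site.

```python
from collections import Counter, defaultdict

def build_sample():
    """Constructed login events: (unix_ts, source_ip, username, success)."""
    events = []
    # Ordinary traffic: ten successful logins and one user retrying a typo.
    for i in range(10):
        events.append((1200 + i * 5, f"192.0.2.{i + 1}", f"user{i}", True))
    events.append((1212, "192.0.2.50", "alice", False))
    events.append((1220, "192.0.2.50", "alice", True))
    # Stuffing run in the next minute: 40 accounts, one attempt each, every
    # request from a different proxy address, one credential pair valid.
    for i in range(40):
        events.append((1260 + i, f"198.51.100.{i + 1}", f"victim{i}", i == 17))
    return events

def per_ip_offenders(events, window=60, limit=5):
    """Classic per-IP limiter: IPs with more than `limit` attempts per window."""
    counts = Counter((ts // window, ip) for ts, ip, _, _ in events)
    return {ip for (_, ip), n in counts.items() if n > limit}

def flag_windows(events, window=60, min_accounts=20, min_fail_ratio=0.9):
    """Site-wide view: windows where many distinct accounts fail at once.
    Thresholds are illustrative; tune them against your own baseline."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[ev[0] // window].append(ev)
    flagged = []
    for bucket, evs in sorted(buckets.items()):
        failed_accounts = {user for _, _, user, ok in evs if not ok}
        fail_ratio = sum(not ok for *_, ok in evs) / len(evs)
        if len(failed_accounts) >= min_accounts and fail_ratio >= min_fail_ratio:
            flagged.append({
                "window_start": bucket * window,
                "attempts": len(evs),
                "failed_accounts": len(failed_accounts),
                "source_ips": len({ip for _, ip, _, _ in evs}),
                "fail_ratio": round(fail_ratio, 3),
            })
    return flagged

if __name__ == "__main__":
    sample = build_sample()
    print("per-IP limiter flags:", per_ip_offenders(sample))
    for hit in flag_windows(sample):
        print("site-wide anomaly:", hit)
```

On the constructed sample the per-IP limiter flags nothing, while the site-wide check flags the one minute in which 39 different accounts failed from 40 different addresses.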

Putting it together

With the appropriate login checker and proxy lists to call upon, crooks can turn a single password breach into multiple account breaches, and clean out dozens of accounts within hours of the compromise.

The product for sale? A site-customised brute-checker that can churn through thousands of stolen accounts and credentials in no time.

This one was customised for eBay

The most laudable part about the distribution of brute checkers is that they often contain viruses, so we have that.

Don’t do crimes kids.