According to Verizon's latest annual data breach study, last year "63% of confirmed data breaches involved leveraging weak/default/stolen passwords." In many cases, intruders rely on reused, stolen or default passwords to launch credential stuffing attacks against organizations of all sizes.

Most users' password hygiene leaves much to be desired: end-users stubbornly continue to use weak or default passwords, and password reuse across multiple applications remains a widespread phenomenon. Password reuse in particular has serious implications for security, because an attacker who steals someone's credentials once can use them to get into every other account where the same password was used.

The number of compromised user credentials being sold, traded and shared on hacking forums, online marketplaces and the Dark Web is staggering. 2016 was especially rife in this regard, with millions of user credentials stolen in numerous high-profile breaches. To name just two, the Dropbox breach resulted in 68 million compromised user credentials, and 200 million login/password combinations ended up on the Dark Web after the latest Yahoo! breach.

The ease with which data flows across digital channels puts an alarming amount of users' personal information at risk. Individuals are not the only ones who suffer when their credentials are compromised: those same credentials are routinely turned against organizations, as a way of probing and exploiting weaknesses in their cyber defenses.

One method cybercriminals use to steal personal information is the credential stuffing attack. It works just as it sounds: using a cracking tool such as the widely available Sentry MBA, an attacker tests, or "stuffs", a large number of stolen credentials against an application's login form, in the hope that some of them match a legitimate account, which the attacker then takes over.

Credential stuffing gives hackers yet another way to turn weak spots in your cybersecurity to their advantage. Because Sentry MBA is freely and widely available, extremely effective and easy to operate, it is bound to remain the weapon of choice until the attackers using it can be stopped.

Crackers Aren't Hackers, But They Are Dangerous Nonetheless

"Cracking" is the act of obtaining unauthorized access to a computer system without the owner's permission or knowledge. Cracking doesn't require extensive hacking knowledge and capability, but rather persistence and the dogged repetition of tricks that exploit common weaknesses in the targeted system.

Professional hackers with advanced knowledge and skills consider crackers to be less educated versions of themselves, and refer to them as "script kiddies" or "newbies" because they do not create their own attack tools: they 'simply' steal or buy ready-made cracking tools for malicious intent or personal gain. There are many crackers out there, but the good news is that they are easier to identify and stop than hackers.

The Sentry MBA tool itself is easily accessible online. Dark Web forums show crackers searching for lessons and tips of the trade, and they are just one place where crackers can also easily obtain "configs", the per-site settings files that adapt Sentry MBA to an attack against a specific website. Aside from being free, widely available and modular, Sentry MBA has gained popularity because of its user-friendly interface. It is also extremely effective, because it is common for people to reuse the same credentials across multiple applications. In a recent interview with TechCity, Facebook CSO Alex Stamos claimed that password reuse represents the biggest security risk to individuals and organizations online; according to Stamos, advanced attacks against organizations usually start with phishing or reused passwords. A cracker can't go wrong with Sentry MBA: it's free, easy to use, efficient and effective, and it takes full advantage of weak, default and reused passwords.

Sentry MBA has built-in functions to evade traditional login-form security controls such as IP rate limits and blacklists (it spreads its attempts across a list of proxies so that no single source address stands out), and it can bypass third-party security controls that a targeted website might use.

Two-factor authentication (2FA) is an effective defence against stuffing attacks, because a matching password on its own no longer grants access. However, it is frequently not a feasible option, as there are significant deployment and usability impacts to consider. CAPTCHA is another control frequently used to stop stuffing tools. However, there are services that will bypass even the stronger forms of CAPTCHA at a ridiculously low price (some of them use actual humans to solve the challenges by hand).

Crackers Exploit a Vulnerability for Credential Stuffing

Sentry MBA relies on the target's lack of restrictions against automated attacks such as credential stuffing. It exploits improper control of interaction frequency (CWE-799) and improper enforcement of a single, unique action (CWE-837). This weakness is also known as Insufficient Anti-Automation, and it occurs when a web application lets an attacker automate a process that was designed for manual, human use, such as submitting a login form, without any limit on how often or how fast it can be repeated.

The Open Web Application Security Project (OWASP) describes credential stuffing as an emerging threat. It is one of the most common attacks on web and mobile applications, and it can breach sites that have no traditional security vulnerabilities at all, because every request it sends is a well-formed, legitimate-looking login attempt. These attacks put at risk both consumers, as the owners of the compromised accounts, and organizations, as the providers of the web applications.

Here’s how a credential stuffing attack unfolds:

1. A cracker obtains dumps of leaked credential combinations from paste sites, file-sharing sites or underground marketplaces. Hundreds of millions of stolen user credentials are cheaply available to anyone interested in feeding them into a stuffing tool.

2. The cracker uses Sentry MBA to test the credential combinations against the target's online login page.

3. Each successful login lets the cracker take over the account that matches the stolen credentials.

4. The cracker drains the stolen accounts of stored value, credit card numbers and other personally identifiable information.

5. The threat actor then sells the stolen account information or uses it for other malicious purposes.
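The first three steps above, together with the interaction-frequency weakness described under the previous heading, simulated end to end. This is an added example written for this page; it is not Sentry MBA's code and not CyberInt's. The leaked dump, the target's user table, the proxy addresses and the per-IP sliding-window limit are all constructed assumptions for the illustration.

```python
"""Simulated credential stuffing run: an added illustration, not CyberInt's
code and not Sentry MBA itself. The leaked dump, the target's user table and
the IP addresses are all constructed for the example."""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# Constructed "dump" from some unrelated breached site: (email, password).
LEAKED_DUMP = [
    ("alice@example.com", "Summer2016!"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "correct horse battery staple"),
    ("dave@example.com", "P@ssw0rd"),
    ("erin@example.com", "letmein1"),
    ("frank@example.com", "qwerty123"),
]


def _hash(password: str, salt: bytes) -> bytes:
    # The target stores salted PBKDF2 hashes. Stuffing never cracks them;
    # it only needs users who reused the password from the leaked site.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def build_target_users() -> dict:
    """Constructed user table for the target site: three of the leaked users
    reused their password here, two chose a different one, one has no account."""
    chosen = {
        "alice@example.com": "Summer2016!",        # reused
        "bob@example.com": "hunter2",              # reused
        "carol@example.com": "different-pass-42",  # not reused
        "dave@example.com": "P@ssw0rd",            # reused
        "erin@example.com": "unrelated-Fj3k",      # not reused
    }
    users = {}
    for email, pw in chosen.items():
        salt = os.urandom(16)
        users[email] = (salt, _hash(pw, salt))
    return users


class LoginService:
    """Toy login endpoint. With max_attempts=None it has no control of
    interaction frequency, the weakness Sentry MBA relies on. Otherwise each
    source IP gets at most max_attempts tries per window_seconds (assumed
    hypothetical control; real deployments also limit per account)."""

    def __init__(self, users, max_attempts=None, window_seconds=60):
        self.users = users
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.attempts = defaultdict(deque)  # ip -> timestamps of recent tries

    def login(self, ip: str, email: str, password: str, now=None) -> str:
        now = time.time() if now is None else now
        if self.max_attempts is not None:
            recent = self.attempts[ip]
            while recent and now - recent[0] > self.window:
                recent.popleft()
            if len(recent) >= self.max_attempts:
                return "rate_limited"
            recent.append(now)
        record = self.users.get(email)
        if record is None:
            return "fail"
        salt, stored = record
        if hmac.compare_digest(_hash(password, salt), stored):
            return "ok"
        return "fail"


def stuff(service: LoginService, dump, proxy_ips, start=0.0):
    """Replay the leaked combos against the target one per second, rotating
    through the attacker's proxy IPs the way a stuffing tool does.
    Returns (accounts taken over, number of attempts that were rate-limited)."""
    hits, limited = [], 0
    for i, (email, password) in enumerate(dump):
        result = service.login(proxy_ips[i % len(proxy_ips)], email, password,
                               now=start + i)
        if result == "ok":
            hits.append(email)
        elif result == "rate_limited":
            limited += 1
    return hits, limited


if __name__ == "__main__":
    users = build_target_users()
    one_ip = ["203.0.113.5"]
    three_ips = ["203.0.113.5", "203.0.113.6", "203.0.113.7"]
    # No frequency control: every reused password is a takeover.
    print(stuff(LoginService(users), LEAKED_DUMP, one_ip))
    # Two tries per IP per minute, single source: most attempts are refused.
    print(stuff(LoginService(users, max_attempts=2), LEAKED_DUMP, one_ip))
    # Same limit, but the tool spreads six attempts over three proxies.
    print(stuff(LoginService(users, max_attempts=2), LEAKED_DUMP, three_ips))
```

Run stand-alone, it prints three results: against the unprotected service all three reused passwords yield account takeovers; a limit of two attempts per IP per minute refuses four of the six tries coming from a single address; and the same limit lets all six through once the tool spreads them over three proxies. That last result is why a per-IP rate limit on its own does not stop Sentry MBA, and why the limit needs to be applied per target account and per time window as well.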

Stuffing Attacks Can Be Detected and Stopped

Instructions on how to use Sentry MBA aren't limited to underground Dark Web communities. A simple search on YouTube turns up dozens of how-to videos, and a quick search on Twitter or Facebook reveals threat actors sharing their Sentry MBA "config" files or dumps of stolen credentials.

It's no wonder credential stuffing attacks are pervasive, and tools like Sentry MBA make them especially easy and cheap. Unfortunately, many organizations can't distinguish such an attack from regular login activity; many don't even know that credential stuffing and Sentry MBA exist. There are ways to detect and mitigate credential stuffing attacks, and if you want to learn how, download the CyberInt whitepaper "Sentry MBA: A Tale on the Most Widespread Used Credential Stuffing Attack Tool."
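One way to tell a stuffing run from regular login activity, shown as an added example that is not CyberInt's method and is not taken from the whitepaper. The log format, the thresholds and the sample log lines are constructed for the illustration. The first rule looks at each source address on its own; the second exists because of the proxy rotation described earlier, which makes each individual source look harmless.

```python
"""Credential-stuffing detection over login logs: an added illustration, not
CyberInt's method and not taken from the whitepaper. The log format, the
thresholds and the sample lines are all constructed for the example."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed log: normal traffic at 10:00, a burst from one IP at 10:01
# (many distinct usernames, mostly failures), then the same kind of burst
# at 10:05 spread across eight proxies with one attempt each.
SAMPLE_LOG = """\
2016-11-02T10:00:01Z src=198.51.100.10 user=alice result=ok
2016-11-02T10:00:05Z src=198.51.100.11 user=bob result=fail
2016-11-02T10:00:09Z src=198.51.100.11 user=bob result=ok
2016-11-02T10:00:12Z src=198.51.100.12 user=carol result=ok
2016-11-02T10:01:00Z src=203.0.113.5 user=u001 result=fail
2016-11-02T10:01:01Z src=203.0.113.5 user=u002 result=fail
2016-11-02T10:01:02Z src=203.0.113.5 user=u003 result=fail
2016-11-02T10:01:03Z src=203.0.113.5 user=u004 result=ok
2016-11-02T10:01:04Z src=203.0.113.5 user=u005 result=fail
2016-11-02T10:01:05Z src=203.0.113.5 user=u006 result=fail
2016-11-02T10:05:00Z src=203.0.113.20 user=u101 result=fail
2016-11-02T10:05:01Z src=203.0.113.21 user=u102 result=fail
2016-11-02T10:05:02Z src=203.0.113.22 user=u103 result=fail
2016-11-02T10:05:03Z src=203.0.113.23 user=u104 result=fail
2016-11-02T10:05:04Z src=203.0.113.24 user=u105 result=ok
2016-11-02T10:05:05Z src=203.0.113.25 user=u106 result=fail
2016-11-02T10:05:06Z src=203.0.113.26 user=u107 result=fail
2016-11-02T10:05:07Z src=203.0.113.27 user=u108 result=fail
"""

# Assumed log format: ISO-8601 UTC timestamp, then src=, user=, result=ok|fail.
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(ok|fail)$")


def parse(log_text: str):
    """Return (timestamp, src_ip, username, success) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts.replace(tzinfo=timezone.utc),
                       m.group(2), m.group(3), m.group(4) == "ok"))
    return events


def flag_sources(events, min_users=5, min_fail_ratio=0.8):
    """Rule 1: one source trying many distinct usernames with mostly failures.
    A user mistyping their own password hits one username repeatedly;
    a stuffing tool walks a list of accounts and fails on most of them."""
    users, attempts, fails = defaultdict(set), Counter(), Counter()
    for _, src, user, ok in events:
        users[src].add(user)
        attempts[src] += 1
        if not ok:
            fails[src] += 1
    return sorted(src for src in attempts
                  if len(users[src]) >= min_users
                  and fails[src] / attempts[src] >= min_fail_ratio)


def flag_windows(events, window_seconds=60, min_attempts=5, min_fail_ratio=0.6):
    """Rule 2: Sentry MBA rotates through proxies, so each source may show a
    single innocent-looking attempt. Aggregate per time window instead: a burst
    of mostly-failed logins across many usernames is stuffing whatever the
    source addresses look like. Returns the start (HH:MM UTC) of flagged windows."""
    buckets = defaultdict(list)
    for ts, _, user, ok in events:
        buckets[int(ts.timestamp()) // window_seconds].append((user, ok))
    flagged = []
    for bucket, evs in sorted(buckets.items()):
        n = len(evs)
        fails = sum(1 for _, ok in evs if not ok)
        distinct = len({user for user, _ in evs})
        if n >= min_attempts and distinct >= min_attempts and fails / n >= min_fail_ratio:
            start = datetime.fromtimestamp(bucket * window_seconds, tz=timezone.utc)
            flagged.append(start.strftime("%H:%M"))
    return flagged


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("suspicious sources:", flag_sources(evs))  # only the 10:01 burst
    print("suspicious windows:", flag_windows(evs))  # both bursts
```

On the sample log the per-source rule catches only the single-IP burst at 10:01; the eight proxies used at 10:05 each make one attempt and look like eight ordinary users who forgot their password. The per-window rule catches both bursts, because the tool cannot hide the shape of the run (many distinct usernames, a high failure ratio, in a short time) by changing where the requests come from. The thresholds here are assumptions; in practice they are tuned against the site's normal failure rate.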