After seeing a threat actor take over the Gold account of Google's Mandiant division and use it to push a cryptocurrency scam, my interest in this new and growing phenomenon was piqued. That incident was only one of several in recent weeks (HERE).

A new dark market trend
Having a presence on the well-known social media platform formerly known as Twitter (now X) is crucial for building brand recognition and visibility. The weight carried by a tweet bearing the famous blue checkmark is widely acknowledged. Originally the result of a strict verification process, these badges changed after Elon Musk's takeover of Twitter: they can now simply be purchased.
The picture has since evolved further, with X introducing a range of paid features. Organizations can not only buy the standard blue checkmark but can also upgrade their status to the 'Gold' badge for businesses or the 'Grey' badge for non-governmental organizations and government bodies. All three tiers (blue, gold and grey) are available on a monthly subscription.
In the darker corners of underground forums and marketplaces, a dedicated section tracks activity around social media account sales. Recent findings show a surge of posts in these sections in which threat actors actively advertise accounts carrying the Twitter Gold verification. Interestingly, the same advertisements have appeared on Telegram channels, which points to a broader spread of malicious schemes that rely on holding a Twitter Gold account. This growing trend calls for close monitoring in order to anticipate potential abuse.
According to the CloudSEK report (HERE), prices vary within a range depending on the social media platform being sold, the 'badge level' and the number of followers.

Various threat actors operating on both the clear web and the dark web have made claims related to the acquisition of Twitter Gold accounts. Some notable examples:
One actor told our source that they could supply 15 inactive accounts per week, to be upgraded to Gold by the buyer afterwards. That amounts to over 720 accounts a year at USD 35 each, i.e. slightly over USD 500 for a weekly batch of 15 inactive corporate Twitter accounts.
Other advertisements explicitly listed the companies whose accounts were for sale. Depending on the brand and the followers attached to the account, those with a Gold badge were priced between USD 1,200 and USD 2,000.
These deals are brokered by an intermediary acting as escrow, who is responsible for verifying the legitimacy of the accounts offered by sellers and for handling the transfer of funds from the buyer.
Sellers also offer to boost the follower count of the purchased accounts, adding between 30,000 and 50,000 followers for as little as USD 135.
Buyers can add a number of affiliate accounts free of charge. Beyond a certain number of affiliates linked to an existing Gold account, however, the buyer has to pay USD 50 per affiliate. This indicates that the sub-account is linked to, or affiliated with, the primary Gold account on X.
Techniques used
Attackers obtain access to social media accounts in the following ways:
1- Promoters, often individuals, manually create accounts, go through the verification process and sell them as 'ready to use' to their customers. This option is especially attractive to criminals who want an alternate identity that avoids direct attribution of their actions.
2- Attackers brute-force existing accounts, typically by credential stuffing: replaying username and password combinations taken from readily available leaked lists. Cybercrime forums offer a variety of tools and ready-made configurations for free. Well-known tools in this category include OpenBullet, SilverBullet and Sentry MBA.
3- Information-stealing malware (infostealers), operated through a centralized botnet infrastructure, harvests credentials from compromised devices. The stolen data is then filtered and checked according to the buyers' criteria, which may include the account type (personal or corporate), the number of followers, the region the account belongs to, and more.
Sentry MBA
Let's now take a closer look at Sentry MBA, one of the most widely used tools for brute-forcing accounts.

Sentry MBA is an automated tool used by cyber criminals to take over user accounts on major websites. It lets criminals efficiently test the validity of millions of username and password pairs against a chosen target site. The tool has gained considerable traction: the Shape Security research team has seen Sentry MBA attack attempts against nearly every website under its protection.
Whereas cybercriminals once needed a solid grasp of web technologies to mount online attacks, Sentry MBA reduces the process to a point-and-click graphical user interface. This accessibility, together with online support forums and thriving underground marketplaces, has democratized cybercrime, allowing a much broader range of people to take part without advanced technical skills, specialized equipment or insider knowledge.
Sentry MBA includes features that defeat common web application defenses. It can get around preventive controls such as IP blacklists and rate limiting by routing the attack through proxies, spreading the attempts across a large number of IP addresses. It can also evade detective controls such as referrer checks by setting the 'Referer' header to whatever value the target expects. At the heart of every Sentry MBA attack are 'combo' lists: files of username and password pairs.
The tool exploits the widespread habit of password reuse. When the combo list contains credentials that were valid on other sites and were obtained through breaches or phishing, the attack is called 'credential stuffing'. This remains a prevalent threat: Verizon's 2015 Data Breach Investigations Report identified the use of stolen credentials as the most common attack action against web applications.
Credential stuffing attacks are hard to mitigate, mainly because they target parts of the user interface, such as login pages, that by design are open to all web traffic. In one notable case, attackers using Sentry MBA targeted the stored-value (gift) card system of a major retailer: automated traffic accounted for more than 91% of the visits to the company's login page. Despite following well-established web security practices, the company lost more than $25 million a year to online fraud.
Breakdown of a Sentry MBA attack
1. Targeting and refining the attack
A Sentry MBA attack begins with configuring the tool to understand the details of the target's login page. A dedicated 'config' file holds the key elements: the login page URL, markers for navigating the form, and the rules for what constitutes a valid password. Working configs for many websites are readily available on forums devoted to this activity. Once a basic working config is obtained, attackers use Sentry MBA's built-in tools to refine and validate it against the live target site. This includes tuning the tool to recognize the key strings in the site's responses that indicate a successful or failed login attempt, and to overcome CAPTCHA challenges either through optical character recognition or through a database of known CAPTCHA images and their solutions.
2. Automated account checking
With a tuned config in place, automated account checking can start. The attacker only needs to load a 'combo' file (usernames and passwords) and a 'proxy' file into Sentry MBA to launch the attack. Combo files of stolen usernames and passwords can be obtained from many sources on the dark web and the open web. Proxy files, listing the machines through which Sentry MBA routes its requests to hide the source of the attack, are just as easy to obtain. Proxies are essential for subverting common application security measures such as IP reputation filtering and rate limiting. Compromised machines used as proxies change frequently, which makes IP blacklists ineffective, and because the login attempts appear to come from a multitude of distinct machines, per-IP rate limits are never triggered.
3. Cashing out
Once valid credentials are in hand, cybercriminals look for ways to monetize them. One common tactic is to transfer the balance of stored-value gift cards from compromised accounts onto cards controlled by the attacker. Platforms such as giift.com, giftcardzen.com and cardpool.com can then be used to convert the fraudulent cards into cash or goods.
In short, a Sentry MBA attack is a well-orchestrated process: refine the config, automate account checking with combo files and proxies, and finally cash out the credentials obtained. It shows how mature credential stuffing attacks have become and why robust defenses are needed to counter them.
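As an added example (not code from the original post, and not part of Sentry MBA or of Shape Security's tooling), the following Python script shows the defensive side of the two evasion points made above: a per-IP failure counter sees nothing when every proxy makes a single attempt, while aggregate signals over a time window (failure rate, share of usernames unknown to the site, one User-Agent behind nearly every attempt) still expose the run. The log format, the hypothetical site shop.example, the user list and every log line are constructed for this example, and the thresholds are illustrative.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed log line format used in this example (not any real product's format):
#   <timestamp> <src_ip> user=<name> ua="<user-agent>" referer="<url>" result=OK|FAIL
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) user=(?P<user>\S+) '
    r'ua="(?P<ua>[^"]*)" referer="(?P<ref>[^"]*)" result=(?P<result>OK|FAIL)$'
)


@dataclass(frozen=True)
class Event:
    ts: str
    ip: str
    user: str
    ua: str
    referer: str
    ok: bool


def parse(lines):
    """Parse log lines into Events; malformed lines are dropped, not guessed at."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(Event(m["ts"], m["ip"], m["user"], m["ua"], m["ref"], m["result"] == "OK"))
    return events


# --- constructed sample data (hypothetical site, users and traffic) ------------
KNOWN_USERS = {"alice", "bob", "carol", "dave", "erin"}  # stands in for the account database
LOGIN_URL = "https://shop.example/login"
BROWSERS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/121.0",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_2) Safari/605.1.15",
    "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0.0.0",
]
BOT_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"  # one static UA for every attempt

# Normal traffic: known users, a couple of typos, distinct IPs and browsers.
_baseline = [("alice", "OK"), ("bob", "OK"), ("carol", "FAIL"), ("carol", "OK"), ("dave", "OK"),
             ("erin", "OK"), ("bob", "OK"), ("alice", "FAIL"), ("alice", "OK"), ("dave", "OK")]
BASELINE = [
    f'2024-01-10T10:00:{i:02d}Z 203.0.113.{10 + i} user={u} ua="{BROWSERS[i % 3]}" '
    f'referer="{LOGIN_URL}" result={r}'
    for i, (u, r) in enumerate(_baseline)
]

# Credential stuffing: a combo list replayed through 40 proxies, one attempt per IP.
# The Referer is set to the value the site expects, so a referrer check passes.
COMBO = [f"leaked{n:03d}" for n in range(1, 39)] + ["carol", "dave"]  # 38 foreign names, 2 hits
ATTACK = [
    f'2024-01-10T10:01:{i:02d}Z 198.51.100.{i + 1} user={u} ua="{BOT_UA}" '
    f'referer="{LOGIN_URL}" result={"OK" if u in KNOWN_USERS else "FAIL"}'
    for i, u in enumerate(COMBO)
]


def per_ip_rate_limit(events, max_failures=5):
    """Naive defense: block an IP after max_failures failed logins.
    Returns the IPs that would be blocked; with one attempt per proxy it blocks nothing."""
    fails = Counter(e.ip for e in events if not e.ok)
    return {ip for ip, n in fails.items() if n >= max_failures}


def window_stats(events, known_users):
    """Aggregate signals over a time window that a proxy pool cannot dilute."""
    n = len(events)
    if n == 0:
        return {"attempts": 0, "failure_rate": 0.0, "attempts_per_ip": 0.0,
                "unknown_user_rate": 0.0, "top_ua_share": 0.0}
    ips = Counter(e.ip for e in events)
    uas = Counter(e.ua for e in events)
    return {
        "attempts": n,
        "failure_rate": sum(not e.ok for e in events) / n,
        "attempts_per_ip": n / len(ips),                      # ~1.0 under a proxy pool
        "unknown_user_rate": sum(e.user not in known_users for e in events) / n,
        "top_ua_share": uas.most_common(1)[0][1] / n,         # tool monoculture
    }


def is_credential_stuffing(stats, min_attempts=20, max_failure_rate=0.5,
                           max_unknown_rate=0.5, max_ua_share=0.9):
    """Flag the window when volume is meaningful and at least two signals trip.
    Thresholds are illustrative; tune them against your own baseline traffic."""
    if stats["attempts"] < min_attempts:
        return False
    tripped = [
        stats["failure_rate"] > max_failure_rate,
        stats["unknown_user_rate"] > max_unknown_rate,
        stats["top_ua_share"] > max_ua_share,
    ]
    return sum(tripped) >= 2


if __name__ == "__main__":
    events = parse(BASELINE + ATTACK)
    print("per-IP rate limit would block:", per_ip_rate_limit(events) or "nothing")
    stats = window_stats(events, KNOWN_USERS)
    for k, v in stats.items():
        print(f"{k:>18}: {v:.2f}" if isinstance(v, float) else f"{k:>18}: {v}")
    print("credential stuffing suspected:", is_credential_stuffing(stats))
```

Run it directly to print the window statistics for the mixed traffic. The Referer is deliberately not used as a signal, because the tool sets it to whatever the target expects; the User-Agent is attacker-controlled as well, which is why the rule requires two independent signals rather than any single one.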
Final Thoughts
In conclusion, the continuously evolving cyber threat landscape demands a sustained commitment to understanding and countering the approaches adopted by attackers. We are witnessing a troubling trend: the growth of a new dark market phenomenon that exploits the paid badges introduced a year ago as bait for unwary users. The subtlety of these tactics underscores the need for greater awareness and proactive security measures.
At the same time, cybercrime is seeing a marked increase in the adoption of automation tools and methodologies. This pushes malicious actors to a new level of sophistication, letting them efficiently target a large number of victims. Together these trends highlight the dynamic nature of the security landscape, in which adversaries constantly adjust and refine their techniques.
In response, the security community must remain alert, using state-of-the-art technology and collaboration to keep pace with evolving threats. With a proactive and adaptable approach we can collectively strengthen our defenses and limit the impact of these threats on individuals, organizations and the digital ecosystem as a whole.
However, being a target does not mean being a victim; stay tuned and stay informed.
If you want to dig deeper into Cyber Threat Intelligence, you can subscribe HERE.
For this post, I used AI to refine my text into more coherent English.
