Upon witnessing a malevolent actor seizing control of Google’s Mandiant division’s X account and promoting a cryptocurrency hoax, my interest was piqued regarding this fresh prevalent phenomenon. This incident was merely one in a series of occurrences in recent weeks (HERE).

An emerging dark-market trend
Having a presence on the platform formerly known as Twitter (now X) matters for brand recognition and visibility, and the weight carried by a tweet bearing the coveted blue verification badge is widely acknowledged. The badge was originally tied to a strict identity-verification process; after Elon Musk’s takeover of Twitter, it became something that could simply be bought.
The scheme has since grown into a range of premium features. Organizations can obtain not only the standard blue checkmark but also the ‘Golden’ label for companies and the ‘Silver’ identifier for non-governmental organizations and government entities. All three tiers (blue, golden and silver) are sold on a monthly subscription.
On dark web forums and marketplaces, a dedicated research team tracks activity related to social media account trading. Recent reports show a surge of posts in these circles in which threat actors sell accounts carrying Twitter Golden verification. Similar advertisements have appeared on Telegram channels, suggesting that abuse built around owning a Twitter Golden account is spreading widely. The trend warrants close monitoring so that the resulting abuse can be caught early.
According to the CloudSEK analysis (HERE), prices vary with the social media platform, the “badge tier” and the follower count.

A range of threat actors operating across the open and the dark web claim to be able to supply Twitter Golden accounts. Notable examples include:
One actor told our source that they offer 15 dormant accounts per week, which the buyer then converts into golden subscriptions. That is over 720 accounts a year at USD 35 each, or slightly over USD 500 for a batch of 15 inactive corporate Twitter accounts.
Other advertisements explicitly listed the companies whose accounts were for sale. Depending on the brand and the follower base attached to the account, those that came with a golden badge were priced between USD 1200 and USD 2000.
The transactions are handled by an intermediary who verifies the legitimacy of the sellers’ accounts and oversees the transfer of funds from the buyer.
Sellers also offer to boost the follower count of the purchased accounts, adding between 30,000 and 50,000 followers for as little as USD 135.
Buyers may add several associated accounts at no cost. Once the number of affiliates linked to an existing X golden account exceeds a set limit, however, the buyer must pay USD 50 per affiliate. This indicates that each sub-account is tied to the primary X Golden account.
Methods used
Attackers use the following methods to gain access to social media accounts:
1- Marketers, often individuals, manually create accounts, put them through the verification process and sell them as ‘ready to use’ to their clients. This is attractive to criminals who want an alternate identity while avoiding direct attribution of their activities.
2- Cybercriminals brute-force existing accounts using generic username and password combinations taken from freely available lists. Cybercrime forums offer a variety of tools and ready-made configurations at no cost; notable tools in this category include OpenBullet, SilverBullet and SentryMBA.
3- Information-stealing malware operating within a centralized botnet harvests credentials from compromised devices. The collected data is then validated against the buyers’ requirements, which may include account type (personal or corporate), follower count, geographic region and more.
Sentry MBA
Let’s look more closely at Sentry MBA, one of the most widely used tools for account brute-force and credential stuffing attempts.

Sentry MBA is an automated tool used by attackers to take over user accounts on major websites. It lets criminals efficiently test the validity of large numbers of usernames and passwords against a chosen target site. The tool is widely used: the Shape Security research team has observed Sentry MBA attack attempts against nearly every website it protects.
Where online attacks once required the attacker to master web technologies, Sentry MBA simplifies the process with an intuitive graphical user interface. That accessibility, together with online support forums and thriving underground marketplaces, has lowered the barrier to entry: a much wider pool of people can take part without advanced technical skill, special equipment or insider knowledge.
Sentry MBA includes features designed to get around common web application defenses. It can defeat preventive controls such as IP blacklists and rate limiting by spreading the attack across many IP addresses via proxies, and it can evade detective controls such as referrer checks by setting the “Referer” header to an arbitrary value. At the core of every Sentry MBA attack is a “combo” list of usernames and passwords.
The tool exploits how widely people reuse passwords. When the combo list consists of credentials that were valid on other sites and were exposed through data breaches or phishing, the attack is called “credential stuffing.” It remains a prevalent threat: Verizon’s 2015 data breach report identified stolen credentials as the most common attack vector against web applications.
Credential stuffing is hard to mitigate largely because it targets user-facing components such as login pages, which by design are open to all Internet traffic. In one notable case, attackers using Sentry MBA targeted the stored-value card program of a major retailer, and automated traffic made up over 91% of the requests to the company’s login page. Despite following established security best practices, the company suffered online fraud losses exceeding $25 million a year.
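Credential stuffing only works when the password a user chose on the target site is one that already leaked elsewhere, so the cheapest mitigation is to refuse such passwords at registration and password-change time. The following is an added example, not code from the original post or from any product it mentions. It mirrors the shape of a k-anonymity range query (the client sends only the first five hex characters of the password’s SHA-1, receives every matching suffix, and compares locally), which is how the Have I Been Pwned “Pwned Passwords” API works, but it runs entirely offline against a constructed breach corpus; the corpus contents, the `range_lookup` function and the policy thresholds are assumptions of this example.

```python
"""Reject passwords that already appear in a breach corpus (added example)."""
import hashlib

# Constructed stand-in for a breached-password corpus. A real deployment
# would query a service or a local copy of a published corpus instead.
CONSTRUCTED_BREACH_CORPUS = {"password123", "letmein", "qwerty", "Summer2023!"}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password; SHA-1 is used only for lookup, never for storage."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix: str, corpus=CONSTRUCTED_BREACH_CORPUS) -> set:
    """Simulated range endpoint: all corpus hash suffixes sharing the 5-char prefix.

    The caller reveals only the prefix, so the service cannot learn which
    password (or even which full hash) is being checked.
    """
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return {h[5:] for h in map(sha1_hex, corpus) if h[:5] == prefix}


def is_breached(password: str) -> bool:
    """True if the password's hash appears in the (simulated) breach corpus."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


def password_policy_errors(username: str, password: str, min_len: int = 12) -> list:
    """Return the reasons a candidate password is rejected; an empty list means accepted."""
    errors = []
    if len(password) < min_len:
        errors.append(f"shorter than {min_len} characters")
    if username and username.lower() in password.lower():
        errors.append("contains the username")
    if is_breached(password):
        errors.append("found in a known breach corpus")
    return errors


if __name__ == "__main__":
    for user, pw in [("alice", "letmein"), ("brandshop", "brandshop2024!"),
                     ("alice", "correct horse battery staple 7!")]:
        print(user, pw, "->", password_policy_errors(user, pw) or "accepted")
```

The breach check complements, rather than replaces, multi-factor authentication: it removes the passwords a combo list is most likely to contain, while MFA limits the damage when a reused password slips through anyway.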
Breakdown of a Sentry MBA Attack
1. Targeting and Refinement of the Attack
A Sentry MBA attack begins with configuring the tool to understand the target’s login page. A dedicated “config” file holds the essentials: the login page URL, the form field identifiers and rules for constructing valid passwords. Working configurations for many websites are easy to find on forums devoted to this activity. Starting from a basic working config, attackers use Sentry MBA’s tooling to refine and test the setup against the live target. That includes teaching the tool which keywords in the site’s responses indicate a successful or failed login, and defeating CAPTCHA challenges through optical character recognition or a database of known CAPTCHA images and answers.
2. Automated Checking of Accounts
With an optimized config in hand, automated account checking follows. The attacker only needs to feed Sentry MBA a “combo” file (usernames and passwords) and a “proxy” file to start the attack. Combo files, lists of stolen usernames and passwords, are available from many sources on the darknet and the open web. Proxy files, listing computers through which Sentry MBA routes its traffic to hide the attack’s origin, are equally easy to obtain. Proxies are central to evading common application defenses such as IP reputation filtering and rate limiting: the compromised computers used as proxies change constantly, so IP blacklists are ineffective, and login attempts appear to come from a large number of different machines, so per-IP rate limiting never triggers.
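Because proxies defeat per-IP controls, detection has to look at the shape of login traffic as a whole rather than at any single source. The following is an added example, not code from the original post or from Sentry MBA or Shape Security; it assumes a simple constructed log format of `timestamp ip username OK|FAIL` (the IP addresses are RFC 5737 documentation ranges) and thresholds chosen for the sample. It surfaces three signals described above: one IP walking a combo list of many usernames, one account hit from many IPs, and a proxy-distributed campaign in which each IP makes only one or two failing attempts. It also lists the successful logins from a flagged source, which are the credentials the attacker now holds and the accounts a defender should reset first.

```python
"""Credential-stuffing signals over web login logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: str
    ip: str
    user: str
    ok: bool


# Constructed sample log; the format and every value are assumptions of this example.
SAMPLE_LOG = """\
2024-01-10T10:00:01Z 203.0.113.5 alice FAIL
2024-01-10T10:00:02Z 203.0.113.5 bob FAIL
2024-01-10T10:00:02Z 203.0.113.5 carol FAIL
2024-01-10T10:00:03Z 203.0.113.5 dave FAIL
2024-01-10T10:00:03Z 203.0.113.5 erin FAIL
2024-01-10T10:00:04Z 203.0.113.5 frank OK
2024-01-10T10:00:10Z 198.51.100.1 brandshop FAIL
2024-01-10T10:00:11Z 198.51.100.2 brandshop FAIL
2024-01-10T10:00:11Z 198.51.100.3 brandshop FAIL
2024-01-10T10:00:12Z 198.51.100.4 brandshop FAIL
2024-01-10T10:00:12Z 198.51.100.5 brandshop FAIL
2024-01-10T10:00:13Z 198.51.100.6 brandshop FAIL
2024-01-10T10:05:00Z 192.0.2.9 alice OK
2024-01-10T10:06:00Z 192.0.2.9 alice FAIL
"""


def parse_log(text):
    """Parse 'timestamp ip username OK|FAIL' lines; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue
        events.append(LoginEvent(parts[0], parts[1], parts[2], parts[3] == "OK"))
    return events


def analyze(events, max_users_per_ip=5, max_ips_per_user=5,
            max_success_ratio=0.25, min_distributed_ips=5):
    """Return suspicious IPs, targeted accounts, a campaign flag and credential hits."""
    users_by_ip = defaultdict(set)
    counts_by_ip = defaultdict(lambda: [0, 0])   # ip -> [attempts, successes]
    ips_by_user = defaultdict(set)
    successes = []
    for e in events:
        users_by_ip[e.ip].add(e.user)
        counts_by_ip[e.ip][0] += 1
        if e.ok:
            counts_by_ip[e.ip][1] += 1
            successes.append((e.ip, e.user))
        ips_by_user[e.user].add(e.ip)

    # Signal 1: one source cycling through many usernames with almost no successes.
    stuffing_ips = sorted(
        ip for ip, users in users_by_ip.items()
        if len(users) >= max_users_per_ip
        and counts_by_ip[ip][1] / counts_by_ip[ip][0] <= max_success_ratio
    )
    # Signal 2: one account attacked from many different sources.
    targeted_accounts = sorted(
        u for u, ips in ips_by_user.items() if len(ips) >= max_ips_per_user
    )
    # Signal 3: many sources that each fail once or twice, i.e. attempts spread over proxies.
    low_volume_failing = [ip for ip, (n, ok) in counts_by_ip.items() if n <= 2 and ok == 0]
    distributed_campaign = len(low_volume_failing) >= min_distributed_ips
    # Successful logins from a flagged source are credentials the attacker has confirmed.
    hits = sorted((ip, u) for ip, u in successes if ip in stuffing_ips)
    return {
        "stuffing_ips": stuffing_ips,
        "targeted_accounts": targeted_accounts,
        "distributed_campaign": distributed_campaign,
        "credential_hits": hits,
    }


if __name__ == "__main__":
    for key, value in analyze(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The per-account and global counters are what matter when the attacker has proxies: a step-up control (CAPTCHA or MFA) keyed on the targeted account and on the site-wide failure ratio keeps working when each proxy only ever makes a single attempt.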
3. Monetization Strategy
Once valid credentials are in hand, the criminals look for ways to cash out. A common tactic is to transfer the balances of stored-value gift cards from compromised accounts to cards the criminal controls. Platforms such as giift.com, giftcardzen.com and cardpool.com then convert the fraudulent cards into cash or merchandise.
In short, Sentry MBA chains the steps together: refining a configuration, automating account checks with combo files and proxies, and finally letting criminals profit from the compromised credentials. The process shows how mature credential stuffing attacks have become and why robust countermeasures are necessary.
Closing Thoughts
To sum up, the constantly changing threat landscape demands a continuous effort to understand and counter attacker tactics. A troubling new dark-market trend is emerging, one that exploits the paid verification badges introduced a year ago as bait for unsuspecting users. The subtlety of these schemes calls for greater awareness and proactive security measures.
At the same time, cybercrime is adopting automation tools and techniques at a growing pace, which raises attackers’ sophistication and lets them target large numbers of victims efficiently. Together, these trends show how adversaries keep adapting and improving their methods.
In response, the security community must stay vigilant and use advanced technology and collaboration to keep ahead of evolving threats. A proactive, adaptable approach lets us collectively strengthen our defenses and limit the impact of these attacks on individuals, organizations and the wider digital ecosystem.
However, becoming a target does not equate to becoming a victim. Stay informed and stay tuned.
For more insights on Cyber Threat Intelligence, you can choose to subscribe HERE.
For this post, I harnessed the power of AI to refine my text into a more polished English format.
