Photo by on Joan Gamell Unsplash Account Takeover, known also as ATO, is one of the most popular trends today in the dark web scene. It occurs when threat actors get access to a user’s credentials on a specific site, application or service for malicious purposes. Once access is gained, additional data leaks and unauthorized access can continually occur. According to Imperva, 34% of all login attempts to accounts are by malicious actors, and websites suffer ATO attacks approximately 16% of the time. Account Takeover Tools and Methods Malicious actors have a few tools and methods they use to implement their attacks. In every known hacking forum it’s possible to find sections dedicated to the sharing of leaked accounts that could be used for ATO. But before they can share these leaked accounts, they need to get access to a user’s account details. Malicious actors have a few tools and methods they use to gain this access. Two main methods malicious actors use for account takeover are: * - An example of a manual method is by accessing      stolen databases shared on different dark web hacking forums and marketplaces. Manual methods * - The more popular way to execute an ATO attack is using automated tools.  In general, the purpose of those automated tools is to gain access to the required account on the required site. To get access to those accounts, the actor is using a combination of both credentials he acquired and the automated tool that helps him to check the validity of those credentials in the targeted site. Automated methods Every month Webhose crawls hundreds of thousands of posts from areas of the dark web where it’s possible to find millions of leaked or cracked accounts from different websites. The graph below shows the number of posts we crawl each month from these sections. Number of posts crawled related to leaks or cracked accounts (Open image in new tab to enlarge) Naturally, malicious actors tend to focus on a few specific tools for their attacks. We will focus on two of the most popular tools we have found in our crawling of the dark web and messaging platforms: OpenBullet and BlackBullet. Open Bullet One of the most popular tools that has appeared in the last two years is OpenBullet,  a website testing software suite that allows users to perform requests on a target web application. This tool was initially intended as a testing tool for security professionals. Black Bullet Another popular tool is BlackBullet, originally created by a few different threat actors.  This tool uses different methods than OpenBullet, limiting the number of user requests to the attacked site to avoid detection. To use those tools successfully, it is needed to have more technical data such as proxies or configuration kits for the targeted site. OpenBullet user interface Actor selling a Forever 21 configuration kit Those configuration kits, also known as configs, are often offered by actors on various hacking forums and different . Based on our investigations in the Cyber Endpoint, we were able to discover the most active user specializing in ATO crimes. dark web marketplaces Spotlight on Dark Web Actor HOSEEN HOSEEN Actor Name: Sharing the leaked accounts and different tools and kits for ATO fraud Main Focus: English and Arabic Languages: At least since mid-2019 Time Active on Dark Web: Telegram, cracked.to and other hacking forums, Discord, Shoppy Sources of Activity: Webhose collects a lot of data related to ATO and the different tools such as OpenBullet from different hacking forums and chat applications groups and channels. As part of our crawling we have managed to detect high-profile actors related to ATO crimes on the dark web. One of the most active actors we found with a connection to ATO goes by the username HOSEEN. Our research found that HOSEEN’s main focus is the sharing of leaked accounts and different tools and kits for ATO fraud and that he is active in both English and Arabic. HOSEEN has been active in the dark web scene since the beginning of 2019. Later on he started to operate his own Telegram channels and be active on different hacking forums. He started his activity by sharing different tools and datasets that could be used for ATO. HOSEEN can be found operating on different well-known hacking forums such as cracked.to. He also operates some very popular Telegram channels and groups that have a clear connection to ATO threats. HOSEEN also has a Discord server and a Shoppy profile where he sells different illicit products that can later be used for malicious usage. The channels and groups operated by HOSEEN, each with hundreds to thousands of followers, can be categorized into different topics. For example, HOSEEN operates a channel dedicated to the sharing of configurations, proxies and datasets specifically for the OpenBullet tool. He also operates a separate channel that is dedicated to the sharing of leaked accounts. List of Telegram groups and channels operated by HOSEEN The graph below shows the number of posts Webhose crawled that were authored by HOSEEN and the activity in his Telegram groups and channels. The spike we see in April occurred after Webhose added these specific channels to the coverage. Number of posts crawled authored by HOSEEN (Open image in new tab to enlarge) Leverage Data to Mitigate Account Takeover Crimes The most common sector targeted by ATO attacks is the computing and IT sector, followed by travel and retail. Not only are the number of ATO crimes rising across all industries, but their sophistication is also increasing. Here at Webhose, ATO is just one of the many types of criminal activities we see in our . The good news is that with continuous crawling of millions of sources of sites, marketplaces, files and messaging platforms, these types of crimes can be mitigated and even prevented. dark web monitoring

The Graph

Target

What Everyone Should Know About Tools And Services Of ATO Providers

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

The Challenge of Fighting Crime on the Deep and Dark Web

Battling Identity Theft in Subscription Based Services: A Personal War Story

Critical Vulnerability in Swedish BankID Exposes User Data

This Subtle URL Trick Let Attackers Bypass Google’s OAuth Defenses

Rick and Morty Explain The Harm a Hacker can Cause with a Breached Password

5 Crucial HR Practices to Amplify Cyberattack Readiness for Modern Businesses

The Challenge of Fighting Crime on the Deep and Dark Web

Battling Identity Theft in Subscription Based Services: A Personal War Story

Critical Vulnerability in Swedish BankID Exposes User Data

This Subtle URL Trick Let Attackers Bypass Google’s OAuth Defenses

Rick and Morty Explain The Harm a Hacker can Cause with a Breached Password

5 Crucial HR Practices to Amplify Cyberattack Readiness for Modern Businesses

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps