Account Takeover, known also as ATO, is one of the most popular trends today in the dark web scene. It occurs when threat actors get access to a user’s credentials on a specific site, application or service for malicious purposes. Once access is gained, additional data leaks and unauthorized access can continually occur. According to Imperva, 34% of all login attempts to accounts are by malicious actors, and websites suffer ATO attacks approximately 16% of the time.
Malicious actors have a few tools and methods they use to implement their attacks. In every known hacking forum it’s possible to find sections dedicated to the sharing of leaked accounts that could be used for ATO. But before they can share these leaked accounts, they need to get access to a user’s account details. Malicious actors have a few tools and methods they use to gain this access.
Two main methods malicious actors use for account takeover are:
* Manual methods - An example of a manual method is by accessing stolen databases shared on different dark web hacking forums and marketplaces.
* Automated methods - The more popular way to execute an ATO attack is using automated tools. In general, the purpose of those automated tools is to gain access to the required account on the required site. To get access to those accounts, the actor is using a combination of both credentials he acquired and the automated tool that helps him to check the validity of those credentials in the targeted site.
Every month Webhose crawls hundreds of thousands of posts from areas of the dark web where it’s possible to find millions of leaked or cracked accounts from different websites. The graph below shows the number of posts we crawl each month from these sections.
Number of posts crawled related to leaks or cracked accounts (Open image in new tab to enlarge)
Naturally, malicious actors tend to focus on a few specific tools for their attacks. We will focus on two of the most popular tools we have found in our crawling of the dark web and messaging platforms: OpenBullet and BlackBullet.
One of the most popular tools that has appeared in the last two years is OpenBullet, a website testing software suite that allows users to perform requests on a target web application. This tool was initially intended as a testing tool for security professionals.
Another popular tool is BlackBullet, originally created by a few different threat actors. This tool uses different methods than OpenBullet, limiting the number of user requests to the attacked site to avoid detection.
To use those tools successfully, it is needed to have more technical data such as proxies or configuration kits for the targeted site.
OpenBullet user interface
Actor selling a Forever 21 configuration kit
Those configuration kits, also known as configs, are often offered by actors on various hacking forums and different dark web marketplaces. Based on our investigations in the Cyber Endpoint, we were able to discover the most active user specializing in ATO crimes.
Actor Name: HOSEEN
Main Focus: Sharing the leaked accounts and different tools and kits for ATO fraud
Languages: English and Arabic
Time Active on Dark Web: At least since mid-2019
Sources of Activity: Telegram, cracked.to and other hacking forums, Discord, Shoppy
Webhose collects a lot of data related to ATO and the different tools such as OpenBullet from different hacking forums and chat applications groups and channels. As part of our crawling we have managed to detect high-profile actors related to ATO crimes on the dark web.
One of the most active actors we found with a connection to ATO goes by the username HOSEEN. Our research found that HOSEEN’s main focus is the sharing of leaked accounts and different tools and kits for ATO fraud and that he is active in both English and Arabic.
HOSEEN has been active in the dark web scene since the beginning of 2019. Later on he started to operate his own Telegram channels and be active on different hacking forums. He started his activity by sharing different tools and datasets that could be used for ATO.
HOSEEN can be found operating on different well-known hacking forums such as cracked.to. He also operates some very popular Telegram channels and groups that have a clear connection to ATO threats. HOSEEN also has a Discord server and a Shoppy profile where he sells different illicit products that can later be used for malicious usage. The channels and groups operated by HOSEEN, each with hundreds to thousands of followers, can be categorized into different topics. For example, HOSEEN operates a channel dedicated to the sharing of configurations, proxies and datasets specifically for the OpenBullet tool. He also operates a separate channel that is dedicated to the sharing of leaked accounts.
List of Telegram groups and channels operated by HOSEEN
The graph below shows the number of posts Webhose crawled that were authored by HOSEEN and the activity in his Telegram groups and channels. The spike we see in April occurred after Webhose added these specific channels to the coverage.
Number of posts crawled authored by HOSEEN (Open image in new tab to enlarge)
The most common sector targeted by ATO attacks is the computing and IT sector, followed by travel and retail. Not only are the number of ATO crimes rising across all industries, but their sophistication is also increasing. Here at Webhose, ATO is just one of the many types of criminal activities we see in our dark web monitoring. The good news is that with continuous crawling of millions of sources of sites, marketplaces, files and messaging platforms, these types of crimes can be mitigated and even prevented.