When I saw a threat actor hijacking the X account of Google’s Mandiant division and promoting a cryptocurrency scam I suddenly became curious about this new prominent trend. Indeed this attack was just one of many happened during the past few weeks (HERE).

A new black market trend

Establishing a presence on a prominent social media platform, formerly recognized as Twitter (now referred to as X), is pivotal for cultivating brand identity and visibility. The influence wielded by a tweet bearing the coveted blue checkmark is widely acknowledged. Initially tied to a stringent verification process, these badges underwent a transformation following Elon Musk’s acquisition of Twitter, allowing them to be openly purchased.

Presently, the landscape has evolved, with Twitter introducing a range of paid features. Entities can not only procure the standard blue checkmark but can also elevate their status with the ‘Gold’ tag for organizations and the ‘Grey’ designation for NGOs and government bodies. This trio of distinctions (blue, gold, and grey) is accessible through a monthly subscription model.

In the shadowy realms of dark web forums and marketplaces, a specialized section closely monitors activities related to social media transactions. Recent observations reveal a surge in postings within these domains, where threat actors are actively peddling accounts boasting Twitter Gold verification. Intriguingly, parallel advertisements have surfaced on Telegram channels, indicating a widespread proliferation of nefarious schemes that hinge upon the possession of a Twitter Gold account. This burgeoning trend demands vigilant attention to preempt potential malicious campaigns.

According with CloudSEK report (HERE) the prices may varies in range depending of the sold social media, the “badge level” and the number of followers.

Various threat actors operating across both the visible and obscured layers of the internet have asserted claims related to the acquisition of Twitter Gold accounts. Noteworthy instances include:

One actor disclosed to our informant an offering of 15 dormant accounts on a weekly basis, to be subsequently upgraded to gold subscriptions by the buyer. This equates to over 720 accounts annually, each priced at USD 35, accumulating to slightly over USD 500 for 15 corporate and inactive Twitter accounts.

Additional advertisements explicitly listed the companies available for purchase. Depending on the brand and followers associated with these accounts, those adorned with a gold badge were priced between USD 1200 and USD 2000.

Facilitating these transactions is a middleman, responsible for verifying the authenticity of the accounts from sellers and ensuring the transfer of funds from the buyer.

Sellers also provide the option to boost the followers of the purchased accounts, offering an increase ranging from 30,000 to 50,000 followers for as low as USD 135.

Buyers are afforded the ability to add multiple affiliates free of charge. However, after surpassing a specified number of affiliates linked to an existing gold account for X, the purchaser is obligated to pay USD 50 per affiliate. This stipulation indicates that the sub-account is intricately associated or affiliated with the primary Gold account of X.

Used Techniques

The attacker use the following techniques in oder to provide the access to social media:

1- Advertisers, often individuals, manually generate accounts, undergo the verification process, and present them as ‘ready to use’ for their clientele. This method is particularly attractive to individuals with criminal intent seeking a pseudo-identity while avoiding direct attribution to their actions.

2- Cybercriminals employ brute force tactics on existing accounts, utilizing generic username and password combinations from readily available lists. Cybercrime forums offer an array of tools and pre-configured setups for free. Prominent tools in this category include Open Bullet, SilverBullet, and SentryMBA.

3- Malware specializing in information theft operates within a centralized botnet network. This malware extracts credentials from compromised devices, and the harvested data is subsequently validated based on the buyers’ specifications. These criteria may include the nature of the account (individual or corporate), the number of followers, region-specific accounts, and more.

Sentry MBA

Now let’s take a closer look to Sentry MBA one of the most used tool to (brute) force Accounts.

Sentry MBA stands out as an automated tool wielded by cyber adversaries to seize control of user accounts across major websites. Its utilization allows criminals to efficiently assess the validity of millions of usernames and passwords on a specific target platform. This tool has gained notable traction, evidenced by the Shape Security research team encountering Sentry MBA attack attempts on nearly every website under their protection.

Unlike historical practices where cybercriminals needed a mastery of intricate web technologies for online attacks, Sentry MBA streamlines the process with its point-and-click graphical user interface. This accessibility, coupled with online support forums and thriving underground marketplaces, has democratized cybercrime, enabling a broader spectrum of individuals to partake without requiring advanced technical skills, specialized equipment, or insider knowledge.

Sentry MBA incorporates sophisticated features that circumvent common web application defenses. For instance, it can overcome preventative controls, such as IP blacklists or rate limiting, by leveraging proxies to distribute the attack across numerous IP addresses. Additionally, it can evade detective controls, like referrer checks, by manipulating the “referer” header value. Central to Sentry MBA attacks are “combo” lists, which comprise usernames and passwords.

The tool exploits the widespread practice of password reuse among internet users. If the combo list contains credentials previously valid on other platforms due to breaches or phishing techniques, the attack is termed “credential stuffing.” This approach persists as a prevalent threat, as highlighted by Verizon’s 2015 data breach report, which identifies stolen credentials as the most common attack action against web applications.

Credential stuffing attacks pose a formidable challenge to mitigation efforts, primarily because they target online user interface elements, such as login pages, inherently open to all internet traffic. In a notable case, cybercriminals utilizing Sentry MBA targeted the stored-value card program of a major retail corporation, with automation accounting for over 91% of the traffic on the company’s login page. Despite the implementation of established best practices for online security, the corporation incurred online fraud losses exceeding $25 million annually.

Anatomy of a Sentry MBA Attack

1. Targeting and Attack Refinement

The initiation of a Sentry MBA attack involves configuring the tool to understand the intricacies of the target’s login page. A dedicated “config” file encompasses essential elements such as the login page URL, field markers for form navigation, and rules for valid password constructions. Working configurations for various websites are readily available on forums dedicated to such activities. Once armed with a basic working configuration, attackers leverage Sentry MBA tools to optimize and test the attack setup against the live target website. This includes configuring the tool to recognize keywords associated with the website’s responses to login attempts, defeating CAPTCHA challenges through optical character recognition or a database of possible CAPTCHA images and answers.

2. Automated Account Checking

Optimized site configurations pave the way for automated account checking. Attackers only need to introduce their “combo” file (comprising usernames and passwords) and a “proxy” file to Sentry MBA to initiate the assault. Combo files can be acquired from various sources on the Darknet and open web, offering lists of stolen usernames and passwords. Proxy files, which consist of computers used by Sentry MBA to mask the attack’s origin, are also readily available. Proxies play a pivotal role in undermining common application defense strategies such as IP reputation filtering and rate limiting. Compromised computers used as proxies constantly change, rendering IP blacklists ineffective. Proxies also thwart rate limiting defenses by making login attempts appear to originate from a multitude of different computers.

3. Monetization

Upon obtaining working credentials, cybercriminals seek ways to monetize their success. One prevalent strategy involves transferring stored-value gift card balances from compromised accounts to cards controlled by the cybercriminal. Platforms like giift.com, giftcardzen.com, and cardpool.com facilitate the conversion of fraudulent cards into cash or merchandise, providing an avenue for illicit financial gain.

In essence, Sentry MBA orchestrates a well-coordinated attack by refining configurations, automating account checking with combo files and proxies, and ultimately enabling cybercriminals to profit from the compromised credentials. This nuanced process underscores the sophisticated nature of credential stuffing attacks and emphasizes the need for robust security measures to counteract these threats.

Conclusion

In conclusion, the ever-evolving landscape of cyber threats necessitates an ongoing commitment to understanding and countering the strategies employed by attackers. The present era witnesses the emergence of a concerning trend: the proliferation of a new dark market phenomenon. This phenomenon strategically capitalizes on the introduction of payment badges a year ago, serving as a deceptive lure for unsuspecting users. The subtlety of these tactics underscores the need for heightened awareness and proactive cybersecurity measures.

Simultaneously, the realm of cybercrime is witnessing a significant surge in the adoption of automation tools and techniques. This development catapults cybercriminals to a new echelon of sophistication, enabling them to efficiently target a massive number of victims. The intersection of these trends underscores the dynamic nature of the cybersecurity landscape, where adversaries continually adapt and refine their methods.

In response, the cybersecurity community must remain vigilant, leveraging advanced technologies and collaborative efforts to stay ahead of evolving threats. By fostering a proactive and adaptive approach, we can collectively fortify our defenses and mitigate the impact of these sophisticated cyber challenges on individuals, organizations, and the digital ecosystem at large.

But being a target does not means be a victim, stay tuned and stay informed.
If you want to know more about Cyber Threat Intelligence, you may decide to subscribe HERE.

For this post I did used the power of AI adapt my text in a better English format.