The Blackhat Market of Account Cracking
Introduction to Cracking
Cracking is a method fraudsters use to gain access to accounts on a given website, typically using old, leaked login credentials associated with a user. Fraudsters crack everything from simple things like pizza accounts, such as Domino's, all the way to cryptocurrency exchange logins, which feed the more severe market of SIM swapping. It is more formally known as 'credential stuffing': attempting stolen username and password pairs en masse against an individual website or an array of websites.
However, the process is far more complex than obtaining previously breached logins and trying them on a victim service. The levels of the operation include:
- Combolist
- Proxies
- Configuration
- Sales
- Consumer Usage
Combolist
A combolist is a database of usernames or emails paired with the users' passwords. Combolists come from leaked databases, which appear to be an unavoidable security tragedy. Databases are leaked in many ways, such as through an attack known as 'SQL injection' on a victim site. An SQL injection can give a fraudster the website's entire current user database, including users' emails, passwords, and other related account details, sometimes including date of birth. Database sales can be found on nearly any darknet marketplace; one particularly active marketplace I came across is RaidForums (update: RaidForums has now been shut down and replaced with Breached.co).
After a database is obtained, in many cases its passwords must first be cracked. Nearly every large company stores passwords as hashes rather than in plaintext, meaning that once the database is leaked it cannot instantly be used by hackers as a combolist. The hashes have to be cracked using software like Hashcat, which recovers the text that was hashed, commonly referred to as the 'plaintext'. Some databases are sold pre-cracked, while others are sold as-is and leave it to the buyer to crack the credentials in the database. It is nearly impossible to crack every hash in a database; however, in many cases at least half of a database can be recovered. This recovery of passwords is known as 'hash cracking', not to be confused with 'account cracking'.
Hash cracking cannot reveal every password in a database, as some users wisely make their password too complex to be recovered easily. Hash cracking via dictionary attack typically goes as follows:
1. The fraudster finds a 'common' password list, such as the rockyou.txt password list. This is a list of the most common passwords in plaintext, typically in the hundreds of thousands. It is not the only list used, but it is widely used and is the default for many cracking tools.
2. Each password in the plaintext list from step one is hashed. The list is hashed with whichever algorithm the target site's database used. For instance, if the website's database used MD5, the entire list from step one would be hashed with MD5.
3. The fraudster then compares the hashes generated in step two against the leaked database. If any newly generated MD5 hash matches a hash in the leaked database, the plaintext that produced it is the password for that particular hash in the original database. To simplify, tools like Hashcat test a large number of predicted passwords against the leaked hashes, at rates of millions of hashes per second.
4. Once every hash that can be matched has found its corresponding password, the uncracked entries are removed. Some passwords are not predictable and were not in the original password list such as rockyou.txt, so their hash is never matched.
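As an added illustration (not the article's own code, nor Hashcat's), here is the dictionary attack above in miniature against a constructed table of unsalted MD5 hashes, beside the per-user salted, slow-hash storage that a site should use instead. The wordlist, emails and passwords are constructed sample data, and the iteration count is kept low only so the demo runs quickly.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a common-password list such as rockyou.txt.
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou", "dragon"]

# Constructed "leaked database": unsalted MD5, the weak scheme the text
# describes. Two users chose wordlist passwords, one chose a strong one.
LEAKED_MD5 = {
    "alice@example.com": hashlib.md5(b"password").hexdigest(),
    "bob@example.com": hashlib.md5(b"dragon").hexdigest(),
    "carol@example.com": hashlib.md5(b"Tq7!vN2#pLx9").hexdigest(),
}


def crack_unsalted_md5(leaked, wordlist):
    """Steps 2-3 of the text: hash the wordlist once, then look every leaked
    hash up in the result. Returns (recovered, hashes_computed). The work is
    len(wordlist) no matter how many users leaked, which is why an unsalted
    fast hash falls at millions of candidates per second."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    recovered = {user: lookup[h] for user, h in leaked.items() if h in lookup}
    return recovered, len(wordlist)


# --- The hardened storage scheme a site should use instead ---------------

def store_password(password, iterations, salt=None):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations):
    """Constant-time comparison so the check itself leaks nothing."""
    _, candidate = store_password(password, iterations, salt)
    return hmac.compare_digest(candidate, digest)


def crack_salted(leaked, wordlist, iterations):
    """The same dictionary attack against salted records {user: (salt, digest)}.
    Each user now needs their own pass over the wordlist, and each candidate
    costs `iterations` rounds instead of one MD5. Returns (recovered, work)."""
    recovered, work = {}, 0
    for user, (salt, digest) in leaked.items():
        for word in wordlist:
            work += 1
            if verify_password(word, salt, digest, iterations):
                recovered[user] = word
                break
    return recovered, work


def build_salted_table(plaintexts, iterations):
    """Construct the salted 'leak' from the same sample passwords."""
    return {user: store_password(pw, iterations) for user, pw in plaintexts.items()}


def compare_schemes(iterations=1000):
    """Run both attacks on the same constructed users and report the numbers.
    1000 iterations is far too low for production; it keeps the demo fast."""
    sample = {"alice@example.com": "password", "bob@example.com": "dragon",
              "carol@example.com": "Tq7!vN2#pLx9"}
    md5_found, md5_work = crack_unsalted_md5(LEAKED_MD5, WORDLIST)
    table = build_salted_table(sample, iterations)
    kdf_found, kdf_work = crack_salted(table, WORDLIST, iterations)
    return {"md5_found": md5_found, "md5_work": md5_work,
            "kdf_found": kdf_found, "kdf_work": kdf_work}


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```

The strong password survives both schemes; what salting and a slow KDF change is that the two weak ones cost a separate, slow pass per user instead of one shared lookup table.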
In these leaked databases, the format is typically email:password, separated by a colon so the email and password can be distinguished by the software used to crack the logins. Not all databases involve a password; sometimes mailing lists get leaked. These mailing lists are valuable amongst fraudsters because someone on a mailing list for a cryptocurrency site is likely to have cryptocurrency, making them a good target. Additionally, there are services that will search an email across hundreds of terabytes of leaked databases and return every piece of information related to that email. This is done through services like Intelx and Dehashed. Thus, emails from a leaked mailing list can be looked up in these database search tools to find previously leaked login credentials.
Combolists can be put up for sale or 'leaked' onto forums to embarrass the company and make the leaker more credible amongst peers on the forums. Leaked combolists quickly become 'saturated', however: because many people have access to the combolist, many people are attempting attacks with the credentials in it. Fraud victims tend to change all of their online information after being compromised, so saturated combolists aren't as valuable as private ones. Individual databases are also sold for large amounts of money, determined by factors like the region of the site, the size of the database, which hash was used, how old the site is, and what the site's purpose is. A cryptocurrency database is very valuable because it provides more value to hackers, as a common goal for hackers is to extract hard-to-trace cryptocurrency from a victim's account.
There are also database providers who sell access to many databases and post fresh databases as a monthly subscription service. Examples of this can be found on nearly any cybercrime forum, including the popular English and Russian ones. One example is Knact, a German service that provides combolists as a subscription and even has an API for its users.
Proxies
After a fraudster has obtained a combolist, whether they bought a private database, found a leaked one, or are using a database subscription service, they then need proxies to attempt a credential stuffing attack. There are two types of proxies in the domain of cracking: datacenter and residential. Datacenter proxies are considered 'lower quality', as they are detected as non-residential IP addresses, meaning a datacenter IP indicates to the victim site's backend that the request is automated. However, datacenter proxies are cheaper than residential proxies and often faster. But the speed and cost are irrelevant if the victim site blacklists requests from datacenter IPs. Residential proxies are harder to detect and thereby easier to disguise as real requests, although they tend to be more expensive and slower. Depending on the victim site being targeted, a fraudster may choose a different proxy.
There are two popular protocols for proxies when cracking, HTTP/S and SOCKS. HTTP/S is much the more popular of the two for cracking. Most crackers elect to use residential HTTP/S proxies as they are fast and designed for quick, request-based activity. Ironically, HTTP/S proxies are frequently obtained illegitimately as well. On nearly all forums where databases and combolists are sold, there are proxy services that sell HTTP residential proxies that are ideal for cracking. Not only are the proxies residential, but frequently the proxies 'rotate' IPs, meaning a large range of unique IPs is used to send requests, helping obscure the automated nature of the attacker's requests. This means that more login attempts succeed on the victim site, as proxy IPs do not get blacklisted as quickly. To clarify, a website automatically blacklists IPs that are trying to access the service too quickly or too many times; when rotation is introduced, each IP's attempts appear slower and less malicious, so the website is not as suspicious of them.
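The defender's side of this, as an added example that is not from the article: a per-IP rate limit that rotation slips under, next to detection that aggregates on a key rotation does not change. The log lines and their format (time, ip, user, result, and a client-fingerprint field called `ua`) are constructed for the example; eight single-attempt IPs share one fingerprint and mostly fail, while one ordinary user mistypes once and then succeeds.

```python
import re
from collections import defaultdict

# Constructed login-audit sample (not from the article). Assumed line format:
#   <time> ip=<addr> user=<login> result=<ok|fail> ua=<client fingerprint>
SAMPLE_LOG = """\
2023-05-01T10:00:01 ip=203.0.113.10 user=a@example.com result=fail ua=ua-7f3c
2023-05-01T10:00:02 ip=203.0.113.11 user=b@example.com result=fail ua=ua-7f3c
2023-05-01T10:00:02 ip=203.0.113.12 user=c@example.com result=fail ua=ua-7f3c
2023-05-01T10:00:03 ip=203.0.113.13 user=d@example.com result=ok ua=ua-7f3c
2023-05-01T10:00:03 ip=203.0.113.14 user=e@example.com result=fail ua=ua-7f3c
2023-05-01T10:00:04 ip=203.0.113.15 user=f@example.com result=fail ua=ua-7f3c
2023-05-01T10:00:04 ip=203.0.113.16 user=g@example.com result=fail ua=ua-7f3c
2023-05-01T10:00:05 ip=203.0.113.17 user=h@example.com result=fail ua=ua-7f3c
2023-05-01T10:00:06 ip=198.51.100.7 user=legit@example.com result=fail ua=ua-2b19
2023-05-01T10:00:09 ip=198.51.100.7 user=legit@example.com result=ok ua=ua-2b19
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>ok|fail) ua=(?P<ua>\S+)$"
)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def per_ip_offenders(events, max_attempts=5):
    """The classic control the text says rotation defeats: count attempts per
    source IP within the window and block anything over the threshold."""
    counts = defaultdict(int)
    for e in events:
        counts[e["ip"]] += 1
    return {ip for ip, n in counts.items() if n > max_attempts}


def detect_distributed_stuffing(events, min_attempts=8, min_fail_ratio=0.7,
                                min_user_spread=0.8):
    """Aggregate on a key that rotating proxies do not change (here the client
    fingerprint) and look for the combolist signature: many attempts, mostly
    failures, almost every attempt against a different account, spread over
    many IPs. The caller passes the events of one time window. Returns one
    finding per offending key."""
    groups = defaultdict(list)
    for e in events:
        groups[e["ua"]].append(e)
    findings = []
    for ua, evs in groups.items():
        attempts = len(evs)
        if attempts < min_attempts:
            continue
        fails = sum(1 for e in evs if e["result"] == "fail")
        users = {e["user"] for e in evs}
        ips = {e["ip"] for e in evs}
        if fails / attempts >= min_fail_ratio and len(users) / attempts >= min_user_spread:
            findings.append({"key": ua, "attempts": attempts, "fails": fails,
                             "distinct_users": len(users), "distinct_ips": len(ips)})
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP blocklist:", per_ip_offenders(evs))
    print("distributed findings:", detect_distributed_stuffing(evs))
```

Since the text notes that attackers also forge fingerprints and cookies, a production detector keys on several such signals (and on global failure rate per account set) rather than this one field.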
I conducted an interview with the administration of MazeProxies, where we discussed typical use cases of proxies and how the proxies are obtained.
Proxy services such as MazeProxies are said to be used for everything from innocent things such as 'sneaker bots' to full-scale ransomware operations that use the proxies as a privacy mechanism to prevent detection. MazeProxies proves that there is massive demand for proxies, having about 1.2k active users and over 6k registered users according to the owner(s). Competition is fierce within this scene, as forums like Cracked.to have hundreds of proxy providers, resulting in competitors initiating DDoS attacks against one another. MazeProxies has become so concerned about DDoS attacks that they pay around 1,000 USD a month for DDoS protection, which has seemed to work for them.
These proxies are not only sold by criminals but are often obtained in sketchy ways that are worth a whole other article in themselves. While I am unable to speak for the entire residential proxy sales scene, including larger, more established companies like OxyLabs, my research has found that many residential proxies are obtained in blackhat manners. Residential proxy providers obtain bandwidth and IP addresses by making malware disguised as legitimate software and providing it for free. An example is HolaVPN, a free VPN software that came with a secret catch for consumers: according to a 2015 The Verge article, consumers were put into a botnet where their IP would be sold as a residential proxy.
Another notable method blackhat proxy companies use to obtain residential proxies is scanning large IP ranges for vulnerable IoT (Internet of Things) devices, such as Amazon Alexa, and using the vulnerability to turn that network into a residential proxy that will be sold. Many people don't realize they're compromised, as few people monitor their bandwidth or know how to check for a network compromise, so this remains an effective method for many proxy providers to get an endless supply of residential IPs. Many proxy providers are also just resellers of those who do these blackhat activities, selling the proxy packages of unknown providers at a premium.
Once a hacker has obtained a combolist and rotating residential proxies, more technical "know-how" becomes required.
Captchas & Anti-Bot Services
To prevent automated requests, websites frequently implement captchas. Typical captchas websites use are Google reCAPTCHA, FunCaptcha, and hCaptcha. Crackers sometimes don't have to account for captchas if the proxy's "fraud score" is good enough, but most websites show captchas regardless of IP fraud score. This is why there is a large market for captcha solvers, though these aren't normally as "criminally run" as proxy providers. An example captcha bypass solution is 2Captcha, which pays people very low rates to solve captchas manually. Captchas are still good for companies in preventing cracking, because a person has to type out the captcha, slowing down the potential "CPM", checks per minute. They also require more technical expertise, as many people in the cracking scene don't understand how to implement an API like 2Captcha's. Many cracking "suites", or software used to crack, have solved this problem by implementing the API for the cracker and just asking for their API key.
Additionally, new technology is coming into the captcha-solving scene which serves as a great benefit to those who are cracking. There are now automated captcha solvers using captcha recognition, meaning the delay of waiting for another person to solve the captcha is gone. Services like Capmonster can solve captchas quicker and cheaper, as they don't have to pay someone else to solve your captcha. It comes as no surprise that there are now bots solving anti-bot tasks like captchas, given how long a software called XEvil has been around. XEvil is a software used for captcha recognition and solving; you can download and run it directly, as opposed to paying Capmonster per 1,000 proxies. XEvil is a Russian company and has been around since at least 2017 solving captchas using recognition. The company that runs XEvil, Botmaster Labs, has other software like XRumer that has been around longer as well. XRumer is an SEO tool that has been around for about 7 years, increasing SEO rank by spamming forum posts with the customer's desired content. The service is about to release its V6 suite for XEvil soon for about 100 USD, which I'm sure account crackers are excited for. XEvil is a good solution because you pay for the software, an upfront 100 USD, as opposed to paying a captcha solving service like 2Captcha or Capmonster over and over; it's essentially a market decision between a higher upfront flat fee and a subscription model.
Many websites understand that captchas aren't enough and implement anti-bot solutions like Imperva and Akamai, which hackers have developed workarounds for. Bot solutions like Akamai use browser fingerprinting, user agent strings, and other undisclosed signals to attempt to detect when someone is credential stuffing, and then stop their requests once the attempts are detected to be bot-like. Many developers in the cracking community have become sophisticated enough to bypass these bot solutions by generating fake cookies or data to make Akamai believe that the request isn't "bot-like". Universal Akamai bypasses are even sold, but at an expensive price. Not all websites have anti-bot solutions, especially lower-end sites that aren't willing to pay for a solution such as Akamai.
An especially dangerous case of captchas in cracking is when the captchas are fully bypassed due to security flaws. Captcha provider FunCaptcha has had bypasses made in the past, which resulted in hackers being able to manage massive CPMs when credential stuffing, meaning that while the bypass works the hackers can try far more login attempts than they could if they had to use Xleet or a captcha solving service.
VPS / RDP
A virtual private server, or VPS, is an essential tool for crackers, or just any cybercriminal in general. For all intents and purposes, RDPs and VPSes are interchangeable in this article, as long as the remote server provider provides administrator access to the server. A VPS is essential to crackers for multiple reasons: anonymity, security, and speed.
A VPS acts as an anonymizing tool for those who crack. A VPS is a separate machine from the hacker's home machine and can be connected to through a proxy at all times. Few hackers maintain a VPN connection at all times on their home machine, meaning every time they turn it off they risk mixing their online life with their fraudulent life. A VPS solves this risk, as it's a separate server with a different IP that is only accessed through a VPN, proxy, or Tor. Remote desktop clients like Parallels Client allow for very secure, anonymous connections to a VPS routed through proxies. Hackers enjoy having separation between their home computer and their cracking tools for anonymity, but even more so for security.
Security is a risk because crackers don't know which cracking suites are legitimate and which ones aren't. Crackers often find themselves downloading software from forums, such as XEvil, and don't know which files may be a virus. After all, everyone involved is a cybercriminal, so they understand the inherent risk of dealing with other thieves. Hackers can download any program on their VPS without worrying about their home computer's security; at worst, their VPS is compromised.
Speed is essential for cracking, and VPSes can provide faster speeds than home computers. A high-end VPS can offer much quicker speeds than a home computer, as many good VPSes come equipped with Intel Xeon processors, which are meant for heavy server work. Hackers also avoid the initial cost of buying equipment by just renting the server monthly.
VPS services, similar to proxy services, are also frequently provided by fellow criminals. From my current understanding, there are two ways that VPS sellers operate. The first common case is that they operate as resellers for larger companies that wouldn't sell to fraudsters or that fraudsters didn't find independently. The second common finding is that fellow hackers sell 'cracked VPSes', essentially compromised VPS servers found through vulnerability scanning of large IP ranges, at a discount from what they would be worth. This is because while these VPS providers do create 'ghost' accounts on the operating system, the owner of the VPS may still notice and remove the hacker at an unpredictable time. This creates risk for the buyer, a risk many buyers are willing to take. Many of these fraudulent VPS providers advertise solely on the fact that they allow blackhat operations on their VPS. For instance, VPS.fo, from the owners of cracked account shop Ping.fo, advertises on their forum thread that they allow cracking.
While VPS.fo themselves don't appear to crack their VPSes, services like odin.to do, and those are attractive due to how cheap they are. It is somewhat ironic how the cycle works for sites like Odin: they sell cracked VPSes to people who will then go crack accounts, a cycle of cracking.
Configs
A config, or more formally a 'configuration', is the file that is used to actually crack the desired accounts. For instance, if you wanted to crack Domino's Pizza accounts, you would need a 'dominos.com config'. Configs are made to work on certain cracking suites, of which there are a few popular ones. Early on, SentryMBA was a popular cracking software. SentryMBA was then deprecated over time due to the rising number of convenient competitors, namely OpenBullet. I believe this is because it is hard to find a legitimate download link for SentryMBA: many people on forums post SentryMBA but infect it with a backdoor, making it hard to trust nearly any source, as it is not centrally distributed by anyone. But OpenBullet is: it's on GitHub and has an official seller, which results in much less fear of being backdoored as it's not a random person on a forum; it's almost like an established business in the community.
OpenBullet configurations have vast capabilities. Configurations are sold and leaked amongst cybercriminals on forums, just like VPSes, proxies, and combolists. They typically come in file formats such as .loli and .cto, which are fairly simple to write for low-end websites. OpenBullet accepts the configuration file and imports its settings into the cracking suite; all the user must do after that is import their combolist, proxies, and captcha solving service API key if needed. OpenBullet will then show the attempts made on the accounts in real time and output the results. OpenBullet can also be used to make configurations using something of a 'template builder' in the software. Below is an example of what an OpenBullet config looks like.
There are different types of configs. There are configs meant for just checking whether an email and password pair is valid for a site, but notably there are also configs for 'valid mail', referred to as 'VM'. The purpose of a 'VM' checker is that someone who has a list of emails they have cracked, meaning they have email access, can check whether those emails have accounts on the site they are looking at. If an email is valid, meaning it's registered on the site being checked, then a password reset request can be sent to the email and the password reset to the hacker's choice. The typical means hackers use to check if a mail is valid is whether the site will allow you to sign up with the email or not; if the site doesn't let you sign up with the email, that typically means the email is already in use on that site. For the Afterpay VM config above, the config uses an endpoint on an Afterpay mobile API that wasn't meant to be public to consumers, but is. Eventually Afterpay will notice and remove that feature from the API.
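The signup behaviour a 'VM' config relies on, beside the fix, as an added example that is not the article's or any vendor's code: the leaky handler answers differently for a registered address, while the uniform handler returns the same status and body either way and moves the distinction into the e-mail that only the mailbox owner can read. The user store, handler names and messages are constructed for the example.

```python
import secrets

# Constructed user store (not from the article).
REGISTERED = {"taken@example.com"}


def leaky_signup(email, outbox, store=REGISTERED):
    """Behaviour a 'valid mail' config probes: the response itself reveals
    whether the address already has an account."""
    norm = email.strip().lower()
    if norm in store:
        return 409, "An account with this email already exists."
    outbox.append((norm, f"Confirm your new account: /confirm/{secrets.token_urlsafe(16)}"))
    return 200, "Check your email to finish creating your account."


def uniform_signup(email, outbox, store=REGISTERED):
    """Same status and body in both cases. Both branches do the same work
    (a token is always generated) so response timing matches as well; the
    endpoint still needs rate limiting, since that is a separate control."""
    norm = email.strip().lower()
    token = secrets.token_urlsafe(16)  # generated in both branches on purpose
    if norm in store:
        outbox.append((norm, "Someone tried to sign up with this address. You already "
                             "have an account; use 'Forgot password' if that was you."))
    else:
        outbox.append((norm, f"Confirm your new account: /confirm/{token}"))
    return 200, "If this address can be registered, instructions have been sent to it."


def responses_indistinguishable(handler):
    """Probe a known and an unknown address and report whether the two
    responses are byte-identical: the property the VM check cannot survive."""
    outbox = []
    known = handler("taken@example.com", outbox)
    unknown = handler("fresh@example.com", outbox)
    return known == unknown


if __name__ == "__main__":
    print("leaky handler indistinguishable:", responses_indistinguishable(leaky_signup))
    print("uniform handler indistinguishable:", responses_indistinguishable(uniform_signup))
```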
Configs, if not obtained from the free section of forums like Cracked.io or Nulled.to, are typically bought. There are two ways that hackers buy configs: through private developers and 'config clouds'. Private developers will, for a fee, program the config you need, bypassing any necessary anti-bot software. This fee on a simple site could be as low as 20 USD, but if the site is advanced and uses high-level anti-bot software it could go up to as much as 200 USD. There are additionally 'config clouds', or collections of configs that are sold as a bundle. The config cloud is updated based on consumers' requests, and it's typically a monthly subscription. If you stay subscribed, you can request and get new configs. Typically, config cloud services don't charge for config requests as long as you pay for their service.
The most powerful config, in my opinion, right now is the Yahoo Inbox Searcher. The Yahoo Inbox Searcher essentially bypasses Yahoo's security, logs into Yahoo accounts, searches terms in the inbox of the compromised account automatically, and notes whether the email has results for that search term. This is useful for sites that don't have valid mail configs, because if the company is emailing the victim's account, that likely means the victim is signed up to their services. Additionally, the power of this is that you can check for IDs and other private information quickly. It is valuable for a hacker to get into an email where the owner's ID is present, as IDs can be sold for money on darknet forums. One of the main uses for 'inbox searchers' right now is a service named 'Cashbase', which searches accounts for Coinbase transactions. Cashbase is essentially an inbox searcher for Yahoo/AOL emails that finds all the Coinbase transaction history in the email, as Coinbase emails receipts for each transaction, and tries to estimate the balance of the Coinbase wallet. Once this has been investigated, a SIM swap or other account takeover techniques can be used on the victim.
The Sale of Cracked Accounts
This is the end of the supply chain. Once a config is obtained and running, valid accounts will be output. Most people who crack accounts do so with the intent to sell the accounts to consumers on underground forums. The sales are typically facilitated through 'all-in-one' payment service providers, frequently [Atshop.io](https://atshop.io) and [Sellix](https://sellix.io). These are particularly good sites for people selling cracked accounts, as they are not banned from the platforms, which accept cryptocurrency and CashApp. These are preferred by criminals because they are hard to trace: cryptocurrency is difficult to trace and isn't as regulated as a payment processor like Stripe. CashApp accounts are easy to open under fraudulent information and allow easy access to Bitcoin with in-app features.
Cracked accounts are available on pretty much any forum, even greyhat ones. Nearly any thinkable account is crackable; even fellow cybercrime websites are cracked by hackers, as shown in this Krebs article.
There are mainly two types of cracked account sales: full access (FA) and not full access (NFA). FA indicates that the email password is known, while NFA indicates it is not. This matters for many websites that require email verification to confirm a login or to perform certain actions on the site. For instance, Coinbase.com sends a link to the email when a user logs in from a new device, to verify that the login attempt is legitimate and being done by the account owner. FA emails also allow for password resets on other services that may be connected to the email, and the aforementioned 'email inbox search' attack. FA accounts tend to sell for more than NFA accounts.
While FA accounts are ideal, they're not necessary for all use cases. For instance, Buffalo Wild Wings accounts are frequently sold on account shops; you can place an order without email access (which is the purpose of the log). This brings me to the scope of what is hacked and what I've observed commonly sold amongst the thousands of account shops I've investigated:
- Adult film accounts
- Food accounts (Chipotle, PizzaHut, Buffalo Wild Wings, DoorDash)
- Productivity accounts (Cheggs, Udemy, Scribd, Office365, Adobe, Duolingo)
- Cashout accounts (SquareUp, FloatMe, ShopPay, AfterPay)
- VPNs (NordVPN, ExpressVPN, Windscribe)
- Entertainment (Spotify, Tidal, NBA League Pass, UFC Fight Pass)
- Fraudulent accounts (genesis.market, uni.cc, krebsclub)
There are thousands of websites that will sell you cracked accounts, and most logins can be used for different purposes. The logins, commonly referred to as 'logs', range from more innocent accounts like PizzaHut accounts, typically with rewards points or a credit card linked so the person who buys the log doesn't have to pay for food, to more devious schemes. For instance, people buy Coinbase.com and Crypto.com (CDC) logs to plan SIM swap attacks against victims, using the email to find accounts with money. Without phone number access, the hackers cannot steal the victim's money due to Coinbase's security.
People even sell services using these logs, such as '50% off DoorDash' services. People will locally offer services like 50% off online food delivery, using cracked accounts to pay for the food. Another common use is cracked VPN accounts, which create another layer of anonymity for a hacker. A hacked NordVPN account is more anonymous, as the payment information on the account isn't linked to the buyer of the log, only to the actual owner of the account.
There are nearly unlimited uses for these logs, and people expand them constantly. I plan to soon cover the scheme behind the Coinbase.com account takeovers executed via logs, and the related market, in further depth.
One-time Passcode Bot & Email Bomb
Some websites cannot stop the cracking of accounts due to how dedicated people are to making configs, but they can make the compromised accounts useless. Some websites require the owner of the account to enter a 'one-time passcode' that is sent to the owner's linked mobile phone, to prevent those cracking from accessing the account. This is a necessary inconvenience for account owners on any website due to the current severity of cracking.
This one-time passcode sent to the actual owner's phone number cannot be cracked or guessed, but it can be phished. Hackers have used Twilio's API to set up bots that call the account owner's number and collect the one-time passcode that the hacker has triggered to be sent to the phone. The phone bot typically calls the victim, tells them there was a security issue, and says they must type the one-time passcode into the dial pad to prevent being compromised. Meanwhile, the hacker on the other end enters the one-time passcode live and has now circumvented the security. Hackers make the call seem more realistic by spoofing the caller ID to the actual company's number. To better explain: if you wanted a Yahoo one-time passcode, the phone would appear to call from Yahoo's official number.
These bots are sold as a service but are also open source on GitHub for users to set up themselves. Many do not know how, or can't be bothered to, so the 'OTP bot' services remain prominent. An example of the source code to these OTP bots is found here.
Another tool used by hackers once they have access to logs is 'email bombing', mainly used on NFA emails. Let's say a person bought a cracked Apple account without email access, then placed an order for themselves. Apple will email a receipt of the transaction to the email on file, alerting the owner to the purchase. The owner may see the email and cancel it, but the email bomb can counteract this. An email bomb sends thousands of mails to an inbox, making it very unlikely that the account owner sees the receipt; they are too alarmed by the thousands to tens of thousands of emails they have just received. This is also sold as a service and is also an open-source program that has been around for a long time.
Conclusion
It is a clear cat-and-mouse game at the moment in the cracking scene. Websites implement anti-bot solutions, they get bypassed. Websites implement one-time passcodes, they get phished. Websites seemingly are doing everything in their capability to stop these attacks but as of now the people cracking accounts and using cracked accounts are winning the battle.
The best thing I believe that websites can do is require a multi-factor authentication code that uses letters and numbers for login, for any website that stores information about users. OTP phishing bots cannot phish a code containing letters, as mobile dial pads don't support sending letters.
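An added example (not the article's code) of the alphanumeric code recommended above, together with the check that shows why a dial pad cannot relay it, and a verifier that adds the other properties a one-time code needs: a short lifetime, a small attempt budget, single use and constant-time comparison. The alphabet, lengths and `OtpStore` class are constructed for the example; the `pick` and `clock` parameters exist only so the behaviour can be tested deterministically.

```python
import hmac
import secrets
import time

# Letters and digits with look-alikes (0/O, 1/I/l) removed so the code can be
# read from an SMS without confusion; the letters are what a phone keypad
# cannot relay to an OTP-bot operator.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def generate_code(length=8, pick=secrets.choice):
    """Random alphanumeric code; `pick` is injectable only for deterministic tests."""
    return "".join(pick(ALPHABET) for _ in range(length))


def relayable_by_dialpad(code):
    """True when a victim could type the whole code on a phone keypad, which
    is the property the OTP-bot call described above depends on."""
    return code.isdigit()


class OtpStore:
    """Issue and verify codes with expiry, an attempt budget and single use."""

    def __init__(self, ttl_seconds=300, max_attempts=5, clock=time.monotonic):
        self.ttl, self.max_attempts, self.clock = ttl_seconds, max_attempts, clock
        self._pending = {}  # user -> [code, expires_at, attempts_left]

    def issue(self, user):
        code = generate_code()
        self._pending[user] = [code, self.clock() + self.ttl, self.max_attempts]
        return code  # delivered out of band (SMS/app), never to the web client

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self.clock() > expires_at or attempts_left <= 0:
            del self._pending[user]  # stale or exhausted: force a fresh code
            return False
        entry[2] -= 1
        if hmac.compare_digest(code, submitted.strip().upper()):
            del self._pending[user]  # single use
            return True
        return False


if __name__ == "__main__":
    store = OtpStore()
    issued = store.issue("demo-user")
    print("issued:", issued, "dial-pad relayable:", relayable_by_dialpad(issued))
    print("verify:", store.verify("demo-user", issued))
```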
My best advice to consumers is to use a different password for each site, even resorting to a password manager if needed.