How OpenBullet is Used and Abused by Cybercriminals

What is OpenBullet?

OpenBullet is a testing suite of software allowing users to perform requests on a target web application. The open source tool can be found on GitHub and is used by businesses for various legitimate purposes including scraping and parsing data and automated penetration testing.

Although designed to aid security professionals, in the wrong hands OpenBullet can be abused for the opposite purpose. Since mid-2019, OpenBullet has been gaining popularity with cybercriminals when it took over from Sentry MBA as the most popular tool for credential stuffing and fake account creation.

How to use OpenBullet as a developer

OpenBullet was originally released in April 2019 on GitHub as a penetration testing tool intended for security researchers.

OpenBullet allows a user to import prebuilt configuration files, or “configs”, for each website to be tested. These OpenBullet configs can be modified as needed, a mandatory feature since websites tend to make slight adjustments to user experience to counter credential stuffing attempts.

The tool has its own dedicated forum offering the latest version of OpenBullet but cautioning against using it for credential cracking. However, cracking tutorials on YouTube, cracking communities, and hacking forums instruct users how to use OpenBullet configs for malicious purposes like account takeover.

The decline of Sentry MBA and the rise of OpenBullet

For a while, Sentry MBA was the most popular and widely used credential stuffing tool, and the most recognizable in credential stuffing attacks and subsequent account fraud. Like most tools of its type, it has a user interface that allows the uploading of base credential lists and proxies, and a screen where results are logged.

Other similar tools developed by adversaries to execute credential stuffing and account fraud include:

• Vertex
• SNIPR
• Private Keeper
• Account Hitman
• BlackBullet

In cracking communities, users have commented that OpenBullet surpasses Sentry MBA and others listed above as their config files are outdated, with few making config files for those tools anymore. While configs for Sentry MBA and other tools can still be found within such communities, there has been an uptick in OpenBullet configs for sale on cracking forums. These include configs for popular websites and services such as a Netflix and Microsoft Azure

How OpenBullet is abused by cybercriminals for credential stuffing

While OpenBullet seems on the surface to be a useful tool for developers, how do cybercriminals use OpenBullet to execute account fraud?

Adversaries are becoming far more advanced with the tools they use to execute account fraud. We have moved to a world where credentials are readily available online, even on public-facing forums and social media, making credential stuffing ever easier, cheaper and profitable for attackers. The shift to mass remote working has exacerbated this activity, as more personal information and sensitive documents are stored in the cloud.

What is credential stuffing?

A credential stuffing attack is a type of cyber-attack where hackers use stolen or leaked username and password pairs to gain access to user accounts. The term “credential stuffing” is used because the attackers are literally stuffing (i.e., submitting) the stolen credentials into login pages and other registration forms on multiple sites to gain access to accounts.

Cybercriminals started using OpenBullet as a standalone credential stuffing tool in 2019. The tool is now regularly used for various account takeover purposes across various targeted industries. Like many other credential stuffing tools, OpenBullet requires certain inputs to operate and test a targeted web or mobile application, such as a configuration file, wordlist and target URL. And, like other tools, its success relies upon the prevalence of password reuse.

Why is OpenBullet appealing to cybercriminals?

According to Digital Shadows, OpenBullet was mentioned 35% more than other credential stuffing tools including Sentry MBA across online criminal locations between January and June 2020. Its popularity is largely down to its ability to customize existing configs and its open source status, which means it is:

• Free to download and use
• Regularly updated with new features
• Sparing in its CPU usage
• Simple to use for those new to the tool
• Supported by an active, dedicated community

OpenBullet in action

We now know in theory how OpenBullet is used by adversaries with malicious intent, but how does this work in practice?

Luckily for hackers, OpenBullet is user-friendly yet highly advanced tool. Adversaries input the URL they wish to hack, load in the relevant config and add a list of credentials taken from the dark web.

There are dozens of advanced controls such as setting appropriate cookies needed to pass through the login page or changing proxying settings, and you can even set a designated time stamp so you can go away and let the request run itself.

Once “Start” is pressed, OpenBullet fires thousands of username and password combinations to the desired website, reporting in seconds whether the requests were successful or not. The credentials that provided a successful match are then used manually to crack into accounts to commit online fraud.