Using commercially available attack tools like OpenBullet, Snipr MBA and BlackBullet has dramatically simplified the act of committing fraud through account takeovers, fake account creation or other automated attack. With thousands of configs available on the web, bad actors can find a pre-defined attacks for the retail, financial services, streaming media or other web application they want to target. If a predefined attack config for your company is discovered, how should you react? In this session, Will Glazier, head of security research at Cequence Security will provide tips and techniques to help you uncover the existence of an attack config, then demonstrate how it is used in OpenBullet, providing pointers on how to use OpenBullet to your mitigation advantage. A demonstration of Cequence Bot Defense will wrap up the session. Discussion topics for the talk will include: Researching Attack Configurations - Forums - Attack tools - Using the power of Google Turning the Tables: OpenBullet Deep Dive - How it works - Use it to your advantage: stop the attacks Using OpenBullet Findings to Prevent Attacks - Brief demo of Cequence Bot Defense

1. There’s an OpenBullet
Attack Configuration for
Your Site – What Now?
Will Glazier
Head of Threat Research
Cequence Security

2. • What is OpenBullet
• How is OpenBullet used
• Demo
• Being Proactive
• Q&A
Agenda

3. • Venture-backed start-up bringing much-needed innovation to
application security
• Award-winning AI-powered security platform that automatically
protects web, mobile, API-based applications from bot attacks and
vulnerability exploits
• Proven leadership team from Palo Alto Networks and Symantec
• Visit us at www.cequence.ai
About Cequence Security

4. • What is OpenBullet?
• Sophisticated, all-in-one attack
toolkit - can be used for ATO,
credential stuffing, other attacks
• Open-source version of the older
“BlackBullet” tool created in 2018
• Up-to-date and well-maintained
GitHub repository and forum
• Billed as a “webtesting” platform…
OpenBullet 101
https://github.com/openbullet/openbullet

5. • “Config” files
• Instructions for the tool to carry
out the automated attack
• Highly Configurable and
Customizable
• Availability of “Plugins” and
“Mods” like the new “Anomaly”
version
• reCaptcha bypass
• Support for different Captcha
solvers as well as OCR
• Use of Selenium Drivers
• JavaScript Execution
• Human Browser Actions
OpenBullet Capabilities

6. OpenBullet Demonstration

7. OpenBullet Execution
How it’s used: Single app to manage the 4 pillars of an ATO attack
TOOLS INFRASTRUCTURE
CREDENTIALS BEHAVIOR
Automate and manage the attack
Easily sourced, regularly refreshed Actions taken to hide, react when blocked
Distribute and anonymize the attack

8. How to Perform an ATO Attack
• Reconnaissance
• Attack
• Credential Stuffing (Breach Data Dumps): 80% of users recycle
passwords
• Credential Cracking (Brute Forcing)
• Dictionary Attacks
• Rainbow Tables
• Guessing
• Password Spraying
• Retooling (Rinse and Repeat)
• All While Using…
• Proxies
• Botnets
• Automation Tools
• Custom “Config” Files
Common OpenBullet Use Case: ATOs

9. • Account Data Harvesting
• Credentials, Personal Information, Saved
Payment Data, Reward Points
• Fraud: Show Me the Money!!!
• 679,000 Mobile Account Takeovers
• $4B in Total Losses from ATO in 2019
• $1 Lost = $3 Expense to a Retail Company
• Common Attack Trends
• Increased Attack Traffic During Special Events
• Tool and “Config” Testing
• New Breach Released
• Off Hours, Weekends, and Holidays
ATO Goals
Sources:
https://www.outboundengine.com
Javelin Research
LexisNexis 2019 Cost of Retail Fraud

10. Typical Attackers
Advanced “Hacker”
• Developer
• Targeted Attacker
• Programmer for Hire
• Works in the Shadows
• Expert Skill Level
• “Low & Slow” attacks
• Persistent retooling
Organized Retail Crime
• Opportunistic/Targeted
• Moderate/Advanced Skill Level
• Networked
• Money Driven
• Reconnaissance
• Reverse Engineering
• Dedicated/Rotating Proxies
Script Kiddies
• Opportunistic
• Low Skill Level
• YouTube Taught
• “Plug & Play”
• Little to No Reconnaissance
• Cheap/Low Quality Proxies

11. • Start with Regular Google Search
• YOURCOMPANY config
• YOUROMPANY blackbullet
• Google Dorking Examples:
• Intext: OR allintext:
• intext: “YOURCOMPANY config”
• allintext: “YOURCOMPANY blackbullet”
• Where to Look
• Hacking Forums
• intext: “YOURCOMPANY” inurl: “www.nulled.to”
• Nulled.to
• Cracked.to
• Crackingking.com
• Sickaccountshop.com
• Other Sources: Dark or Deep Web, Reddit,
Telegram, Discord
Becoming Proactive: Lets Get Dorking!

12. Bot Defense
Demonstration

13. Cequence Bot Defense
• Automatically see the
applications and API endpoints
attackers are targeting
• Extract & analyze interesting
data from research
Discover
• Analyze bot traffic with
predefined rules that focus on
attack Tools, Infrastructure,
Credentials, & Behavior
Detect
• Automated policies to block
bots as they retool and
adapt their behavior
Defend

14. • Get involved, be proactive, simple searches
can uncover troves of info
• Understand the tools your adversaries are
using – they are more sophisticated than
ever before
• Ask for help and advice – collectively, your
defensive efforts will be stronger (this
includes leveraging vendor relationships as
well)
Key Takeaways

15. • Start preventing bot attacks today!
No JavaScript and SDK required - the industry’s
only patented ML-based bot analysis engine
Not a Blackbox: Integrate behavioral fingerprint
data with your security infrastructure
Deployment Flexibility: Data center, the public
cloud, or SaaS
• Visit us at www.cequence.ai
Bot Defense 30-Day Free Trial
https://www.cequence.ai/botdefense-saas-free-trial/

16. Thank You