Behind the Meteoric Rise of OpenBullet

A powerful, open-source penetration testing tool has become the password cracker of choice on the dark web, and its users are increasingly focused on getting access to streaming entertainment. In fact, interest in cracking Netflix passwords is almost as high as interest in cracking Amazon, eBay, and Walmart accounts combined.

The tool in question is known as OpenBullet, which officially launched in May 2019 (there’s some evidence that it existed well before that). Since then, its popularity has skyrocketed, garnering 177,000 mentions across the dark web. There was an especially large spike in interest in the tool in March 2020, as COVID-19 lockdowns pushed a wide variety of actors to the dark web.

The reason for its popularity is simple: hackers with almost zero technical skills can use it. OpenBullet makes it easy for threat actors to automate attacks through a single console view using components that are easily bought on the dark web. Those components come in three basic forms: 

  • Combolists: Lists of potential usernames and passwords deployed in brute-force password cracking attempts
  • Configs: Website-specific executable code that can be used to automate attacks and log successful attempts
  • Proxy access: Free and paid services that anonymize a user’s presence or make it seem like they are working from a specific geographic area. These services help users evade detection by automated security defenses, as well as law enforcement. 

Once a threat actor has obtained potential username and password combinations, they’ll need a script to automate the cracking attempts. Configs are scripted to work with a particular website or service, such as Walmart, Netflix, or Bank of America, three prominent targets documented in our report. The config automatically enters credentials from the list and, if successful, records the authorization token for each one.
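A defender's view of the pattern described above, as an added example that is not from the original report: because proxies spread a combolist replay across many source addresses, per-IP counting sees nothing, while grouping by a client fingerprint exposes it. The log format, the fingerprint field, the thresholds, and every sample line are constructed assumptions.

```python
from collections import defaultdict

def parse(line):
    """Parse 'epoch ip username outcome fingerprint' (assumed log format)."""
    ts, ip, user, outcome, fp = line.split()
    return {"ts": int(ts), "ip": ip, "user": user, "ok": outcome == "ok", "fp": fp}

def flag_groups(events, key, min_users=10, min_fail_ratio=0.8):
    """Return {group: stats} for groups that tried many distinct accounts
    and mostly failed, which is the shape of a combolist replay."""
    groups = defaultdict(list)
    for e in events:
        groups[e[key]].append(e)
    flagged = {}
    for name, evs in groups.items():
        users = {e["user"] for e in evs}
        fails = sum(not e["ok"] for e in evs)
        if len(users) >= min_users and fails / len(evs) >= min_fail_ratio:
            flagged[name] = {
                "attempts": len(evs),
                "distinct_users": len(users),
                "distinct_ips": len({e["ip"] for e in evs}),
                # Accounts that authenticated inside a flagged group need a reset.
                "compromised": sorted(e["user"] for e in evs if e["ok"]),
            }
    return flagged

# Constructed sample: 12 logins, each from a different proxy IP and for a
# different account, all sharing one client fingerprint; one succeeds.
LINES = [
    f"{1700000000 + i} 203.0.113.{i + 1} user{i:02d} {'ok' if i == 7 else 'fail'} fp-tool-x"
    for i in range(12)
]
# Constructed legitimate traffic: one user mistypes twice, another logs in.
LINES += [
    "1700000001 198.51.100.10 bob fail fp-browser-a",
    "1700000009 198.51.100.10 bob fail fp-browser-a",
    "1700000020 198.51.100.10 bob ok fp-browser-a",
    "1700000030 198.51.100.22 alice ok fp-browser-b",
]
EVENTS = [parse(line) for line in LINES]

if __name__ == "__main__":
    print("by ip:", flag_groups(EVENTS, "ip"))           # nothing flagged
    print("by fingerprint:", flag_groups(EVENTS, "fp"))  # fp-tool-x flagged
```

The fingerprint here stands in for whatever stable client attribute a login service records; the thresholds would need tuning against real traffic.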

An example of a config for Shopify’s Oberlo website is seen below.

There were more than 80,000 posts regarding combolists on the dark web in 2020. A single hacking forum in 2020 had more than 50,000 mentions of configs. These figures provide significant insight into the scale of interest in these topics. 

Streaming services, financial services applications, and ecommerce websites were seemingly the most popular targets for password cracking. We know this by counting dark web posts in which people offer to buy configs targeting different services and websites. Looking deeper into these three verticals, below is a list of the number of mentions of configs for the top three companies in each vertical:

 

 

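| Vertical           | Company         | Mentions |
|--------------------|-----------------|----------|
| Streaming          | Netflix         | 43,600   |
| Streaming          | Hulu            | 14,500   |
| Streaming          | Disney+         | 9,800    |
| eCommerce          | Amazon          | 24,000   |
| eCommerce          | eBay            | 15,000   |
| eCommerce          | Walmart         | 4,900    |
| Financial Services | Bank of America | 4,300    |
| Financial Services | Chase           | 2,200    |
| Financial Services | Wells Fargo     | 298      |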

As you can see from the chart, streaming services lead the pack. At first glance this result might seem a little puzzling because the conventional wisdom holds that most criminal hacking is motivated by money. The relative level of security at streaming services could explain why: some streaming services don’t require two-factor authentication by default. 

It can’t be overstated just how easy it is to buy configs and other attack components on the dark web. The interest in the purchase of configs, for example, could be an indication that the users of OpenBullet are rather unsophisticated. But it could also be yet another example of the dark web’s highly efficient division of labor. That is, the reason that threat actors advertise that they want to buy configs isn’t because they don’t know how to script them, but because it’s easier and faster.

Offers to sell configs outnumber posts from people seeking to buy - which may indicate that dark web actors don’t feel any pressure to build them or learn how to build them. One Discord server provides lists of users available to develop configs upon request. 

For companies and security teams, the rise of plug-and-play attack tools has broadened the threat landscape. But the decentralized nature of the attack supply chain means that it is very hard for hacking plans to stay secret - if you know where to look.

Tools like OpenBullet may lower the barrier for entry into the hacker space, but because new hackers need to buy configs and combolists, they leave footprints in the dark web. While this report chronicles the interest in password cracking for nine companies, it shows that dark web monitoring and investigations are vital tools for the enterprise cybersecurity team.

To learn more on the rise of OpenBullet, download the full threat report, OpenBullet: The Threat Actor's New Magic Bullet.
