Breaking Down Fraud Flows: Credential Stuffing

October 22, 2019

Since being founded, we’ve investigated a wide variety of fraudsters and their lines of attack. This blog is the first in a series where we will share our knowledge and expertise to break down the flows of the most popular fraud attacks. We’ll start with credential stuffing, which is the first step in account takeover fraud, how and why it is so easy to carry out, and the most popular tools used. 

A credential stuffing attack is used to validate a list of stolen user credentials.This type of attack method first surfaced in 2014 and is currently a threat to all online businesses, especially the following 5:

  1. Retail - costing businesses $6 billion annually
  2. Video Streaming Services, Social Media & Entertainment - the video media sector experienced ~200m credential stuffing attempts 
  3. Financial Services - costing $1.7 billion annually in banking alone
  4. Higher Education
  5. Health Services

Before we present the most popular credential stuffing tools, let’s explore some critical background information regarding the ‘prerequisite’ skills and resources needed to carry out these attacks. 


The Person Behind the Attack

Based on our research, we have divided these fraudsters into two groups: “opportunists,” who are out for a quick attack; and “strategists,” who prepare for longer campaigns. You can tell them apart by their toolboxes and motivation levels, as follows:

 The Opportunist: 

  • Typically less skilled and after a “quick win”
  • Sees a free or paid script and CONFIG file online and uses it right away
  • Buys or acquires proxy and combo lists 
  • Is likely to use a 24/7 credential stuffers helpdesk

The Strategist: 

  • Typically more skilled, organized and meticulous 
  • Researches targets in-depth, looks for authentication failures to exploit
  • Chooses their tool carefully; often has a favorite 
  • Creates own CONFIG file
  • Buys or acquires proxy and combo lists 

It’s As Easy as 1, 2, 3

Credential stuffing requires just 3 resources, all of which can be acquired on both the Dark Web and the Grey Web. The fact that they can be found on both is testament to their accessibility. 

The resources comprise of:

  1. An automation tool
  2. A CONFIG file per application 
  3. Combo & proxy lists 

Credential Stuffing Bots

Credential stuffing attacks are carried out using an automated tool, popularly known as bots. They are used to run a repetitive action to quickly test the validity of stolen credentials. Bots empower fraudsters to efficiently and effectively scale their attacks easily, assessing for quality and quantity. 

Each bot requires its own custom-built data file called a CONFIG file in order to execute its task.


CONFIG files are “recipes” for bots, they are customized per tool and per website, and are easy to edit or update. They vary in sophistication, the more advanced ones support more complex login flows. 

Purchased files are often guaranteed to work for a certain amount of time and if they fail, the seller will update them in exchange for vouches - and for fraudsters, reputation is everything. Some bot sellers will choose to release free, high-quality CONFIG files just to generate a good reputation. As you will see below in the screenshot, listings of CONFIG files specify the tool and website or application it will work with.

Credential Stuffing: bot-specific CONFIG files available on the Grey Web 

Screenshot showing bot-specific CONFIG files available on the Grey Web 

Gucci CONFIG file - Credential Stuffing

Screenshot of a recently published CONFIG file for use against Gucci’s website

2-For-1: Per-Site Tools

The best ROI of a credential stuffing attack are said to come from using a per-site tool. This is a hard-coded tool where the script, CONFIG file and lists are all integrated. It does not exist for every site and can require a significant time investment (or money) on the fraudster’s end. It is a risky investment as, in the event that the website’s security or login process is changed or strengthened, the tool becomes worthless. Yet, this all-in-one tool is considered to provide the best ROI. 

X-Slayer is a well-known fraudster who has a reputation for selling high-quality per-site tools. A quick search on Google reveals YouTube tutorials how to use his tools, tool downloads and much more including tools he released for Netflix and Instagram. It’s doubtful his presence has not been felt by a lot of online businesses. 

Combo & Proxy Lists

These are very easy to come by and cheap to buy or free for the taking. 'Combo list' is the name given to the file that contains the usernames and passwords of user accounts, including other personal data that is available. A proxy list allows fraudsters to anonymize the traffic they are generating. 

The Most Popular Credential Stuffing Bots

  • Sentry MBA: One of the oldest and most popular bots, with over 1,000 config files available, costing $5-$20 each. Sentry is known to have been used in credential stuffing attacks against “large retailers” and Netflix, Instagram, and “Universal Email Address Checker,” with many “how to” videos on YouTube. 
  • SNIPR: Available since at least 2016 and costs $20. It comes with over 100 CONFIG files and supports 4 concurrent attacks. SNIPR was used in two recent credential stuffing attacks on Dunkin’ Donuts. 
  • STORM: Released in January 2018, STORM is unusual because it’s free (donations requested). It supports combo files of up to 20 million records. CONFIG files for using it in attacks against Netflix and other sites are easily found. 
  • Black Bullet/Open Bullet: Black Bullet was launched in 2018, costing $30-$50 with 530 CONFIG files. It can no longer be acquired but an open source version, Open Bullet, is available (donations are requested). CONFIG files that can be used against Netflix and other sites are easily found. 

How do fraudsters choose their tool?

In addition to the number of combo lists a bot can handle, fraudsters take the following into account when choosing a bot:

  • Speed: The faster the bot can operate, the more hits a fraudster will get per session
  • Efficiency: Even a small tweak in code can make a difference testing files with millions of combo pairs 
  • Complexity: Benefits opportunists who lack the knowledge to hack complicated software
  • Flexibility/Customization: Strategists value these qualities more than opportunists 
  • Convenience/ease of use: This is a recent trend - even strategists on the Dark Web, who previously didn’t care about these issues, are searching for tools that are easy to use. 

Price, however, is seldom considered since so many tools and CONFIG files are available for free -- many established hackers give files and tools away in return for recognition or “vouches.” 


Credential Stuffing in Perspective

There are many tools and best practices available to help protect your website or application from fraudsters but (a) it’s not easy to decide; (b) they are unable to catch credential stuffing attacks in-the-act; and (c) any new addition to your toolbox is likely to increase friction in the user experience - a big no-no in the consumer facing world.

Another option is to give yourself the extra edge by investing time in familiarizing yourself with both the Grey and Dark Webs: get to know fraudsters’ behaviors, engage in discussions, learn the latest tools and methods, or, even better, search for CONFIG files that contain your company’s name. It may tie up some resources in the beginning, but the long term benefits will make it worth your while.

Credential stuffing is a significant step in account takeover and being able to stop ATO attacks at this stage is critical: it can mean the difference between a slightly damaged public profile and exponential damages to both reputation and profits. Of course, we are advocates for behavioral biometrics, but we support all approaches to fraud prevention wholeheartedly.


Recent Posts

Peak Season 2020: Account Takeover is Here to Stay and Other Takeaways
It's Time We Confront These Common Myths About Behavioral Biometrics
[Infographic] Breaking Down the Fraud Flow of Account Takeover
Emulator Fraud-as-a-Service: The Threat Landscape Continues to Evolve
Why reCAPTCHA v3 for Enterprise Matters

Follow Us