With Sentry MBA, criminals buy an off-the-shelf, ready-to-go solution and pair it with a list of stolen credentials. Hundreds of millions of stolen credentials are already available for sale on underground forums, a result of the recent wave of breaches.
Sentry MBA comes with a graphical user interface that makes it possible for a criminal with very basic skills to create a very sophisticated attack, said Agarwal.
"These are not brute force attacks," said Agarwal. "These are tailored attacks that simulate human behavior."
In particular, attacks are custom designed for each website individually. Working configurations for various websites are available in the criminal forums, and they specify in detail the location of the login pages and individual form fields, plus the rules for valid password construction and other details that make it possible for Sentry MBA to log into the site.
Finally, attackers can customize their attacks further, for example by telling the tool which keywords in a response indicate a successful or a failed login attempt.
One potential sign that a credential attack is ongoing is that login failure rates suddenly go up dramatically.
At that point, if defenders spot the attack early, they can turn on across-the-board second factor authentication, or swap out the login page for one that hasn't been seen before.
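As an added illustration of the warning sign described above (this is not code from the article or from Shape Security), the script below buckets login events per minute and flags windows whose failure rate jumps far above an assumed baseline. The log format, the sample entries, and the thresholds are all constructed for the example.

```python
"""Flag one-minute windows where the login failure rate spikes.
Added example; log format, sample lines and thresholds are assumptions."""
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <username> <client ip> <result>"
SAMPLE_LOG = """\
2024-01-01T10:00:05 alice 203.0.113.5 success
2024-01-01T10:00:40 bob 203.0.113.6 failure
2024-01-01T10:01:10 carol 203.0.113.7 success
2024-01-01T10:01:50 dave 203.0.113.8 success
2024-01-01T10:02:30 erin 203.0.113.9 success
2024-01-01T10:05:01 user001 198.51.100.10 failure
2024-01-01T10:05:02 user002 198.51.100.10 failure
2024-01-01T10:05:03 user003 198.51.100.11 failure
2024-01-01T10:05:04 user004 198.51.100.11 failure
2024-01-01T10:05:05 user005 198.51.100.12 failure
2024-01-01T10:05:06 user006 198.51.100.12 success
2024-01-01T10:05:07 user007 198.51.100.13 failure
2024-01-01T10:05:08 user008 198.51.100.13 failure
"""


def parse_log(text):
    """Return a list of (timestamp, username, ip, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result == "success"))
    return events


def failure_rates(events):
    """Map each one-minute window start to (attempts, failure_rate)."""
    buckets = {}
    for ts, _, _, ok in events:
        key = ts.replace(second=0, microsecond=0)
        attempts, failures = buckets.get(key, (0, 0))
        buckets[key] = (attempts + 1, failures + (0 if ok else 1))
    return {k: (a, f / a) for k, (a, f) in buckets.items()}


def detect_spikes(text, baseline_rate=0.2, spike_factor=3.0, min_attempts=5):
    """ISO window starts whose failure rate is >= spike_factor x baseline.
    min_attempts keeps a quiet minute with a single typo from alerting."""
    rates = failure_rates(parse_log(text))
    return sorted(k.isoformat() for k, (a, r) in rates.items()
                  if a >= min_attempts and r >= baseline_rate * spike_factor)
```

The 10:05 window (seven failures in eight attempts) is the only one flagged; the lone failure at 10:00 stays below the volume floor.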
Shape Security, in fact, is in the business of doing the latter -- creating multiple login pages on the fly that look the same to human users and browsers for the disabled, but different to automated tools that read the underlying code to find form elements.