There is an activity called “Credential Stuffing that is very, very common for website owners to see. It starts with a list of usernames and passwords that you got from a data breach, phishing, trading with others, or buying on the Dark Web. You then put the list into a tool like MBA Sentry that checks across one or many websites to see how many accounts use that username/password combination. This works because many users reuse passwords across many sites and many sites use the users email address as their account name.
And, like learning everything else on this planet by watching tutorials on YouTube, you can find a lot of tutorials that also teach you how to use credential stuffing tools. That is a good source of intelligence on tools and techniques that you can use to learn about and monitor the space. The tutorials themselves are usually people showcasing their talents for hire, people trying to generate sales leads for their tool or plugin that helps you launch a credential stuffing attack, or people trying to get users to download their tool which also contains a trojan horse that will compromise your computer.
The Googledork itself constrains results to just YouTube and uses the phrase “Account Checker” which is what the criminals call their tools. They also abbreviate the term to “Acc Checker” and you’ll sometimes find that used instead. You can also add the name of your company, product, service, etc to find tools that just target you.
The Googledorks are…
site:youtube.com (“account checker|”acc checker”)
site:youtube.com (“account checker|”acc checker”) <your company or service>
When I watch these videos, I’m looking for either new tools, targets, or capabilities. As a result, I’ll skim a lot of the content watching the thumbnail until I get to a section that is interesting. Another way to use these videos is to pivot into the channel to see if they have any other interesting videos that you can u
For this series on Blue Team Googledorks, the introduction post has the information on how to generate your own searches and how to automate the process.
Published on March 26, 2021.
Last Updated on 3 months ago.
One thought on “Blue Team Googledorks: Account Checker Tutorials”