Dark Web News Analysis
A threat actor has shared a new, cracked, or updated version of the “Hackus Mail Checker” on a major cybercrime forum. This tool is a specialized “All-in-One” application designed for credential stuffing—the automated testing of stolen username/password pairs against email services.
Brinztech Analysis:
- The Tool’s Purpose: Hackus is not a penetration testing tool; it is purpose-built for cybercrime. It automates the validation of millions of leaked credentials to identify working email accounts.
- Targeted Protocols (IMAP/POP3): The tool explicitly targets IMAP and POP3 protocols. Attackers prefer these legacy protocols because they often lack the robust rate-limiting and behavioral analysis checks found on web-based login portals (HTTP/HTTPS). Crucially, many organizations inadvertently leave legacy authentication enabled, allowing tools like Hackus to bypass MFA enforcement that only applies to web logins.
- New Capabilities: The updated version reportedly includes:
  - Automated Captcha Solving: To bypass security challenges.
  - Advanced Proxy Rotation: To evade IP bans by cycling through thousands of residential IPs.
  - “Search” Functionality: The ability to scan compromised inboxes for specific keywords (e.g., “Reset Password,” “Bank,” “Wallet,” “PayPal”) immediately upon successful login.
Key Cybersecurity Insights
This release represents a “democratization” of account takeover capabilities:
- Lowered Barrier to Entry: By sharing this tool for free or at a low cost, the threat actor enables low-skill “script kiddies” to launch sophisticated attacks that previously required custom coding.
- The “Legacy Auth” Blind Spot: The tool’s effectiveness relies on the persistence of legacy authentication. While modern OAuth 2.0 and MFA secure web access, IMAP/POP3 ports (143, 993, 110, 995) often remain open to the internet with basic user/pass authentication active, creating a massive attack surface.
- Credential Stuffing Lifecycle: This tool is the engine of the “Combo List economy.” Attackers take data from one breach (e.g., a gaming site leak), run it through Hackus against Gmail/Outlook/Yahoo, and then resell the valid accounts to other criminals for spamming or financial fraud.
Mitigation Strategies
In response to this tool’s circulation, organizations must harden their email infrastructure:
- Disable Legacy Authentication (Critical): The most effective defense against Hackus is to disable IMAP and POP3 entirely if not needed. If they are required for legacy applications, restrict access to specific trusted IP ranges.
- Enforce MFA on All Protocols: Ensure your Multi-Factor Authentication (MFA) policy extends to all authentication flows. Microsoft 365 and Google Workspace administrators should disable “Basic Authentication” to force modern login challenges that Hackus cannot easily bypass.
- Rate Limiting: Implement strict rate limiting on login attempts from a single IP or subnet. Since Hackus uses proxy rotation, also monitor for “impossible travel” or high-velocity login failures across the tenant.
- Password Policy: Enforce a ban on common passwords. Credential stuffing relies on users reusing passwords; checking new passwords against a “breached password” database (like Have I Been Pwned) prevents vulnerable credentials from being set.
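The rate-limiting point above is that per-IP limits are blind to a tool that rotates through thousands of proxies, so the failures have to be counted across the whole tenant. The following is an added detection example, not code from the original post or from Brinztech: it runs a sliding window over constructed IMAP/POP3 authentication log lines (the log format and the thresholds are assumptions) and alerts when many distinct accounts fail in a short interval, while also reporting what a per-IP limiter would have seen.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions, not from the post): tune per tenant size.
LEGACY_PROTOCOLS = {"imap", "pop3"}
WINDOW = timedelta(seconds=60)
MAX_FAILS = 20    # failed legacy logins tenant-wide inside one window
MAX_USERS = 10    # distinct accounts among those failures (combo list, not one typo)

def parse_line(line):
    """Constructed log format: '<ISO timestamp> <protocol> <user> <source IP> <OK|FAIL>'."""
    ts, proto, user, ip, result = line.split()
    return datetime.fromisoformat(ts), proto.lower(), user, ip, result == "FAIL"

def detect_stuffing(lines, window=WINDOW, max_fails=MAX_FAILS, max_users=MAX_USERS):
    """Sliding window over the whole tenant, so proxy rotation (one failure per IP)
    cannot hide the burst the way it hides from a per-IP limiter. Returns alerts."""
    recent = deque()          # (timestamp, user, ip) of failed legacy-protocol logins
    alerts = []
    for line in lines:
        ts, proto, user, ip, failed = parse_line(line)
        if proto not in LEGACY_PROTOCOLS or not failed:
            continue          # web logins and successes are out of scope here
        recent.append((ts, user, ip))
        while ts - recent[0][0] > window:
            recent.popleft()
        users = {u for _, u, _ in recent}
        if len(recent) >= max_fails and len(users) >= max_users:
            per_ip = Counter(i for _, _, i in recent)
            alerts.append({"window_end": ts.isoformat(), "failures": len(recent),
                           "distinct_users": len(users), "distinct_ips": len(per_ip),
                           "max_per_ip": max(per_ip.values())})  # what a per-IP limiter sees
            recent.clear()    # one alert per burst
    return alerts

def build_sample_log():
    """Constructed sample: one user mistyping a web password three times, then a
    burst of 24 IMAP failures across 12 accounts, each from a different proxy IP."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    lines = [f"{(base + timedelta(seconds=i)).isoformat()} https alice 203.0.113.5 FAIL"
             for i in range(3)]
    for i in range(24):
        ts = (base + timedelta(minutes=5, seconds=i)).isoformat()
        lines.append(f"{ts} imap user{i % 12}@example.com 198.51.100.{i + 1} FAIL")
    return lines

if __name__ == "__main__":
    for alert in detect_stuffing(build_sample_log()):
        print(alert)
```

On the sample, the burst produces one alert with 20 failures from 20 different IPs and a per-IP maximum of 1, which is exactly why a per-IP threshold alone never fires against proxy-rotated stuffing.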
Secure Your Business with Brinztech — Global Cybersecurity Solutions
Brinztech protects organizations worldwide from evolving cyber threats. Whether you’re a startup or a global enterprise, our expert solutions keep your digital assets safe and your operations running smoothly.
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com