What are credentials?

In the field of information technology, credentials refer to specific data or authentication tools required to verify the identity of a user, authenticate them and grant access to a system or network ID. Credentials are extremely important when it comes to securing a company’s network infrastructure, protecting both their employees and customers, and safeguarding their assets.

And all it takes is one ‘good’ credential – that is, one which has not been blocked in time by the owner or its security team – for an attacker to compromise the organizations’ infrastructure and cause havoc.

Once inside, advanced cybercriminals can move laterally, placing backdoors, RATs and other software to become persistent, exfiltrate the data of employees or customers to resell or utilize for their own financial gain. Different kinds of credentials are used for authentication every day, from physical keys to tokens and cards, to digital private keys, session cookies, digital certificates on websites… however, all of them are vulnerable if you use the right tools or techniques. In terms of enterprise security, the most widely used and most easily compromised are login-password credentials, generating a significant amount of risk to any organization. Credential theft is a growing industry within the cybercriminal ecosystem for the trade and direct use of compromised login-password credentials. The market for credential theft is extremely broad with very high potential as a result of the proliferation of cheap malware kits available online, an increase in active stealer campaigns globally, and ever-more sophisticated tactics, techniques and procedures implemented by cybercriminals. Binding them all together though, is freshness.

Why is freshness so important?

The fresher the compromised credential, the higher the chance cybercriminals can achieve their financial objective. There are several reasons behind this. Credentials are rarely used by cybercriminals in ‘real-time.’ Unless the credential is compromised in highly targeted attacks, cybercriminals require time to analyze the reams of data that they capture. This process of filtration and extraction enables them to pull out ‘prime’ credentials either to sell in illegal underground marketplaces or use them for further exploitation. On the flipside, the sooner that these compromised credentials are detected, the sooner security teams can remediate them. This is where cyberthreat intelligence services – like our powerful Credentials detection module – come into their own. If stolen credential information can be detected very early on, no more than a few days after they have been compromised, the impact of the theft on the business can be massively reduced.

What are cybercriminals doing with your stolen passwords?

What are the cybercriminals trying to achieve?

To achieve their final goal – which more often than not is profit – cybercriminals usually have one of the following objectives:

• Fraud, through an account takeover, from transfers and purchases to money laundering and insurance scams
• Blackmail, where sensitive or confidential information is not sold but rather ransomed back to original owners
• Distributing crimeware, using mainly e-mail, system and social network credentials or injecting malicious code or content into websites
• Reputational damage, to harm the image of the company
• Hacktivism, where hackers can perform defacements, expose controversial information or impersonate well-known people on social media
• Identity theft, with financial loss and reputational damage as its consequence
• Espionage, ranging from individual to corporate to nation-state operations where stolen accounts are used to spy and gather information from legitimate owners

Is your organization at risk?

There is no getting away from the fact that all industries are impacted by credential theft. There are a variety of ways that cybercriminals can turn a profit from gaining login access, regardless of sector. Here we offer a summary of how compromised credentials can be used by cybercriminals generally, and also how various verticals are impacted more specifically.

General

Email or social media account takeovers can be extremely damaging to organizations. They are typically used to perform spam and phishing campaigns or spread malware, but can also be used for blackmail to great effect. Spam campaigns are one the most widely-used methods of compromise, and indeed some spambots, such as Geodo/Emotet, automatically steal e-mail credentials to continue performing malicious activity. For employees, impact might be relatively low as an account may be swiftly blocked. When an e-mail account belongs to a director of a company however, there is a high chance that it is used to carry out CEO fraud (also known as BEC attack). Here, a compromised account is used by attackers to impersonate the executive and urge employees to make a transfer. Another possibility is that the account is used to send malware to the recipient, leading to a targeted attack and possibly ending up in a serious intrusion. The impact in the case of CEO fraud can be very high if the attack is successful, and many different sectors are known to have been targeted using this technique. Other impersonations may lead to identity theft if the attacker tries to perform account takeovers in services where the compromised account is used to recover or reset the password. This is a serious problem because it is difficult for the individual victim to recover access. For companies, this may also lead to further attacks, due to the fact that the number of compromised accounts is higher than before, and therefore the attack surface much wider. Additionally, depending on the confidentiality and importance of the information stored in the e-mail account, the credential theft may end up being used for espionage or blackmail. For all organizations, stolen credentials allowing the administration of websites like FTP or Content Management System (CMS) accounts are a powerful tool which can cause a lot of damage to the owners. Those accounts are used by hacktivists and script-kiddies to perform defacements of public pages, to protest against a specific subject or just to prove that the group is able to attack any website. Other attackers use the site administration access to inject additional Javascript code, allowing them to keep stealing credentials or credit cards. Cybercriminals can also use code injection to configure hidden iframes and transparent redirections of the users to exploit kit landing pages where the victims are infected with malware. Recently, due to the growing popularity of cryptocurrencies, mining code has been spotted in compromised websites, making the visitors mine virtual currencies in behalf of the criminals.

Banking & Finance

The impact of credentials which grant access to online banking depends on security measures implemented by the bank. If additional authentication mechanisms are not used effectively to protect the most important operations like wire transfers, personal information modification, credit card management, etc. Credential Theft on Financial Services can have an extremely high impact.

Insurance

Cybercriminals can use insurance accounts for several different types of fraud. For example, they might change payee information to receive insurance refunds, rather the legitimate policy holder, or use a stolen account to fill in false claims. Besides that, access to sensitive information stored in those accounts can be used to be sold in underground markets or even blackmail or kidnap the owners. Although kidnapping could be seen as a bit extreme, in some countries insurance information has been used to choose wealthy victims, kidnap them and ask for a ransom. Depending on the insurance company and the country where it is located, insurance fraud can impact the policy holder or the insurance company, although in most cases it’s the company that takes the hit.

Retailers and e-commerce

Having access to an account of a retailer or e-commerce company normally allows the attacker to perform purchases using the stolen account balance or configured payment method. Therefore, credential theft can lead to fraudulent transactions at the user level. However, professional criminals can also use retailers and e-commerce to launder money and this costs the organization a significant amount each year.

How can you defend from credential theft?

Organizations should look to a holistic approach when it comes their cyberdefense. Admittedly there is no single measure or technology that can achieve total coverage, so organizations need to put in place different complementary solutions to minimize both risk and impact. Companies should also consider how strong they look at three stages: before, during and after attack. In other words, asking yourself what measures you have in place for prevention, detection and response should be on the minds of every CISO, CERT, IRT and threat intelligence team.

Preventing credential theft

Education

As with many aspects of cybersecurity, education is key to mitigating attacks. Do all employees know how to recognize a phishing email, for example? Under no circumstances should an IT or security team be the only group within a company that knows how to identify potentially malicious activity. The ability to recognize when credentials might be compromised can save a huge amount of pain and financial loss. Any request for credentials should be treated as guilty until proven innocent. It may appear that the responsibility rests on the user ultimately rather than the technology – and this is true. The end user is both the weakest and strongest link in the chain, and a ‘human touch’ complemented by threat intelligence is often the best way of protecting an organization. In the case of phishing, escalation processes which ensure that email requests are validated mean that there is always a point of human verification.

Threat Intelligence tools

Targeted threat intelligence modules can also work to prevent attacks. For example, aggressively hunting malware aimed at your organization enables forensic reporting on behaviors that could compromise your network and result in credential theft. Robust and continuous analysis of samples in the wild is available using our targeted malware module. Modules which combat phishing attempts proactively detect campaigns before they can have an impact. Analysis and reporting on these potential attacks can then be shared with employees in an education drive to ensure that they, and your organization, do not become victims.

Smart password use

There are also a number of fairly straightforward methods to prevent credential theft. Password reuse should be avoided at all costs, for example. Automated credential stuffing means that once an attacker has one password, it can be very quickly tested on other domains to compromise systems further. A quick fix to this is to simply avoid reusing passwords with a strong password policy. In the same vein, sharing credentials between parties doubles your risk. Practically speaking this is often to save time and money (sharing subscriptions internally at a company, for example) but exposing credentials even internally means that there is a greater chance of compromise.

Red teaming

For organizations with an established security setup or those that work with security providers, ‘red teaming’ is recommended, meaning that there is a designated group with tactical experience who are persistently challenging security protocols. The idea is to identify weaknesses before the bad guys do. To be effective, they must operate relatively independently, challenging the assumptions of security teams and trying a variety of attack techniques without prior notice to employees. These sort of ‘surprise’ attacks, on a routine but irregular basis, can be most effective in exposing flaws and weaknesses in your security posture. Generally, red teaming is an immensely valuable method to strengthen your organization’s security posture.

One-time passwords, two-factor authentication, multi-factor authentication

Many sites outside of financial services are now using two-factor authentication processes, from security questions to physical passcards to messages sent to mobile devices. Even more secure are authentication processes that use more than two factors – multi-factor authentication (MFA). The benefit of using these is that an attacker is less likely to have access to more than one factor than the stolen password. Single sign-on tools and password vaults both simplify the user experience and also act to mitigate potential theft. However, though password vaults do often help create and store strong credentials, they often become targets themselves because of the amount of valuable data stored. One-time passwords (OTPs) on the other hand are particularly effective, given that they often incorporate 2FA/MFA and removes the need to memorize multiple passwords.

Detecting credential theft

Continuous cyber-hygiene within your organization can help prevent attacks, as well as mitigate their impact if and when one happens. Setting the appropriate alerts which detect intrusions can offer some protection, but an ongoing process of pentesting and patching is crucial for safeguarding your company credentials. The bad guys are constantly testing new ways to exploit your infrastructure, so remaining static when it comes to your security protocols is a sure-fire way to get breached.

Threat intelligence can help you optimize your detection methods. For example, identifying a sudden change in connection location might offer a clue that your organization is being targeted. When these are spotted, processes which allow you to separate these accounts from your infrastructure should be employed to mitigate any potential impact.

Further, enhancing your visibility of crimeservers can rapidly reduce exploitation time by adversaries and improve incident response time. You are then able to employ fast-blocking techniques to prevent future attacks, and ongoing monitoring.

Reacting to credential theft

Using threat intelligence services can significantly reduce the damage caused by credential theft. Blueliv’s MRTI feed arms users with ultra-fresh data to protect assets and eliminate blind spots in the threat landscape. Predictive and actionable intelligence enables organizations to block potential intrusions at the firewall level, plugging holes before an attacker can get in. We have technology to help companies identify leaked, stolen and sold user credentials. We find the compromised information in real-time on the open, deep and dark web, along with information about relevant malware used to steal it. A combination of sinkholes, honeypots, crawlers and sensors are continuously searching for these compromised credentials – the sooner they are identified, the sooner they can be retrieved, and the impact mitigated. You can find stolen credentials in underground marketplaces, and often cybercriminals will simply buy and sell them online. Detecting them early can not only prevent additional breaches, but force IT security teams to locate the sources of the initial attacks and patch vulnerabilities so it cannot occur again through that vector. In the event of a breach or suspected breach, the first thing to do is also the most obvious: change your passwords! In fact, this action should be done regularly anyway, along with reminders never to share them. However, before changing the password it is critical to making sure the system is no longer compromised.

Once credential theft has occurred and retrieval processes put in place, it is likely that it’ll be all hands on deck to find the hole and plug it, fast. It is strongly recommended that security protocols dictate that this is an ongoing project, rather than after the event.

While pentesting is usually employed to test network resilience, similar methods can be used to test for vulnerabilities that may allow attackers to steal credentials. For example, it is worth exploring login potential using genuine credentials from outside your network, particularly if you use firewalls to restrict access to your infrastructure unless you’re within it.

How are credentials stolen?

This section provides some deeper information about the methods used to steal credentials. If you can get inside the mind of the bad guys and understand their tactics, you can know what you’re looking out for and adjust your security posture accordingly. Depending on their skill set, resources and varying levels of protection deployed by the organization, cybercriminals use a variety of methods to steal credentials.

Phishing

Phishing is a technique which relies on the single weakest (and strongest) link in the cybersecurity chain – the end user. Using social engineering methods, where victims are deceived by a malicious email or link, or psychologically manipulated where their natural inclination to trust is taken advantage of. Social engineering is the psychological manipulation of victims and doesn’t have to be technical. Where consumer-focused phishing campaigns are often indiscriminate and fairly easy to spot to a trained eye, corporate credential theft is usually a much more targeted effort, known as spearphishing. Cybercriminals put a lot of resource into researching their target, for example identifying specific end users on social networks whose credentials will help them achieve their objective, before crafting sophisticated emails or websites which are much harder to distinguish from the legitimate site. Often, attackers will register a similar domain to their target and take advantage of users’ mistakes by typosquatting, so it can raise as few suspicions as possible. Like malware-as-a-service, phishing kits can be bought in cybercrime forums, modified and reused depending on requirements – these are usually deployed by less-skilled attackers.

The most advanced phishing attacks are those conducted in real-time, which can even get around two- or multi-factor authentication mechanisms and hardware tokens.

In the case of banking credential theft, for example, cybercriminals use special control panels to send a message to the victim after they insert their credentials, prompting them to enter additional details which are then harvested. Even more successful are those control panels which dynamically change the message from phishing pages depending on the victims’ response.

Malware

Many organizations tend to store credentials permanently in computers, using browser vaults or configuration files, while third-party applications like email or FTP software use their own methods to store passwords in a ‘safe’ way. But these are vulnerable Stealers take advantage of this and try to collect usernames and passwords from these locations and send them over to the control panel (Command and Control, C2 or C&C). The types of information that stealers are after are quite varied, but most look for:

• Passwords, cookies and certificates stored by web browsers
• Credentials stored by third-party applications: FTP, mail, downloader managers, SSH, Telnet, VPN, RDP, IM, gaming, cryptocurrency exchanges, etc.
• Cryptocurrency wallets
• Clipboard data
• Keystrokes
• Screenshots and screen/webcam recordings
• HTTP/HTTPs traffic

These credentials might be stored in plain text format, but it might also be the case that they are encrypted using a custom algorithm depending on the related software. Some stealers, however, can decrypt these encrypted files and extract credentials from them. You can visit our blog post detailing some of the most dangerous stealers here, including Pony, Agent Tesla, AZORult, KeyBase and LokiPWS. Keyloggers are also a major threat: they are capable of stealing passwords as they are typed. These days, most stealers and trojans include keylogging functionality. In fact, it is now difficult to find malware families providing solely keylogging functionality. The malicious code collects all keystrokes and stores them on disk, also additing context, such as the specific running processes or window title from where the keys were stolen. It is usually stored locally in the infected system before being sent later to the malicious control panel. But these two types of malware families are not the only ones exfiltrating credentials. Banking trojans have been doing this for years, make use of Man-in-the-Browser (MitB) techniques like transparent redirections to phishing pages where the browser security looks legitimate (‘web fakes’), or injection of code to modify the web browser content before the user actually can see it (‘web injects’). Besides this, they often have built in functionality known as form-grabbing: this makes banking trojans a threat not only to the financial sector, but for many other sectors, as non-banking credentials are exfiltrated to the botnets’ panels too.

Form-grabbing means botnets can collect credentials from any type of online service, indiscriminate of sector.

The objective is to harvest any form data sent by the user using a web browser and send it to the malicious control panel. In order to achieve this, the trojan will hook different API calls, depending on the target browser, and intercept data sent to these functions before it is sent to the Internet. The technique can collect an impressive amount of stolen data, including credentials for all sorts of online services, no matter which service they are providing. All this data ends up in the botnet databases, which must be capable of storing and indexing it efficiently so the administrators are able to search for specific credentials. Other malware types, such as backdoors or remote access trojans (RATs) might not exfiltrate credentials directly, but they could help the attackers to perform targeted attacks and lead to data breach. Besides these types of malware, some malware families perform what are known as pharming attacks. These attacks modify legitimate DNS responses to return malicious IPs rather than the legitimate website IP, by modifying the host’s file or hijacking and modifying DNS responses via API hooking. The attackers then redirect the victims to the malicious server where a phishing page is normally hosted. Compared to phishing attacks, most malware infections require greater knowledge and resources to implement successfully, but it is still possible to buy cheap kits or use source code leaks to launch an attack. On the other hand, targeted malware is used by professional cybercriminal groups using complex techniques with very ambitious objectives. It is thus uncommon to see it spread widely.

Man-in-the-Browser attacks

Credentials can be harvested in a variety of ways, many of which are reliant on exploiting technical vulnerabilities. Others are a result of monitoring and targeting the user’s communications channels. Man-in-the-Browser attacks see the cybercriminal act as a proxy between the victim and the legitimate service to which the user desires access – either modifying communication between parties or passively monitoring communications. These attacks can take place at the network level by sniffing network traffic or redirecting it. Typical scenarios where this kind of attack happens include fake WiFi hotspots (also known as ‘Evil Twins’), cybercafés or computers located in public places like libraries, coffee shops etc. After a network intrusion, MitM attacks are also quite common. Another kind of MitM attack is performed at the server level. Some online services offer proxies or VPN connections that users can use to navigate more anonymously. However, a potential risk is that some companies use them to intercept traffic and steal users’ credentials as it is transmitted through their servers and also at the server level.

System and website vulnerabilities

While malware infections are one of the most important attack vectors for compromise, vulnerable or misconfigured systems also offer an open door to cybercriminals. Often, attackers scan the Internet to find easy targets which they can compromise. Most of the time they look for well-known vulnerabilities or misconfigured systems. When they target websites they usually try to exploit SQL vulnerabilities and security problems allowing them to execute code, read source code and upload or modify files. In the case of SQL injections, attackers try to extract credentials to administrate the Content Management System (CMS) or download the whole database directly. In the case of vulnerabilities that allow modification of the website files, attackers could add specific code in the server or client-side in order to extract credentials and send them to a control panel, e-mail address, FTP server, etc. While malware infections are one of the most important attack vectors for compromise, vulnerable or misconfigured systems also present an open door for cybercriminals. Once inside the infrastructure, lateral movement techniques may be used to maximize the impact of the breach, gathering credential information. Databases are high risk, since they may contain a huge amount of credential information for multiple users – whether these are employees, customers or third parties.

Brute-force and dictionary attacks

Brute-force attacks attempt to guess valid logins, gain access to a network, and harvest credentials. It is called a brute-force attack as it is an attempt to discover a password by systematically trying every possible combination of characters until the correct combination allows access. Depending on the complexity of the password, however, there could be billions of different permutations, so often attackers commence with words that can be found in the dictionary, or slightly modified ones – most people use these rather than completely random passwords. A number of users still use easy and common passwords like “12345”, “admin” or “password”, but according to our research, the figure for these is no great than 2% of the total of passwords used. As more leaked databases are found on the Internet or in underground forums, it is common to see attackers trying their credentials to log in to different online services by reusing passwords. An attack tool that is becoming increasingly prevalent is the account checker, which takes lists of already-compromised login credentials and tests them against certain targeted websites – otherwise known as credential stuffing. Packages are cheaply available online, reducing the technical burden required to attack. It should be noted that the quality of credentials from leaked databases is generally lower than those exfiltrated by malware. The latter provides fresher credentials, rather than those which are leaked: these usually include a high number of outdated passwords which are not useful to the attackers.

What’s happening to the credentials after their theft?

Through ownership transfer or credential trading, cybercriminals will often try to sell stolen accounts in underground forums or markets. Sometimes, the trade might actually be without any direct profit for the owners, but rather to develop a relationship with the more advanced attackers with whom they trade. There are a number of markets, forums and websites where someone can sell and buy credentials. Some of these sites are ‘hidden’ on the Dark Web, but others are on the visible part of the Internet (or clearnet). There are specific markets for credentials and other more general markets that mix credentials with services and materials like malware kits, credit cards, medicines, drugs, weapons, ID documents/passports, etc. Our infrastructure is constantly crawling these markets for sensitive credentials and other information – check out our dedicated Dark Web module for more information around how we do this.

Generally speaking, selling credentials in these underground forums and markets is probably the easiest way to get rid of a large number of stolen passwords.

This does not mean that the operation will be profitable though since a single credential might not cost above $10 on average. For pricelists relating to the varying types of credentials that Blueliv research has detected, check out our report: The Credential Theft Ecosystem. Following credential trade, cybercriminal groups with fewer resources often share stolen passwords with more professional outfits. These more advanced groups are often capable of performing more sophisticated or targeted attacks on an organization, such as CEO fraud (more commonly known as Business Email Compromise, or BEC), massive website compromises to inject malicious Javascript code, seek to exfiltrate valuable information for corporate espionage and the like. These targeted attacks have seen significant increases in subtlety, sophistication and resultingly, payoff. With BEC, for example, compromised e-mail accounts can be used to perform spam and phishing campaigns and distribute malware internally – imagine receiving an attachment from an account purporting to be your CEO or CFO, would you open the attachment?

What threat intelligence tools are available?

Credential theft is a multi-million euro industry for cybercriminals. Most of the time, attackers seek a financial benefit and return on investment for the account takeover. Although a single stolen credential might not appear a major incident for a large company, it means leaving a door open to cybercriminals. The consequences of not protecting user data correctly will also end in financial loss and reputational damage when regulations like GDPR are implemented appropriately. Corporate accounts must be protected but personal accounts used in devices belonging to a company are also a risk to an organization. We recommend an enforced policy to control this use across the board, but at the very least protecting accounts belonging to VIPs. A significant number of Gmail, Yahoo, Outlook and other e-mail providers’ accounts are stolen every day, giving rise to a level of risk that cannot be understated. Detecting the exfiltration of a credential to a malware C2, a public website or an underground forum helps to mitigate the risk of a data breach, fraudulent transfers or identity theft, but there are targeted threat intelligence services that can help. Threat Intelligence helps you prevent, detect, and react. Proactive threat monitoring improves resilience in several ways, but the key is using fresh, actionable intelligence to eliminate blind spots in your threat landscape. Monitoring should go far beyond the standard or even deep web and include the dark web too.

Summary

The best way to fight cybercrime is to operate in much the same way as the bad guys. Where they build communities to exchange information and TTPs, so must we. The Credential Theft Ecosystem report embodies this approach – it is designed to help organizations understand the lifecycle of a compromised credential and keep their organizations’ data safe. Blueliv also hosts a global community of thousands of cybersecurity experts and encourages them to share news, views, IOCs and more – the Blueliv Threat Exchange Network. It gives members access to our free proprietary elastic sandbox, a close-to real-time cyberthreat map and it encourages information sharing. The growing global community is free to join – the fight against cybercrime is a collaborative effort.