Cybercriminals today have moved on from obsolete hacking techniques. Techniques that are no longer effective against the sophisticated cybersecurity nets deployed by the world’s biggest corporations. Instead, they’ve found a new element to compromise – the end-user. Using sophisticated social engineering and phishing tactics, cyber attackers gain access to sensitive data by compromising end users’ identities and credentials. According to the Verizon 2017 Data Breach Investigation Report, 81% of data breaches leveraged stolen or weak credentials. These credentials further open up access to systems, networks, and databases, basically opening up the entire vault for malicious extraction.
Add to it the pandemic-induced remote work phenomenon, and you can see credential harvesting becoming the top attack vector. In fact, the 2020 US Government threat report found that 71.5% of all phishing attacks on federal employees were related to credential harvesting. With nearly 72% of those employees agreeing to have clicked on malicious links contained in phishing emails, it becomes clearer why attackers are choosing to focus on credential harvesting to gain necessary leverage.
The growing risk of employees and customers falling prey to a credential harvesting campaign is further legitimized by the recent spate of breaches. A recent Reddit breach stemmed from credential harvesting, and so did the attack on UnityPoint Health, Iowa. The UK’s National Cyber Security Center also sent out an alert to all industries informing them of a phishing campaign built on stolen credentials harvested via cloned login pages.
Credential harvesting is often the first step as part of a larger, coordinated attack. It is used to gain initial access to the systems before the next phase of the attack is introduced. By understanding how credential harvesting works and how it can be contained, SOC teams can gain an upper hand in their fight against cybercriminals.
What is credential harvesting?
Also known as password harvesting, credential harvesting is a process cybercriminals use to steal legitimate usernames, passwords, private emails, and email addresses through data breaches. Not to be confused with phishing, credential harvesting uses a wide variety of Tactics, Techniques, and Procedures (TTP) to gain illegitimate access to valid credentials.
The stolen login data can then either be sold to the highest bidders on the dark web or be used to move laterally within systems with increasing privilege to steal even more sensitive data. Another avenue that many cyber criminals are opting for is using the data as leverage to demand ransoms. Many ingenious attackers have also successfully tried to embezzle money with the stolen credentials. While there are many different motivators for this crime, including corporate espionage, the point is to prevent this attack from happening in the first place.
What are the most common TTP for credential harvesting?
Phishing
This is the classic way to steal login data. Phishing emails are usually cloaked and disguised to mimic actual login pages. By embedding the malicious links in Word or PDF documents, attackers can bypass most firewalls and email protection systems. The links further take the user to compromised websites that also look familiar. Unsuspecting users type in their username and password only to be redirected to another page. Most users don’t even realize that their credentials have been stolen.
Phishing emails use comprehensive social engineering tactics to dupe users. They can even impersonate actual company employees to add another layer of legitimacy.
Learn more about this specific type of phishing scam in our blog on Business Email Compromise.
Man-in-the-middle
MitM attacks rely on public WiFi networks to get the work done. Criminals set up compromised routers that masquerade as legitimate businesses or public WiFi spots to attract users. Users who connect to the WiFi network give up complete access to the cybercriminal to track and record all their online activity.
Password dumping tools
MimiKatz is a password dumping tool that can automatically extract passwords and hashes from the memories of infected systems. Even one compromised system can give attackers enough opportunity to move laterally within the system until they hit their goal. Malware like WannaMine has been known to use these tools to mine passwords.
How can SOC teams identify these threats?
Credential phishing is one of the biggest threats facing modern multinational corporations. SOC teams can spot and block these attacks well in time if they have access to threat intelligence. In this case, the kind of information that can be helpful can have a wide range. Everything from the type of access being sold by Initial Access Brokers (IABs) on the dark web to the vulnerabilities being exploited by hackers during attacks on other companies can give SOC teams an edge.
Another data point that security experts need to focus on is new domain registrations that might be typosquatting. Unlike before, it’s much easier to buy believable typosquat domains now due to the explosion in the number of Top-level domains (TLDs).
Unfortunately, it doesn’t end here. Copycat applications in app stores, fraudulent listings on online marketplaces, and impersonation on social media have made collecting threat intelligence a daunting task.
This is where AI and automation come in. By identifying and eliminating potential risks, before they even turn into full-scale security events, Bolster’s AI-based engine ensures that credential harvest attacks and phishing attacks are kept at bay.
If you want to learn more about how Bolster’s domain monitoring can empower your SOC team with AI and automation, contact us today.
