Stolen company credentials used within hours, study says
The worst-case scenario happened: company login credentials have been stolen. Do you still have a window of opportunity to make sure that the damage is controlled? As a study from Agari suggests, cybercriminals are fleet of foot, and the damage may have already been done.
Stolen login credentials are the foundation stone of data breaches, with lists of credentials freely available for purchase on dark web marketplaces. Credential marketplaces may be taken down, but they are quickly replaced by another pool of stolen credentials at the disposal of fraudsters wishing to facilitate data breaches and fraud. One such sales platform was “Slillpp,” thought to have caused over $200 million in losses in the U.S. and was recently removed by the U.S. Department of Justice (DOJ).
This latest Agari study is noteworthy as it shows the rapid nature of a credential-based attack and how stolen credentials are a starting point for other fraud events.
FREE role-guided training plans
Zero hour for credential loss
This recent delve into the murky world of cybercrime by Agari has yielded some important and worrying results. The Agari research objective was to understand the role of stolen credentials and the subsequent attack pathways they facilitated. The study was based on 8,000 phishing sites set up by Agari as honey pots to watch what happens when a credential falls into the hands of a fraudster.
Big and scary takeaways from the Agari study
- In 25% of cases, validation of credentials was automatic and instant; the researchers were able to place the attacks into three categories:
- Microsoft Account login page, saying “you have been signed out, please log in again”: Russian IPv6 address linked to automated credential validation
- Generic Microsoft Account login page: Swedish Amazon AWS IP address linked to automated credential validation
- Shared document Microsoft login page: linked to automated credential validation using various proxy IP addresses
- Whereas validation of credentials undergoes an automated check, the subsequent compromise of an account using the credentials was manual in 92% of cases. This makes sense, as an attacker can go into an account and look for sensitive data and financial information. An attacker can also use stealth, waiting for information to come into the account that can then be used for further fraud, including identity theft.
- Account compromise was fast, taking less than an hour in 20% of cases.
- Two-thirds of accounts were compromised within a day, and almost all accounts had been compromised within a week of credential theft.
- Many of the accounts were only accessed once. However, this access was often persistent, suggesting that the account was being used as an ongoing threat portal for intelligence gathering and redirection of emails.
Credential compromise outcomes
As well as timings, the report also explored what stolen credentials were used for subsequently:
Business Email Compromise (BEC)
BEC has always used an element of email compromise — hence the name. However, the tricks of the trade have evolved, and Vendor Email Compromise (VEC) is now part of a chain of fraud that links phishing to the theft of credentials, allowing a fraudster to redirect vendor emails to their account for surveillance. This intelligence pays off by allowing the fraudster to track the operations of company accounts payable. The fraudster can then insert a fake invoice and bank details into the email communications at the right moment to collect the funds.
Steal and pivot
Not all the threat actors used stolen credentials to only access email accounts. Some pivoted to other Office 365 apps. The team at Agari believed that the fraudsters were looking for valuable documents in the workspace. There was also evidence that malicious documents, such as fake invoices, were uploaded to a OneDrive folder to add legitimacy.
The circle of compromise
An outcome of the test was that the stolen credentials were used to propagate further phishing campaigns. One example in the report shows that threat actors used stolen credentials to create phishing campaigns based on a legitimate email account. In the example, the threat actor sent 6,500 emails impersonating a U.S. title company. The emails were sent to key industry contacts, stating the recipient had received a “secure message” as part of a real estate transaction. A link in an email led to a phishing site posing as a Microsoft Excel document.
FREE role-guided training plans
How to stop credentials from being stolen
The Verizon Data Breach Investigations Report states that 61% of breaches involve the use of compromised credentials. Of the patterns of attack identified in the Verizon report, 95% of organizations suffering credential stuffing attacks experienced between 637 and 3.3 billion malicious login attempts during the 12 months of the study. Linking the Agari and Verizon findings together paints a stark picture — protect your credentials or suffer the consequences.
Below are three key ways to prevent credential compromise.
Security awareness training and security hygiene practices
Credential phishing leading to further credential phishing is a never-ending cycle of compromise. The starting point in mitigating credential theft is to train staff on security awareness. This training must include security hygiene, such as not sharing passwords and teaching staff to recognize phishing attempts.
MFA and alerts
Robust authentication, such as using multi-factor authentication (MFA) for account access, can help alleviate credential theft. It won’t necessarily stop account compromise altogether, but a second factor will make it much harder to access an account. Coupling this with account access alerts that let a user (or administrator) know that an account has been accessed from an unusual location/device can help mitigate the attack, even if the account is compromised within minutes of credential theft. Add in rules that apply risk-based authentication to add another layer of defense against credential compromise.
Zero Trust access
Applying the principles of Zero Trust security can help to mitigate the impact of stolen company credentials. Zero Trust relies on identifying users and applying risk levels to each access event; every device, user and data access flow is authorized and authenticated under the ethos of “always verify, never trust.”
Stolen credentials are the starting point of a multitude of cyberattack types. The swiftness by which stolen credentials are used means that prevention is better than cure. To prevent stolen company credentials, an organization must turn to its staff to be ever watchful and to the principles of robust access control through a Zero Trust lens.
Sources
- Agari, Anatomy of a Compromised Account
- CISO Magazine, DoJ Takes Down Largest Stolen Credentials Marketplace ‘Slilpp’
- Verizon, 2021 Data Breach Investigations Report
- Infosec, Zero trust security: What is it?
In this Series
- Stolen company credentials used within hours, study says
- Free Valentine's Day cybersecurity cards: Keep your love secure!
- How to design effective cybersecurity policies
- What is attack surface management and how it makes the enterprise more secure
- Is a cybersecurity boot camp worth it?
- The aftermath: An analysis of recent security breaches
- Understanding cybersecurity breaches: Types, common causes and potential risks
- Breaking the Silo: Integrating Email Security with XDR
- What is Security Service Edge (SSE)?
- Cybersecurity in Biden’s era
- Password security: Using Active Directory password policy
- Inside a DDoS attack against a bank: What happened and how it was stopped
- Inside Capital One’s game-changing breach: What happened and key lessons
- A DevSecOps process for ransomware prevention
- What is Digital Risk Protection (DRP)?
- How to choose and harden your VPN: Best practices from NSA & CISA
- Will immersive technology evolve or solve cybercrime?
- Twitch and YouTube abuse: How to stop online harassment
- Can your personality indicate how you’ll react to a cyberthreat?
- The 5 biggest cryptocurrency heists of all time
- Pay GDPR? No thanks, we’d rather pay cybercriminals
- Customer data protection: A comprehensive cybersecurity guide for companies
- Online certification opportunities: 4 vendors who offer online certification exams [updated 2021]
- FLoC delayed: what does this mean for security and privacy?
- Don’t use CAPTCHA? Here are 9 CAPTCHA alternatives
- 10 ways to build a cybersecurity team that sticks
- Verizon DBIR 2021 summary: 7 things you should know
- 2021 cybersecurity executive order: Everything you need to know
- Kali Linux: Top 5 tools for stress testing
- Android security: 7 tips and tricks to secure you and your workforce [updated 2021]
- Mobile emulator farms: What are they and how they work
- 3 tracking technologies and their impact on privacy
- In-game currency & money laundering schemes: Fortnite, World of Warcraft & more
- Quantitative risk analysis [updated 2021]
- Understanding DNS sinkholes - A weapon against malware [updated 2021]
- Python for network penetration testing: An overview
- Python for exploit development: Common vulnerabilities and exploits
- Python for exploit development: All about buffer overflows
- Python language basics: understanding exception handling
- Python for pentesting: Programming, exploits and attacks
- Increasing security by hardening the CI/CD build infrastructure
- Pros and cons of public vs internal container image repositories
- CI/CD container security considerations
- Vulnerability scanning inside and outside the container
- How Docker primitives secure container environments
- Top 4 Zapier security risks
- Common container misconfigurations and how to prevent them
- Building container images using Dockerfile best practices
- Securing containers using Docker isolation
- Introduction to container security
- Top 8 Microsoft Teams security issues
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
General security
Free Valentine's Day cybersecurity cards: Keep your love secure!
General security
General security