General security

Stolen company credentials used within hours, study says

Susan Morrow
September 27, 2021 by
Susan Morrow

The worst-case scenario happened: company login credentials have been stolen. Do you still have a window of opportunity to make sure that the damage is controlled? As a study from Agari suggests, cybercriminals are fleet of foot, and the damage may have already been done.

Stolen login credentials are the foundation stone of data breaches, with lists of credentials freely available for purchase on dark web marketplaces. Credential marketplaces may be taken down, but they are quickly replaced by another pool of stolen credentials at the disposal of fraudsters wishing to facilitate data breaches and fraud. One such sales platform was “Slillpp,” thought to have caused over $200 million in losses in the U.S. and was recently removed by the U.S. Department of Justice (DOJ).

This latest Agari study is noteworthy as it shows the rapid nature of a credential-based attack and how stolen credentials are a starting point for other fraud events.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Zero hour for credential loss

This recent delve into the murky world of cybercrime by Agari has yielded some important and worrying results. The Agari research objective was to understand the role of stolen credentials and the subsequent attack pathways they facilitated. The study was based on 8,000 phishing sites set up by Agari as honey pots to watch what happens when a credential falls into the hands of a fraudster.

Big and scary takeaways from the Agari study

  • In 25% of cases, validation of credentials was automatic and instant; the researchers were able to place the attacks into three categories:
    • Microsoft Account login page, saying “you have been signed out, please log in again”: Russian IPv6 address linked to automated credential validation
    • Generic Microsoft Account login page: Swedish Amazon AWS IP address linked to automated credential validation
    • Shared document Microsoft login page: linked to automated credential validation using various proxy IP addresses
  • Whereas validation of credentials undergoes an automated check, the subsequent compromise of an account using the credentials was manual in 92% of cases. This makes sense, as an attacker can go into an account and look for sensitive data and financial information. An attacker can also use stealth, waiting for information to come into the account that can then be used for further fraud, including identity theft.
  • Account compromise was fast, taking less than an hour in 20% of cases.
  • Two-thirds of accounts were compromised within a day, and almost all accounts had been compromised within a week of credential theft.
  • Many of the accounts were only accessed once. However, this access was often persistent, suggesting that the account was being used as an ongoing threat portal for intelligence gathering and redirection of emails.

Credential compromise outcomes

As well as timings, the report also explored what stolen credentials were used for subsequently:

Business Email Compromise (BEC)

BEC has always used an element of email compromise hence the name. However, the tricks of the trade have evolved, and Vendor Email Compromise (VEC) is now part of a chain of fraud that links phishing to the theft of credentials, allowing a fraudster to redirect vendor emails to their account for surveillance. This intelligence pays off by allowing the fraudster to track the operations of company accounts payable. The fraudster can then insert a fake invoice and bank details into the email communications at the right moment to collect the funds.

Steal and pivot

Not all the threat actors used stolen credentials to only access email accounts. Some pivoted to other Office 365 apps. The team at Agari believed that the fraudsters were looking for valuable documents in the workspace. There was also evidence that malicious documents, such as fake invoices, were uploaded to a OneDrive folder to add legitimacy.

The circle of compromise

An outcome of the test was that the stolen credentials were used to propagate further phishing campaigns. One example in the report shows that threat actors used stolen credentials to create phishing campaigns based on a legitimate email account. In the example, the threat actor sent 6,500 emails impersonating a U.S. title company. The emails were sent to key industry contacts, stating the recipient had received a “secure message” as part of a real estate transaction. A link in an email led to a phishing site posing as a Microsoft Excel document.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

How to stop credentials from being stolen

The Verizon Data Breach Investigations Report states that 61% of breaches involve the use of compromised credentials. Of the patterns of attack identified in the Verizon report, 95% of organizations suffering credential stuffing attacks experienced between 637 and 3.3 billion malicious login attempts during the 12 months of the study. Linking the Agari and Verizon findings together paints a stark picture protect your credentials or suffer the consequences.

Below are three key ways to prevent credential compromise.

Security awareness training and security hygiene practices

Credential phishing leading to further credential phishing is a never-ending cycle of compromise. The starting point in mitigating credential theft is to train staff on security awareness. This training must include security hygiene, such as not sharing passwords and teaching staff to recognize phishing attempts.

MFA and alerts

Robust authentication, such as using multi-factor authentication (MFA) for account access, can help alleviate credential theft. It won’t necessarily stop account compromise altogether, but a second factor will make it much harder to access an account. Coupling this with account access alerts that let a user (or administrator) know that an account has been accessed from an unusual location/device can help mitigate the attack, even if the account is compromised within minutes of credential theft. Add in rules that apply risk-based authentication to add another layer of defense against credential compromise.

Zero Trust access

Applying the principles of Zero Trust security can help to mitigate the impact of stolen company credentials. Zero Trust relies on identifying users and applying risk levels to each access event; every device, user and data access flow is authorized and authenticated under the ethos of “always verify, never trust.”

Stolen credentials are the starting point of a multitude of cyberattack types. The swiftness by which stolen credentials are used means that prevention is better than cure. To prevent stolen company credentials, an organization must turn to its staff to be ever watchful and to the principles of robust access control through a Zero Trust lens.



Susan Morrow
Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.