Compromised Credentials: Tactics, Risks, Mitigation

The theft of users’ credentials is a growing industry. The market for compromised credentials is vast and has huge potential due to:

• The online availability of cheap malware kits
• The increase in active theft operations around the world
• The increasing sophistication of techniques implemented by threat actors

These factors have created a lucrative market for cybercriminals who are able to steal credentials and sell them on the black market. The stolen credentials can then be used to access personal and financial information, commit identity theft, or launch other cyberattacks.

Almost every website and application uses passwords to authenticate users, who have to deal with an increasing number of online accounts. As the need grows, users tend to reuse the same account-passwords combinations for many of the online services they use.

Unfortunately, the widespread use and reuse of passwords makes them attractive targets for cybercriminals, who know that stolen passwords provide an entry point to other accounts and services.

Each year, billions of compromised credentials appear online, either on the dark web, clear web, paste sites or in data dumps shared by cybercriminals. These credentials are then used by threat actors for account takeover attacks, fraud, and data theft.

While businesses try to protect their own sensitive information from attacks, customer information is stored in vulnerable databases all over the web. This results in identity fraud losses of totaling around $52 billion and affected 42 million U.S. adults in 2022 alone.

The identification of compromised customer accounts, targeted domains, and vulnerable passwords enables organizations to proactively build a better defense against account takeovers and fraudulent activities. Furthermore, the constant identification of customer accounts that have been compromised, provides ongoing fraud monitoring without impacting the user experience.

Collected data can be used to gain insight into which domains are being targeted and what the most vulnerable passwords are. This helps to prioritize risk mitigation strategies and protect the organization’s customers and their own reputation.

Uses of Compromised Credentials

An organization’s customers’ credentials are a valuable commodity in the cybercriminal market for 2 main  reasons:

1. They are relatively easy and cheap to obtain, requiring little effort from novice threat actors to
   get their hands on
2. The credentials can be developed and abused in a variety of other fraudulent activities, such as:

• Acquiring Additional PIIs and Data – after entering an account, threat actors can harvest more information, for example, credit cards, phone numbers, addresses, IDs, etc.
• Spam – a legitimate account is a good tool for scams and other deceitful activities.
• Phishing – under the disguise of a legitimate account, threat actors target the account owner’s contacts.
• Ransom Attacks – owners of valuable accounts might be forced to pay ransom to re-access their accounts
• Financial Fraud – accounts with access to financial data and the ability to execute transactions, such as credit cards, withdrawing funds and wiring money, are especially valuable to threat actors. Financial Fraud and Transaction Laundering can be executed with standard currencies, as well as cryptocurrencies, and even loyalty points or gift card credit.
• Promo Abuse – threat actors rely on multi-accounting techniques to gain as many sign-up or
  referral bonuses as possible.
• Card Testing – some accounts are only used to make small purchases, or to test credit cards. This helps threat actors to check the validity of stolen credit cards, which can then fuel their criminal buying sprees.
• Acquiring Access to Premium Accounts – especially popular for services with fee/membership-based services, such as Netflix, Spotify, and others Money Laundering or Money Mule Transactions
• Social Media Engagement – compromised accounts are used to run “bot farms” for social media engagement manipulation, such as followers and likes.

Compromised Credentials Tactics and Techniques

The foundation for exposed customer credentials is fraudulent access to a user’s account credentials.
Below are some tactics how attackers usually compromise legitimate accounts:

1. Brute-force attacks – The attacker links a username/password combination across many accounts until one yields results. These include so-called” dictionary attacks,” in which attackers use common passwords and dictionary terms to guess passwords.
2. Credential Stuffing – The attacker utilizes the bad habit where people use the same password for multiple accounts. If one of those passwords is leaked in an unrelated data breach, any other account with the same username and password is at risk.
3. Dark Markets – Attackers can download cracked passwords from darknet markets to attempt ATO on the same user accounts on their target site.
4. Phishing – remains an effective way to get a victim’s password. Without controls such as multifactor authentication (MFA), lost credentials can lead to compromised accounts.
5. Malware Attacks – Keyloggers, stealers, and other varieties of malware can expose user credentials, giving attackers control of victims’ accounts.
6. Security Vulnerabilities Exploitation – unpatched security holes are used to gain unauthorized access to a system. For example, Cross-Site Scripting (XSS) and Server Side Request Forgery (SSRF).
7. Social Engineering Attacks – threat actors contact people in person and attempt to extract login
   information.

What is Credential Stuffing?

Credential stuffing is a type of cyber attack that involves repeated attempts to log in to online accounts using usernames and passwords stolen from other online services. It takes advantage of the fact that people often reuse passwords across multiple accounts. Threat actors know that usernames and passwords used on one website may also be used on other websites, and they exploit this weakness by using automated tools to try these credentials on many different websites.

Credential stuffing attacks often require little technical knowledge. Threat actors can use free, easily accessible software that can broadcast hundreds of simultaneous login attempts without any human intervention. A single threat actor can easily send hundreds of thousands or even millions of login attempts to a single web service.

Although most login attempts fail in a credential stuffing attack, due to the sheer number of attempts, a single attack can still result in thousands of accounts being compromised. Threat actors have several ways to monetize these compromised accounts, such as:

• Using a credit card saved by a customer to make fraudulent purchases.
• Stealing and selling gift cards that a customer has saved on an account.
• Using customer details stolen from an account to conduct a phishing attack.
• Simply selling login credentials to someone else on the dark web.

 What Is An Account Takeover?

An account takeover is an identity attack in which attackers gain unauthorized access to customers’ legitimate accounts using a variety of attack vectors, including credential stuffing, phishing, and session hijacking. Once they have access, they can steal something of value, such as sensitive personal information, impersonate the account owner, gain access to funds and/or payment cards, or use the account as an entry point to defraud the owner’s contacts.

Account takeovers are used by threat actors in a variety of ways, including:

• Stealing sensitive personal information
• Impersonating the account owner
• Gaining access to funds and/or payment cards
• Using the account as an entry point to defraud the owner’s contacts

It is important to note that Account Takeover (ATO) fraud is not limited to bank and credit card accounts. Attackers can also use reward cards and services, including points saved on hotel accounts and airline miles. This scam is gaining traction because targeted users rarely check their reward accounts for scams compared to credit cards and bank accounts.

ATOs usually start with credential stuffing attacks. Attackers use scripts that contain potentially thousands of credentials and user accounts to automate these attacks. Revenue generated from a successful advanced attack can reach millions on darknet markets.

The emergence of darknet markets has popularized account takeover attacks. Attackers no longer need to steal directly from targeted users, which reduces personal liability. On the contrary, attackers looking to steal directly from users can simply purchase valid accounts on darknet markets without completing the tedious task of password cracking. The increase in financial accounts and products has also populated the market. Targeted users often have many financial accounts spread across multiple websites, making them attractive to threat actors. More financial accounts and an online presence means an increased attack surface for ATO fraud.

When attackers choose to sell authenticated accounts, they are expecting a high payout for their efforts. The value of just one hacked account depends on the amount of data stolen and the type of account. With potentially thousands of accounts, an attacker could have a hefty payday selling on darknet markets and limit detection compared to directly stealing from victims.

With Compromised Credentials, Time Is Money

The fresher the compromised credentials, the higher the chance threat actors can achieve their financial objective. However, credentials are rarely used by threat actors in “real-time.” Unless the credential is compromised in highly targeted attacks, threat actors require time to analyze the reams of data that they have captured. This process of filtration and extraction enables them to pull out ‘prime’ credentials either to sell on illegal marketplaces or use them for further exploitation. However, the sooner the compromised credentials are detected, the faster security teams can remediate them.
If stolen credential information can be detected very early on, no more than a few days after they have been compromised, the impact of the theft on the business can be massively reduced.

The Impact of Exposed Customer Credentials

Exposed customer credentials may not seem like one of a CISO’s responsibilities, as long as they are not the result of an internal breach. However, they can be very damaging, not only to the business’s brand reputation, but also have financial and even legal implications. Furthermore, it should be kept in mind that users will most likely blame the business for any damage that occurs through exposed credentials and account takeovers, blaming it on the company’s lack of security and fraud-prevention measures.

What Are the Financial Implications of Exposed Customer Credentials?

• Increased Transaction Disputes
• Increased Chargebacks
• High Customer Churn
• Revenue Loss
• Eventually Financial Penalties/Fines
• Chargebacks are expensive for e-commerce websites, especially those using third-party payment gateways. High chargeback rates can lead to increased transaction fees, which can result in significant losses. Therefore, credit card chargeback prevention is essential for any business.

What Are the Reputational Implications of Exposed Customer Credentials?

• Customer Churn
• Financial Penalties/fines
• Reputational Loss with Financial Institutions
• Brand and reputation may suffer, as the company may find itself unfairly accused of a data breach,
  which might lead to negative publicity, fines, and lost business. Furthermore, loss of customers and
  future revenues may occur, as customers whose accounts are taken over lose trust in the brand and
  walk away, creating bad publicity for the company.

How to Identify a Compromised Customer Account

Attacks resulting in exposed customer credentials are often identified by companies after a customer files a claim or complaint. Proper bot and online fraud protection should be the minimum that a business implements on their online assets in order to detect this kind of attack and prevent the exposure of customer credentials and account takeovers. Below are some important signs to detect attack takeovers on the business’s websites:

• IP Addresses from unusual geographic locations – a sudden rise of IP addresses from one or
  more countries outside the usual access locations can be a good indicator of attacks using
  exposed customer credentials. Particular attention should be directed at changes in the access
  location for users with recent account changes.
• Multiple Accounts Share the Same Details – when similar changes to PIIs (email, delivery address,
  etc.) are applied across more than one account, it might be a sign of an account takeover attack.
• Unknown/Obfuscated Device Models – a higher-than-usual ratio of unknown devices, is a
  warning sign.
• Multiple Accounts accessed by the Same Device or IP – often attackers do not spoof or mask
  their device between logging into different accounts, meaning that if they steal and access more
  than one account, they will all be linked to one device. However, this indicator should not be
  considered stand-alone proof, taking into account cases when devices are legitimately shared by
  multiple users.
• Detection of Suspicious VPN Proxies or TOR Usage – or any other use of emulators and virtual
  machines
• Unusual Number of Chargeback Requests
• Mass Login Attempts on one Account
• Mass Password Reset Requests
• Unusually Large Purchases OR Large Transfers