![Compromised Credentials: Tactics, Risks, Mitigation](https://cyberint.com/wp-content/uploads/2023/05/Shai-Yatzik-CFO-6.png)
Dedicated and enthusiastic WEBINT Analyst with four years of experience. Multilingual with extensive research experience in online risk & fraud prevention in FinTech.
The theft of users’ credentials is a growing industry. The market for compromised credentials is vast and has huge potential due to:
These factors have created a lucrative market for cybercriminals who are able to steal credentials and sell them on the black market. The stolen credentials can then be used to access personal and financial information, commit identity theft, or launch other cyberattacks.
Almost every website and application uses passwords to authenticate users, who have to deal with an ever-increasing number of online accounts. As that number grows, users tend to reuse the same username-password combinations across many of the online services they use.
Unfortunately, the widespread use and reuse of passwords makes them attractive targets for cybercriminals, who know that stolen passwords provide an entry point to other accounts and services.
Each year, billions of compromised credentials appear online, either on the dark web, clear web, paste sites or in data dumps shared by cybercriminals. These credentials are then used by threat actors for account takeover attacks, fraud, and data theft.
While businesses try to protect their own sensitive information from attacks, customer information is stored in vulnerable databases all over the web. The result was identity fraud losses totaling around $52 billion, affecting 42 million U.S. adults, in 2022 alone.
Identifying compromised customer accounts, targeted domains, and vulnerable passwords enables organizations to proactively build a better defense against account takeovers and fraudulent activity. Furthermore, continuously identifying customer accounts that have been compromised provides ongoing fraud monitoring without impacting the user experience.
The collected data can also be used to gain insight into which domains are being targeted and which passwords are the most vulnerable. This helps to prioritize risk mitigation strategies and to protect both the organization's customers and its own reputation.
An organization’s customers’ credentials are a valuable commodity in the cybercriminal market for 2 main reasons:
Every case of exposed customer credentials starts with an attacker fraudulently gaining access to a user's account credentials.
Below are some of the tactics attackers typically use to compromise legitimate accounts:
Credential stuffing is a type of cyber attack that involves repeated attempts to log in to online accounts using usernames and passwords stolen from other online services. It takes advantage of the fact that people often reuse passwords across multiple accounts. Threat actors know that usernames and passwords used on one website may also be used on other websites, and they exploit this weakness by using automated tools to try these credentials on many different websites.
Credential stuffing attacks often require little technical knowledge. Threat actors can use free, easily accessible software that fires off hundreds of simultaneous login attempts without any human intervention. A single threat actor can easily send hundreds of thousands or even millions of login attempts at a single web service.
Although most login attempts fail in a credential stuffing attack, due to the sheer number of attempts, a single attack can still result in thousands of accounts being compromised. Threat actors have several ways to monetize these compromised accounts, such as:
An account takeover is an identity attack in which attackers gain unauthorized access to customers’ legitimate accounts using a variety of attack vectors, including credential stuffing, phishing, and session hijacking. Once they have access, they can steal something of value, such as sensitive personal information, impersonate the account owner, gain access to funds and/or payment cards, or use the account as an entry point to defraud the owner’s contacts.
Account takeovers are used by threat actors in a variety of ways, including:
It is important to note that Account Takeover (ATO) fraud is not limited to bank and credit card accounts. Attackers also go after reward cards and services, including points saved on hotel accounts and airline miles. This scam is gaining traction because targeted users rarely check their reward accounts for fraud, compared to how closely they watch credit card and bank accounts.
ATOs usually start with credential stuffing attacks. Attackers use scripts that contain potentially thousands of credentials and user accounts to automate these attacks. Revenue generated from a successful advanced attack can reach millions on darknet markets.
The emergence of darknet markets has popularized account takeover attacks. Attackers no longer need to steal directly from targeted users, which reduces their personal exposure. Conversely, attackers who do want to steal directly from users can simply purchase valid accounts on darknet markets without completing the tedious task of password cracking. The growth in financial accounts and products has also expanded the market. Targeted users often have many financial accounts spread across multiple websites, making them attractive to threat actors. More financial accounts and a larger online presence mean an increased attack surface for ATO fraud.
When attackers choose to sell authenticated accounts, they are expecting a high payout for their efforts. The value of just one hacked account depends on the amount of data stolen and the type of account. With potentially thousands of accounts, an attacker could have a hefty payday selling on darknet markets and limit detection compared to directly stealing from victims.
The fresher the compromised credentials, the higher the chance threat actors can achieve their financial objective. However, credentials are rarely used by threat actors in “real-time.” Unless the credential is compromised in highly targeted attacks, threat actors require time to analyze the reams of data that they have captured. This process of filtration and extraction enables them to pull out ‘prime’ credentials either to sell on illegal marketplaces or use them for further exploitation. However, the sooner the compromised credentials are detected, the faster security teams can remediate them.
If stolen credential information can be detected very early on, no more than a few days after they have been compromised, the impact of the theft on the business can be massively reduced.
Exposed customer credentials may not seem like one of a CISO's responsibilities, as long as they are not the result of an internal breach. However, they can be very damaging, not only to the business's brand reputation but also financially and even legally. Furthermore, it should be kept in mind that users will most likely hold the business responsible for any damage that occurs through exposed credentials and account takeovers, attributing it to the company's lack of security and fraud-prevention measures.
Attacks resulting in exposed customer credentials are often identified by companies only after a customer files a claim or complaint. Proper bot and online fraud protection should be the minimum that a business implements on its online assets in order to detect this kind of attack and prevent the exposure of customer credentials and account takeovers. Below are some important signs for detecting account takeovers on the business's websites:
Compromised customer credentials are so prevalent that most businesses cannot avoid them. Therefore, any company that maintains online accounts for its customers should have a data security plan that includes strong safeguards to protect those customers.
Furthermore, account takeovers involving compromised customer credentials are difficult to detect because they rely on social engineering techniques: threat actors may impersonate the victim or use other methods to trick the account holder into giving them their login information. Account owners often do not realize that their account has been compromised until it’s too late.
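The credential stuffing pattern described above (many distinct accounts tried from one source in a short time, most attempts failing) is something a defender can spot in ordinary authentication logs. The following example is added here and is not code from the article or from Cyberint; the log format, field names, thresholds and sample lines are all constructed for illustration:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (assumed format: timestamp, source IP, username, OK|FAIL).
# 203.0.113.7 sprays ten accounts in five seconds and gets one hit; 198.51.100.4 is a
# real user who mistypes once and then logs in.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z 203.0.113.7 alice FAIL
2023-05-01T10:00:01Z 203.0.113.7 bob FAIL
2023-05-01T10:00:02Z 203.0.113.7 carol FAIL
2023-05-01T10:00:02Z 203.0.113.7 dave FAIL
2023-05-01T10:00:03Z 203.0.113.7 erin OK
2023-05-01T10:00:03Z 203.0.113.7 frank FAIL
2023-05-01T10:00:04Z 203.0.113.7 grace FAIL
2023-05-01T10:00:04Z 203.0.113.7 heidi FAIL
2023-05-01T10:00:05Z 203.0.113.7 ivan FAIL
2023-05-01T10:00:05Z 203.0.113.7 judy FAIL
2023-05-01T10:01:00Z 198.51.100.4 alice FAIL
2023-05-01T10:01:30Z 198.51.100.4 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse(log_text):
    """Turn log lines into (timestamp, ip, user, result) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, result))
    return events

def detect_stuffing(events, window_s=60, min_attempts=8, min_users=5, max_success_ratio=0.2):
    """Flag source IPs whose attempts within a sliding window spread over many distinct
    accounts with a low success ratio. A legitimate user hitting the wrong password touches
    one or two accounts; a stuffing run touches many. Any account that succeeded inside a
    flagged window is listed so it can be locked and its sessions revoked."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if (e[0] - first[0]).total_seconds() <= window_s]
            users = {e[2] for e in window}
            hits = sorted(e[2] for e in window if e[3] == "OK")
            if len(window) >= min_attempts and len(users) >= min_users \
                    and len(hits) / len(window) <= max_success_ratio:
                flagged[ip] = {"attempts": len(window), "accounts": len(users), "compromised": hits}
                break
    return flagged
```

The thresholds are deliberately conservative placeholders; tune them against your own baseline of failed-login rates before acting on the output.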
As with everything else, organizations should take a holistic approach to their cyber-defense, as there is no single measure or technology that can achieve total coverage. Even multifactor authentication can be bypassed.
Smart password use is essential: password reuse should be avoided at all costs, and a strong password policy should be in place to reduce the risk of easy-to-guess passwords. Multifactor Authentication (MFA) should be set up, as a threat actor is less likely to have access to more than one factor of the authentication process. More information about this topic can be found in Cyberint's report "Cookie O'clock."
It is highly recommended to put in place different complementary solutions to minimize both risk and impact. Companies should also consider how strong their defense mechanisms are in all threat stages: before, during and after an attack.
Furthermore, it is important to note that the effectiveness of the recommendations mentioned above will likely change over time as threat actors adopt new tactics and techniques. Businesses should regularly evaluate the effectiveness of their own controls and implement new adequate strategies.
Education is key to mitigating attacks. It is in the interest of both parties, companies and customers, to know how to identify potentially malicious activity. The ability to recognize when credentials might be compromised can save a huge amount of pain and financial loss.
Continuous cyber-hygiene can help prevent attacks, as well as mitigate their impact if and when one happens. Threat actors are constantly testing new ways to exploit companies' and customers' infrastructure, so remaining static when it comes to security protocols is a sure way to get breached.
Users and website owners should take basic precautions to prevent ATO attacks:
Vulnerabilities keep coming in different shapes and forms, and it is impossible to patch them all, compromised credentials included, overnight. To protect the organization, you first need to focus on the vulnerabilities that matter most. Now with Argos, known and unknown vulnerabilities are automatically correlated across your digital assets and attack surface, highlighting the imminent threats that must be handled with the utmost urgency.