- Table of contents
Darja FeldmanShare on LinkedIn
Dedicated and enthusiastic WEBINT Analyst with four years of experience. Multilingual with extensive research experience in online risk & fraud prevention in FinTech.
Table of contents
Compromised Credentials: Tactics, Risks, Mitigation
The theft of users’ credentials is a growing industry. The market for compromised credentials is vast and has huge potential due to:
- The online availability of cheap malware kits
- The increase in active theft operations around the world
- The increasing sophistication of techniques implemented by threat actors
These factors have created a lucrative market for cybercriminals who are able to steal credentials and sell them on the black market. The stolen credentials can then be used to access personal and financial information, commit identity theft, or launch other cyberattacks.
Almost every website and application uses passwords to authenticate users, who have to deal with an increasing number of online accounts. As the need grows, users tend to reuse the same account-passwords combinations for many of the online services they use.
Unfortunately, the widespread use and reuse of passwords makes them attractive targets for cybercriminals, who know that stolen passwords provide an entry point to other accounts and services.
Each year, billions of compromised credentials appear online, either on the dark web, clear web, paste sites or in data dumps shared by cybercriminals. These credentials are then used by threat actors for account takeover attacks, fraud, and data theft.
While businesses try to protect their own sensitive information from attacks, customer information is stored in vulnerable databases all over the web. This results in identity fraud losses of totaling around $52 billion and affected 42 million U.S. adults in 2022 alone.
The identification of compromised customer accounts, targeted domains, and vulnerable passwords enables organizations to proactively build a better defense against account takeovers and fraudulent activities. Furthermore, the constant identification of customer accounts that have been compromised, provides ongoing fraud monitoring without impacting the user experience.
Collected data can be used to gain insight into which domains are being targeted and what the most vulnerable passwords are. This helps to prioritize risk mitigation strategies and protect the organization’s customers and their own reputation.
Uses of Compromised Credentials
An organization’s customers’ credentials are a valuable commodity in the cybercriminal market for 2 main reasons:
- They are relatively easy and cheap to obtain, requiring little effort from novice threat actors to
get their hands on
- The credentials can be developed and abused in a variety of other fraudulent activities, such as:
- Acquiring Additional PIIs and Data – after entering an account, threat actors can harvest more information, for example, credit cards, phone numbers, addresses, IDs, etc.
- Spam – a legitimate account is a good tool for scams and other deceitful activities.
- Phishing – under the disguise of a legitimate account, threat actors target the account owner’s contacts.
- Ransom Attacks – owners of valuable accounts might be forced to pay ransom to re-access their accounts
- Financial Fraud – accounts with access to financial data and the ability to execute transactions, such as credit cards, withdrawing funds and wiring money, are especially valuable to threat actors. Financial Fraud and Transaction Laundering can be executed with standard currencies, as well as cryptocurrencies, and even loyalty points or gift card credit.
- Promo Abuse – threat actors rely on multi-accounting techniques to gain as many sign-up or
referral bonuses as possible.
- Card Testing – some accounts are only used to make small purchases, or to test credit cards. This helps threat actors to check the validity of stolen credit cards, which can then fuel their criminal buying sprees.
- Acquiring Access to Premium Accounts – especially popular for services with fee/membership-based services, such as Netflix, Spotify, and others Money Laundering or Money Mule Transactions
- Social Media Engagement – compromised accounts are used to run “bot farms” for social media engagement manipulation, such as followers and likes.
Compromised Credentials Tactics and Techniques
The foundation for exposed customer credentials is fraudulent access to a user’s account credentials.
Below are some tactics how attackers usually compromise legitimate accounts:
- Brute-force attacks – The attacker links a username/password combination across many accounts until one yields results. These include so-called” dictionary attacks,” in which attackers use common passwords and dictionary terms to guess passwords.
- Credential Stuffing – The attacker utilizes the bad habit where people use the same password for multiple accounts. If one of those passwords is leaked in an unrelated data breach, any other account with the same username and password is at risk.
- Dark Markets – Attackers can download cracked passwords from darknet markets to attempt ATO on the same user accounts on their target site.
- Phishing – remains an effective way to get a victim’s password. Without controls such as multifactor authentication (MFA), lost credentials can lead to compromised accounts.
- Malware Attacks – Keyloggers, stealers, and other varieties of malware can expose user credentials, giving attackers control of victims’ accounts.
- Security Vulnerabilities Exploitation – unpatched security holes are used to gain unauthorized access to a system. For example, Cross-Site Scripting (XSS) and Server Side Request Forgery (SSRF).
- Social Engineering Attacks – threat actors contact people in person and attempt to extract login
What is Credential Stuffing?
Credential stuffing is a type of cyber attack that involves repeated attempts to log in to online accounts using usernames and passwords stolen from other online services. It takes advantage of the fact that people often reuse passwords across multiple accounts. Threat actors know that usernames and passwords used on one website may also be used on other websites, and they exploit this weakness by using automated tools to try these credentials on many different websites.
Credential stuffing attacks often require little technical knowledge. Threat actors can use free, easily accessible software that can broadcast hundreds of simultaneous login attempts without any human intervention. A single threat actor can easily send hundreds of thousands or even millions of login attempts to a single web service.
Although most login attempts fail in a credential stuffing attack, due to the sheer number of attempts, a single attack can still result in thousands of accounts being compromised. Threat actors have several ways to monetize these compromised accounts, such as:
- Using a credit card saved by a customer to make fraudulent purchases.
- Stealing and selling gift cards that a customer has saved on an account.
- Using customer details stolen from an account to conduct a phishing attack.
- Simply selling login credentials to someone else on the dark web.
What Is An Account Takeover?
An account takeover is an identity attack in which attackers gain unauthorized access to customers’ legitimate accounts using a variety of attack vectors, including credential stuffing, phishing, and session hijacking. Once they have access, they can steal something of value, such as sensitive personal information, impersonate the account owner, gain access to funds and/or payment cards, or use the account as an entry point to defraud the owner’s contacts.
Account takeovers are used by threat actors in a variety of ways, including:
- Stealing sensitive personal information
- Impersonating the account owner
- Gaining access to funds and/or payment cards
- Using the account as an entry point to defraud the owner’s contacts
It is important to note that Account Takeover (ATO) fraud is not limited to bank and credit card accounts. Attackers can also use reward cards and services, including points saved on hotel accounts and airline miles. This scam is gaining traction because targeted users rarely check their reward accounts for scams compared to credit cards and bank accounts.
ATOs usually start with credential stuffing attacks. Attackers use scripts that contain potentially thousands of credentials and user accounts to automate these attacks. Revenue generated from a successful advanced attack can reach millions on darknet markets.
The emergence of darknet markets has popularized account takeover attacks. Attackers no longer need to steal directly from targeted users, which reduces personal liability. On the contrary, attackers looking to steal directly from users can simply purchase valid accounts on darknet markets without completing the tedious task of password cracking. The increase in financial accounts and products has also populated the market. Targeted users often have many financial accounts spread across multiple websites, making them attractive to threat actors. More financial accounts and an online presence means an increased attack surface for ATO fraud.
When attackers choose to sell authenticated accounts, they are expecting a high payout for their efforts. The value of just one hacked account depends on the amount of data stolen and the type of account. With potentially thousands of accounts, an attacker could have a hefty payday selling on darknet markets and limit detection compared to directly stealing from victims.
With Compromised Credentials, Time Is Money
The fresher the compromised credentials, the higher the chance threat actors can achieve their financial objective. However, credentials are rarely used by threat actors in “real-time.” Unless the credential is compromised in highly targeted attacks, threat actors require time to analyze the reams of data that they have captured. This process of filtration and extraction enables them to pull out ‘prime’ credentials either to sell on illegal marketplaces or use them for further exploitation. However, the sooner the compromised credentials are detected, the faster security teams can remediate them.
If stolen credential information can be detected very early on, no more than a few days after they have been compromised, the impact of the theft on the business can be massively reduced.
The Impact of Exposed Customer Credentials
Exposed customer credentials may not seem like one of a CISO’s responsibilities, as long as they are not the result of an internal breach. However, they can be very damaging, not only to the business’s brand reputation, but also have financial and even legal implications. Furthermore, it should be kept in mind that users will most likely blame the business for any damage that occurs through exposed credentials and account takeovers, blaming it on the company’s lack of security and fraud-prevention measures.
What Are the Financial Implications of Exposed Customer Credentials?
- Increased Transaction Disputes
- Increased Chargebacks
- High Customer Churn
- Revenue Loss
- Eventually Financial Penalties/Fines
- Chargebacks are expensive for e-commerce websites, especially those using third-party payment gateways. High chargeback rates can lead to increased transaction fees, which can result in significant losses. Therefore, credit card chargeback prevention is essential for any business.
What Are the Reputational Implications of Exposed Customer Credentials?
- Customer Churn
- Financial Penalties/fines
- Reputational Loss with Financial Institutions
- Brand and reputation may suffer, as the company may find itself unfairly accused of a data breach,
which might lead to negative publicity, fines, and lost business. Furthermore, loss of customers and
future revenues may occur, as customers whose accounts are taken over lose trust in the brand and
walk away, creating bad publicity for the company.
How to Identify a Compromised Customer Account
Attacks resulting in exposed customer credentials are often identified by companies after a customer files a claim or complaint. Proper bot and online fraud protection should be the minimum that a business implements on their online assets in order to detect this kind of attack and prevent the exposure of customer credentials and account takeovers. Below are some important signs to detect attack takeovers on the business’s websites:
- IP Addresses from unusual geographic locations – a sudden rise of IP addresses from one or
more countries outside the usual access locations can be a good indicator of attacks using
exposed customer credentials. Particular attention should be directed at changes in the access
location for users with recent account changes.
- Multiple Accounts Share the Same Details – when similar changes to PIIs (email, delivery address,
etc.) are applied across more than one account, it might be a sign of an account takeover attack.
- Unknown/Obfuscated Device Models – a higher-than-usual ratio of unknown devices, is a
- Multiple Accounts accessed by the Same Device or IP – often attackers do not spoof or mask
their device between logging into different accounts, meaning that if they steal and access more
than one account, they will all be linked to one device. However, this indicator should not be
considered stand-alone proof, taking into account cases when devices are legitimately shared by
- Detection of Suspicious VPN Proxies or TOR Usage – or any other use of emulators and virtual
- Unusual Number of Chargeback Requests
- Mass Login Attempts on one Account
- Mass Password Reset Requests
- Unusually Large Purchases OR Large Transfers
Recommendations to Prevent Compromised Customer Credentials
Compromised Customer credentials are so prevalent that most businesses cannot avoid them. Therefore, any company that maintains online accounts for its customers should have a data security plan that includes strong safeguards to protect customers.
Furthermore, account takeovers involving compromised customer credentials are difficult to detect because they rely on social engineering techniques: threat actors may impersonate the victim or use other methods to trick the account holder into giving them their login information. Account owners often do not realize that their account has been compromised until it’s too late.
Like with everything else, organizations should look to a holistic approach when it comes to their cyber-defense, as there is no single measure or technology that can achieve total coverage. Even the Multifactor Authentication can be bypassed.
Smart Password Use is essential – password reuse should be avoided at all costs, and a strong
password policy should be in place to reduce the risk of easy-to-guess passwords. Multifactor Authentication (MFA) should be set up as a threat actor is less likely to have access to more than one factor of the authentication process. More information about this topic can be found in Cyberint’s report “Cookie O’clock.”
It is highly recommended to put in place different complementary solutions to minimize both risk and impact. Companies should also consider how strong their defense mechanisms are in all threat stages: before, during and after an attack.
Furthermore, it is important to note that the effectiveness of the recommendations mentioned above will likely change over time as threat actors adopt new tactics and techniques. Businesses should regularly evaluate the effectiveness of their own controls and implement new adequate strategies.
Education is key to mitigating attacks. It’s in the interest of both parties, companies, and customers, to know how to identify potentially malicious activity. The ability to recognize when credentials might be compromised can save a huge amount of pain and financial loss.
Immediate Steps to Take When Compromised Customer Credentials Are Found
- Freeze the Compromised Account – to prevent the threat actor from performing any fraudulent
activities on the compromised account
- Freeze/Cancel all ongoing transactions – ask for verification from the legitimate account owner
- Force a password reset
- Inform the legitimate account owner
Continuous cyber-hygiene can help prevent attacks, as well as mitigate their impact if and when one happens. Threat actors are constantly testing new ways to exploit the company’s and customer’s infrastructure, so remaining static when it comes to security protocols is a sure way to get breached.
How to Defend Against Compromised Credential Attacks
How to Prevent Credential Stuffing Attacks
- Bot Detection
- Multifactor Authentication
- Prevent Reuse of Compromised Passwords
- Monitor customer activity
- Monitor customer fraud reports
How to Prevent Fraud & Misuse of Customer Information
- Use Threat Intelligence and third-party fraud detection (get a demo here)
- Re-authenticate at the time of purchase
- Prevent Gift Card Theft
- Respond to credential-stuffing events by notifying customers and investigating and remediating the incidents.
How to Prevent Account Takeover Attacks
Users and website owners should take basic precautions to prevent ATO attacks:
- Users should always read emails from financial institutions and call customer service
immediately after receiving suspicious alerts.
- Educating customers on:
- The dangers and warning signs of phishing
- Investigating links in emails before clicking
- Smart Password Use
- Deployment of MFA
- Set a limit on login attempts
- Configuring the fraud detection systems to display a CAPTCHA after a specific number of
- Send notifications of any account changes to customers
Vulnerabilities keep on coming in different shapes and forms and it is impossible to patch them all, including compromised credentials overnight. To protect the organization, you first need to focus on those vulnerabilities that mater the most. Now with Argos, known and unknown vulnerabilities are automatically correlated between your digital assets to your attack surface, highlighting those imminent threats that must be handled with utmost urgency.