The password has always been an attractive target for the Cyberattacker. But given today’s Cybersecurity threat landscape, Cyberattackers are after much more than passwords alone. They not only want to know more about you; they want to come after you and take everything that identifies you. It can be difficult to realize you are a victim until it is too late.
One of the biggest reasons for this is that Cyberattackers take their time to locate and research unsuspecting victims. They are not interested in finding targets en masse; rather, they select just a few potential victims and find their weakest spots. Then, once they have compromised the target’s identity, the goal is to stay in as long as possible and steal as much as they can in small bits, going unnoticed all the while.
Three Types of Credential Theft
There are three types of credential theft:
- Against the individual: This is when a particular individual, or even a group of individuals, is selectively targeted. The attack vectors may not be very sophisticated; Phishing-based emails are still the favored weapon of choice. Despite all the publicity and notoriety that Phishing gets, people still fall for Phishing schemes. It can come in one of two ways:
  - The victim can be duped into clicking on a malicious link. Typically, the link text shown in the body of the email message differs from the destination revealed when you hover your mouse pointer over it. But even this has changed: the two now often appear almost identical, tricking even a savvy victim. The victim is then directed to a spoofed website that looks so legitimate and authentic that it is almost impossible to tell it is a fake. From here, the victim enters their username and password, and the havoc begins.
  - The victim can also be duped into downloading a malicious document. The most favored file extensions here are .DOC, .XLS, .PPT, and .PDF. Once any of these attachments is downloaded and opened, the malware spreads into the victim’s device in an attempt to steal as many credentials as possible. An excellent example of this is keylogging malware: keystrokes are recorded and covertly sent back to the Cyberattacker in an effort to ascertain all of the credentials the victim uses. This approach has become rather sophisticated, as hijacking the victim’s contact list is now common, making it look like a Phishing email was sent by a person the victim knows well.
- Against the business: This is technically known as “Corporate Credential Theft.” In these cases, the Cyberattacker has much more at their disposal to harvest as many credentials from victims as they can. For example, in their digital marketing efforts, many companies use Social Media such as Facebook, LinkedIn, and Twitter. Although they may be careful about what they post regarding their company, the Cyberattacker can still glean quite a bit from it. Over time, they can see which employees post material regularly, and the timeframes in which they do so. From there, the Cyberattacker can narrow down the list to a few potential victims and study them even more carefully through their social media activity. In other words, the Cyberattacker is building up a victim profile, to be used to determine their vulnerabilities, using nothing more than publicly available information.
  A commonly used threat vector is the Business Email Compromise (BEC). This is where an email is sent, or a Social Engineering-based phone call is made, purporting to be from the CEO and asking his or her administrative assistant to wire a large sum of money to a bank account, which, of course, is located offshore. Once the money has been transferred and the mistake has been discovered, it is very difficult to get the money back or even track down who launched the attack.
- Credential Abuse: This is the ultimate goal of any compromised credential attack. Once all the credentials have been fully harvested, the Cyberattacker will use them for credit card theft/fraud, hijacking funds from financial accounts, and, even worse, launching long-term Identity Theft attacks. Two new trends are occurring in this regard:
  - The Dark Web: The Cyberattacker can sell the stolen credentials for a rather nice profit.
  - Lateral Movement: In this instance, the Cyberattacker uses the hijacked credentials to infiltrate the network infrastructure of a business, and from there moves deeper in a “sideways” fashion in search of even higher-value targets, such as Intellectual Property (IP) and other mission-critical digital assets. The time that the Cyberattacker resides inside the network is often referred to as the “Dwell Time.” Cyberattackers have become so sophisticated that their Dwell Time can last for weeks and even months without detection.
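As an added illustration of the two Phishing tells described under “Against the individual” (link text that shows one host while the real destination is another, and attachments with the favored document extensions), here is a small triage script. It is example code written for this article, not code from the original post or from any vendor; the sample message, its hostnames and the attachment are constructed, and the .docx/.xlsx/.pptx extensions are added as an assumption alongside the four named above.

```python
"""Added example: triage an e-mail for two phishing tells, (1) anchor text
naming one host while the href points at another, and (2) attachments
carrying document extensions attackers favour.
The sample message is constructed; every hostname is a placeholder."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions named in the article, plus modern Office equivalents (assumption)
RISKY_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}

SAMPLE_EMAIL = """\
From: it-helpdesk@example.test
To: employee@example.test
Subject: Password expiry notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Reset it at
<a href="http://login.example-reset.test/portal">https://portal.example.test/reset</a></p>
<p>Questions? <a href="https://portal.example.test/help">https://portal.example.test/help</a></p>
</body></html>
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lower-case hostname from a URL or a bare 'host/path' string, or None."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower() or None


def link_mismatches(html_body):
    """Anchors whose visible text names a different host than the real href."""
    parser = AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        shown, actual = host_of(text), (host_of(href) if href else None)
        # Only judge anchor text that itself looks like a host (contains a dot)
        if shown and "." in shown and actual and shown != actual:
            findings.append({"shown": shown, "actual": actual})
    return findings


def risky_attachments(msg):
    """Attachment file names whose extension is on the risky list."""
    names = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and "." in filename:
            if "." + filename.rsplit(".", 1)[1].lower() in RISKY_EXTENSIONS:
                names.append(filename)
    return names


def triage(raw_message):
    """Parse a raw RFC 5322 message and return both kinds of findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    mismatches = []
    for part in msg.walk():
        if part.get_content_type() == "text/html" and not part.get_filename():
            mismatches.extend(link_mismatches(part.get_content()))
    return {"link_mismatches": mismatches, "risky_attachments": risky_attachments(msg)}


if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

On the sample message the script reports one link whose visible text says portal.example.test while the href goes to login.example-reset.test, and one risky attachment, invoice.pdf. The host comparison is deliberately strict: lookalike hosts that differ by a single character are still reported, which is exactly the case the article says now fools savvy victims.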
How To Prevent Compromised Credential Attacks
Compromised credential attacks are a serious problem. According to the Verizon 2020 Data Breach Investigations Report (DBIR), over 80% of hacking attacks that take place use stolen credentials, and at least 77% of all Cloud security breaches also involve the use of hijacked credentials (Sources 1 and 2).
Ultimately, the best line of defense that you can use is probably what is known as the “Zero Trust Framework.” This methodology stipulates that you cannot, under any circumstances, trust anybody internal or external to your company when it comes to accessing shared resources. Anyone wishing to have this kind of access must be authenticated through at least three layers of authentication at each line of defense.
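Because the best complement to prevention is noticing lateral movement before the Dwell Time described above reaches weeks or months, here is an added detection example written for this article, not taken from the original post or from any product. It runs over a few constructed authentication log lines, flags an account that successfully authenticates to several distinct hosts within a short window, and measures how long that account has kept operating since the burst began. The log format, the user and host names, and the thresholds (four hosts within thirty minutes) are all assumptions made for the example.

```python
"""Added example: spot lateral movement in authentication logs and measure
how long the account has stayed active since the burst began (the
article's 'Dwell Time'). Log lines, users, hosts and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events: one account fans out across servers late at night
SAMPLE_LOG = """\
2024-03-01T08:02:11Z user=jdoe src=10.0.1.5 dst=ws-jdoe result=success
2024-03-01T08:40:27Z user=jdoe src=10.0.1.5 dst=ws-jdoe result=success
2024-03-03T22:14:02Z user=jdoe src=10.0.1.5 dst=fileserver01 result=success
2024-03-03T22:16:45Z user=jdoe src=10.0.1.5 dst=fileserver02 result=success
2024-03-03T22:19:10Z user=jdoe src=10.0.1.5 dst=hr-db01 result=failure
2024-03-03T22:19:31Z user=jdoe src=10.0.1.5 dst=hr-db01 result=success
2024-03-03T22:25:58Z user=jdoe src=10.0.1.5 dst=dc01 result=success
2024-03-01T09:00:00Z user=asmith src=10.0.2.7 dst=ws-asmith result=success
2024-03-02T09:05:00Z user=asmith src=10.0.2.7 dst=fileserver01 result=success
2024-03-03T09:10:00Z user=asmith src=10.0.2.7 dst=ws-asmith result=success
"""


def parse_line(line):
    """'<iso-timestamp> key=value ...' -> dict with a tz-aware 'ts' field."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def lateral_movement_alerts(events, window=timedelta(minutes=30), min_hosts=4):
    """Flag accounts that authenticate successfully to >= min_hosts distinct
    destinations within `window`; a normal workstation user rarely does that."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["result"] == "success":
            by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            hosts = {e["dst"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "window_start": start["ts"], "hosts": sorted(hosts)})
                break  # one alert per account is enough to open an investigation
    return alerts


def dwell_time(events, user, since):
    """How long the account has kept operating after the suspicious burst began."""
    latest = max(e["ts"] for e in events if e["user"] == user)
    return latest - since


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for alert in lateral_movement_alerts(events):
        print(alert["user"], alert["hosts"], dwell_time(events, alert["user"], alert["window_start"]))
```

On the sample data jdoe is flagged for reaching four servers between 22:14 and 22:26, while asmith, who touches three hosts over three days, is not. Only successful logons count toward the host set, but the failed attempt against hr-db01 just before the successful one is the sort of detail an analyst would pull up next. In a real deployment the window and host thresholds should be tuned per role, since administrators legitimately fan out across many machines.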
Sources
- https://securityboulevard.com/2020/06/credential-vulnerabilities-most-likely-breach-culprit-verizon-dbir/
- https://thycotic.com/company/blog/2020/06/17/verizon-2020-dbir-5-top-takeaways/
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He also possesses the Certified in Cybersecurity (CC) cert from the ISC2.
Visit his website at mltechnologies.io