How To Stop the Credential Theft Problem: A Comprehensive Approach

essidsolutions

A recent study estimates that businesses worldwide lose more than $400 million per month to phishing. In this article, Vytautas Kaziukonis, founder and CEO of Surfshark, digs deeper into the business of credential theft and analyzes what information most frequently appears in online databases.

Credential theft and social engineering are booming, and the trend costs companies billions of dollars every year. If we ever hope to stop cybercriminals from thriving, we need to understand how they work.

By knowing the fundamentals of their game, we can identify the choke points in their strategy and focus on preventative actions rather than reactive ones. Let’s take a look at how the credential theft business works to understand how we can defend against it.

Gathering the Credentials

All credential theft operations begin by gathering people’s information, and sometimes this means getting the data straight from the source.

A more technical approach to acquiring credentials is exploiting vulnerable system defenses, guessing or brute-forcing weak passwords, hijacking a domain’s DNS, or performing man-in-the-middle attacks. However, such attacks often require both know-how and resources. And honestly, would you waste your time on technical grit when you could easily persuade people to share their credentials with you?

That’s hardly hyperbole. A campaign of ten phishing emails with a single malware-ridden URL has a 90% chance of infecting someone and potentially stealing their information. Only one question remains then: just how easy is it to send ten emails? As easy as it is to send ten thousand, using any newsletter software or website.

The staggering popularity of social engineering in the credential theft business begins to make sense. Banking on the “human factor” security hole is the cheapest way to fish for credentials and requires comparatively little effort to cash out. 

Processing Data Into Profit

Once the credentials are gathered, it is time to process them. Depending on the type of data stolen, attackers extract and filter it before collecting the information into email lists or specialized databases. Once stored in a database, cybercriminals can mine and query this data for familiar companies or people’s names. Depending on how old the stolen data is, attackers might need to validate these credentials before using them.

Bots and account checker software are the most common ways to process large amounts of login information. 

Attackers can also do this step manually, especially if they stole small pieces of data through targeted spear-phishing attacks.

If the credentials are legitimate, then comes the final part: turning this data into profit. This can be done in two ways: either using the credentials to attack organizations directly and trying to steal or extort money from them, or selling the information on the dark web.


What Information Lurks Below the Web’s Surface

To illustrate a fraction of how much data leaks online, we’ll use information gathered by Surfshark Alert, a data breach detection tool.

Among all recorded leaks, the online database has indexed 61 different data point categories in total. Here are just a few of them: credentials, employment and financial information, hair color, and mother’s maiden name.

In total, the online database has recorded nearly 7 billion (6,828,634,652) leaked data points, and this number grows every day. 22% of these are email addresses, and 15.1% are plain text and hashed passwords.

To say that it’s easy to get a hold of someone’s credentials would be an understatement. Overall, the dark web alone is estimated to hold at least 15 billion stolen logins, out of which 5 billion are said to be unique. And if you get a hold of one of someone’s personal passwords, chances are you got a hold of most, if not all, of their passwords.

Personal Information Leaks That Cost Organizations Millions

Cybercriminals know that people usually cannot be bothered to keep a different password for each site or service. Most re-use the same credentials for access to both their work and personal resources.

This way, information gained from a single work-unrelated data breach caused by a phishing attack can potentially give a cybercriminal admin access to an entire organization. Either manually or using software, attackers can take leaked personal credentials and validate them against the person’s workplace system. Other times, it’s as simple as buying already sifted and verified stolen logins that someone else has phished. These credentials usually go for $1 to $100 each on the dark web but can potentially yield hundreds of thousands, if not millions, of dollars.
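The validation step described above is also a detection opportunity for defenders: an account checker testing leaked credentials against a workplace login produces failed attempts for many different accounts from one source in a short window, sometimes followed by a success on a re-used password. The following is an added example, not from the article or from Surfshark; the log format, source addresses, account names and thresholds are constructed assumptions.

```python
"""Flag credential-stuffing style validation attempts in authentication logs.

Added example, not from the article. The log format (timestamp, result,
source IP, username) and the thresholds are constructed assumptions; adapt
them to the audit log of your own identity provider.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source tries many distinct accounts, fails most
# of them, then succeeds on one re-used personal password. The second source
# is an ordinary user mistyping once.
SAMPLE_LOG = """\
2021-03-01T09:00:01Z FAIL 203.0.113.7 alice
2021-03-01T09:00:02Z FAIL 203.0.113.7 bob
2021-03-01T09:00:02Z FAIL 203.0.113.7 carol
2021-03-01T09:00:03Z FAIL 203.0.113.7 dave
2021-03-01T09:00:04Z FAIL 203.0.113.7 erin
2021-03-01T09:00:05Z OK   203.0.113.7 frank
2021-03-01T09:05:00Z FAIL 198.51.100.9 alice
2021-03-01T09:05:30Z OK   198.51.100.9 alice
"""

WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 5  # a human mistyping hits one or two accounts, not five

def parse(line):
    ts, result, ip, user = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, ip, user

def detect_stuffing(log_text, window=WINDOW, min_users=MIN_DISTINCT_USERS):
    """Return {ip: {"users": n, "compromised": [...]}} for every source that
    failed against at least min_users distinct accounts inside one sliding
    window, plus the accounts it logged into successfully in that window
    (candidates for a forced password reset and MFA enforcement)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse(line)
            events[ev[2]].append(ev)
    hits = {}
    for ip, evs in events.items():
        evs.sort()  # chronological; tuples sort by timestamp first
        fails = [(t, u) for t, r, _, u in evs if r == "FAIL"]
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_users:
                compromised = sorted(u for t, r, _, u in evs
                                     if r == "OK" and start <= t <= start + window)
                hits[ip] = {"users": len(users), "compromised": compromised}
                break
    return hits
```

On the constructed sample, only 203.0.113.7 is flagged, with frank listed as the account that accepted a password during the spray.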

On the other end of this are the companies. Including hidden costs, the average loss from a data breach was $3.86 million in 2020. Beyond the direct financial cost, these data breaches can also damage a company’s reputation and brand image for years to come. And to a degree, that can be avoided.


Identifying the Choke Points in Credential Theft

If we examine the entire credential theft process, we can identify four primary stages: gathering, extraction, validation, and use. 

Here’s the crux of it: there’s not much you can do besides changing your passwords if someone steals your credentials. And most of the time, you won’t even know that it happened.

Attackers can gather credentials in many different ways, but social engineering and phishing are by far the most effective. That’s why most security officers agree that, to avoid the damage caused by credential theft, it’s best to put practices in place that will:

  1. Prevent credentials from being cracked or stolen (Social engineering training, password managers).
  2. Minimize the damage stolen credentials can cause (Multi-factor authentication (MFA), limited system access).

Credential theft prevention can mostly be achieved through social engineering awareness and due diligence training to spot and avoid phishing attempts. Password managers protected by a unique master password are another strong solution to this problem.

On the other hand, if an attacker gets a hold of an employee’s password, then multi-factor authentication (MFA) can prevent them from bypassing the company’s defenses. But if all prevention fails, it’s best not to have a single person with full system access, so as to minimize the potential damage.

Implemented diligently, these practices can help anyone make sure their credentials don’t get stolen and end up with a price tag on the dark web. The human factor and awareness training are especially important here because of how prevalent phishing has been in the past years. By focusing on the choke points of the credential theft business, we can stop the chain reaction caused by data breaches and at least minimize the massive financial losses companies face every year around the world.
