Be it personal or professional, it's now an ordinary fact of life that people own dozens of different online accounts. From the essential to the mundane, every facet of our lives can be linked to a service that's probably tethered to its users by an account name and password.
For cybercriminals, those account names and passwords -- commonly referred to as credentials -- serve as the keys to an endless number of kingdoms. Credentials are a core enabler of cybercriminals' ability to establish and perpetuate their operations; without a foot in the door, they would have to work remarkably harder to successfully carry out their crimes. At Intel 471, we've observed how cybercriminals use stolen credentials as a way to make money directly or use them in attacks where monetization occurs further downstream. It's a pattern of behavior that is a hallmark of the underground.
The use of compromised or stolen credentials to seize legitimate accounts, also known as account takeovers, is fueled by two distinct actions: credential harvesting and use of specific software tools that ultimately hijack accounts. Credential harvesting is most likely done through the use of information stealers, malware that skims for username and password information by injecting scripts into common web tools used on retail and other e-commerce platforms. Information stealers also allow for social engineering through phishing attacks that contain malicious files or links. Additionally, actors in the underground have created account-checking and brute-force tools that give all levels of criminals the ability to crack open accounts in all corners of the internet. Actors will also share various configurations of the brute-force tools that specifically target all types of services, including e-commerce payment platforms, online banking, social media and others.
How the criminals make their money
Actors who use account takeovers as a way to make money have several different ways to cash out on their ill-gotten gains. Intel 471 has observed four distinct methods that are popular on the cybercrime underground: online banking fraud, fraudulent travel services, gift card fraud, and credential marketplaces. Our team has tracked a multitude of instances for each of these methods, including:
Two actors who abused account credentials of a U.S.-based, online-only banking service using stolen cardholder data, but tied accounts to their own email addresses and Google Voice accounts. Funds were withdrawn from accounts once microdeposits were made to get around fraud detections.
Another actor advertised several mail-accessed travel rewards accounts of an international hotel chain for sale. The actor offered to sell the accounts, transfer points to other accounts and make hotel bookings on the buyer’s behalf. From there, buyers could book car rentals, flights and hotels at substantially discounted rates.
An actor allegedly collected 160,000 compromised accounts from a well-known U.S.-based bank using a custom account-checking tool, then sold them on forums or cashed them out by trading gift cards through undisclosed online shops. Most of the accounts purportedly were protected with two-factor authentication (2FA), so if a buyer could not use them directly, the actor suggested using the same email address and password combination list to attack accounts at other banks. Therefore, not only did the actor attempt to complete the account takeover cycle via monetization through gift cards, they restarted the cycle by selling the account credentials and advising others to use them to attack additional associated accounts.
An underground marketplace, named Genesis Store, that allows actors to purchase compromised account credentials together with the victim device's cookies and browser fingerprints to gain access to different website user accounts. The combined use of this information allegedly gives an attacker the ability to bypass anti-fraud detection in several industries and appear as a legitimate login from the victim's machine. While more experienced actors may opt to use other methods, the Genesis Store opened up a space for unskilled actors to participate in ATO activity with its user-friendly interface and clear instructions on how to use the site via the Genesis wiki page.
While credentials tied to accounts that directly hold monetary value will always be worth something in the cybercriminal underground, credentials tied to back-end interfaces that control websites, cloud instances, or other business-essential services are an extremely sought-after and lucrative commodity.
Intel 471 has seen a vast amount of activity around this type of transaction. Some of the instances we've observed include:
A newcomer to a very popular cybercrime forum attempting to make a name for themselves by claiming to possess hundreds of stolen credentials consisting of passwords, URLs and usernames that could be used to gain unauthorized access to the web control panel (cPanel) and web host manager (WHM) of the victims' websites. The actor sought between US $3 and US $5 for access to one domain, but claimed to offer substantial discounts if a large set was purchased.
A Russian-linked actor joined a popular cybercrime forum in June 2020 and quickly became a prolific credential vendor by the end of the year. His stock has risen due to selling access to Citrix and other virtual private networks, as well as corporate networks with other entry points. The actor allegedly purchased logs across underground forums and directly from malware log vendors, validated the account credentials and subsequently sold them on the forums. By January 2021, the actor offered to sell about 400 compromised Citrix, RDWeb and VPN accounts, with the majority of compromised accounts belonging to educational entities.
An actor on a China-linked cybercrime forum advertised 1,000 hacked cPanel host servers and claimed that full access to the servers was guaranteed. The actor's inventory at the time of the post, which was written in October 2020, included many batches of data from businesses based in Europe, Hong Kong, Japan, Taiwan and the U.S. Despite the steep prices listed, we observed that the actor made some sales from the offers.
What happens next
As Intel 471 has stated before, a key cog in the cybercriminal underground is the interdependency between those who specialize in selling credentials and those looking to launch ransomware attacks. The astronomical growth in ransom payments in 2020 has helped access merchants put a premium on their services. In years past, a large ransom payout would earn attackers somewhere between five- and six-figure sums. Now, it's becoming increasingly common for attackers to demand seven- and eight-figure ransoms, partly due to the need to pay off actors that have helped them obtain access to the victim's system.
Instances show that anywhere from one week to six months after access is obtained and advertised, other known actors on various underground forums look to use or purchase that access to launch ransomware attacks. The targets run the gamut of regions and economic sectors, with the pattern playing out in ransomware attacks on every continent.
In January, Intel 471 observed an actor on a popular cybercrime forum looking to cooperate with network access brokers, offering a 20 percent cut from each successful ransomware attack. The actor allegedly preferred targeting entities based in Australia, Canada and the U.S. with an annual revenue of at least US $150 million. Once given credentials, the actor conducts multistage network attacks that include reconnaissance, privilege escalation, moving laterally, exfiltrating data and deploying ransomware.
Protecting your credentials
Compromised credentials are a massive problem that often extends conversations about security beyond the posture of third-party vendors. With Intel 471's Credential Intelligence feature, it's now possible to gain coverage over this aspect of the cybercrime underground.
You can now monitor the credentials that are most important to your organization including those tied to your suppliers or vendors. With credential intelligence built into the Titan platform, your organization can now mitigate the risk of compromised credentials and proactively monitor for newly compromised credentials.