Cybercriminals are compromising computer networks at a greater scale than ever before. The growth of cybercrime is attributable to the availability of services and digital goods offered by cybercriminals to other cybercriminals. In the legitimate economy, this relationship is known as business-to-business commerce. In the illicit economy, it’s known as cybercrime-as-a-service. The availability of these services allows fraudsters to focus on their specialty, whether that is ransomware, credit card fraud, ID theft or something else. One of the most popular digital goods, if not the most popular, is stolen login credentials. Unauthorized access to accounts and systems is a nearly universal trait of unlawful online activity.
Credentials are stolen in various ways, including phishing schemes, malware, social engineering and brute-force attacks. Because reusing login credentials is one of the easiest ways to compromise an organization, credentials have become one of the most sought-after products in the cybercrime-as-a-service economy. Defenses against replaying login credentials include more sophisticated monitoring of access using zero-trust principles and employing multi-factor authentication (MFA). Stronger authentication methods are also gaining in popularity due to specifications developed by the FIDO Alliance. Authentication, however, remains a weak point for organizations and a key enabler of data breaches.
Actors who sell credentials are known as initial access brokers (IABs); they sell access to fraudsters, ransomware gang affiliates and even state-sponsored actors. Sales of login credentials occur in underground forums, over Telegram and privately. Cybercriminals acquire login credentials and then reuse those credentials, gaining a foothold in the systems and allowing them to pivot deeper.
The scale is vast. Since the start of 2023, Intel 471 has observed more than 2,000 organizations across 55 industries that may have been affected by credential theft. At least 168 different IABs have been observed. Some of the most common types of credentials sold on underground markets include those for VPN and Remote Desktop Protocol software.
Intel 471 continually collects and analyzes compromised credentials from the cyber underground as part of our platform’s Credential Intelligence module. The sources for credentials are varied. Credentials are sometimes openly shared by threat actors. Direct engagement with threat actors can elicit credential data. And attackers may mistakenly reveal data due to infrastructure misconfigurations.
Other types of data sets include information-stealer logs. Also known as infostealers, this type of malware is pervasively spread via methods including malicious emails (malspam), SEO poisoning and fake websites hosting trojanized versions of popular software. Infostealer malware is like an ocean fishing trawler. Once a computer is infected, the infostealer collects stored browser data, including everything from login credentials to session tokens to cryptocurrency wallet data.
This data is then packaged up into “logs” which are then often sold in bulk. These logs can be of interest to ransomware actors and other more advanced threat actors, as enterprise login credentials may be captured from home computers that have been inadvertently infected with an infostealer.
Other sources of credentials include database dumps released by threat actors and so-called “combo lists,” which are massive lists of login credentials that have been cobbled together from multiple sources. Because the advertisement and sale of access and access credentials occurs prior to an intrusion, there’s an opportunity to collect threat intelligence that can help organizations potentially avert a breach. In 2022, Intel 471 observed that an average of 79 days elapsed between credentials being stolen from an organization, put up for sale on a forum, sold, and then used by a ransomware affiliate. However, this span of time can be much shorter. If an organization can learn that an initial access broker is selling credentials, the affected user account can be reset. If the sale of access credentials reveals signs of a deeper compromise, an organization can launch incident response.
Using our platform, customers can monitor for credentials belonging to their employees and customers, allowing them to proactively mitigate the risks. It can also help organizations spot and manage third-party risk by monitoring their suppliers.
The Credential Intelligence module can be leveraged for several use cases. This includes receiving alerts when employee or customer credentials are compromised, if partners or third-party suppliers are affected and specifically monitoring for high-risk and/or VIP individuals within an organization. These alerts can serve as guidance for taking action before harvested credentials are used by threat actors to steal data, launch ransomware or undertake other malicious actions.
Monitor for employee credentials: This allows for alerting when credential sets belonging to employees have been identified in infostealer logs, combo lists, data breaches and more. Intel 471 subscribers can add specific domains to monitor.
Monitor for customer credentials: In this scenario, Intel 471 is monitoring for the use of compromised credentials related to an organization’s customers. It’s possible to monitor by domain for credentials belonging to customers. In some scenarios, it’s possible to monitor if those compromised customer credentials are used to log into a particular domain monitored by Intel 471.
Monitor for key third-party supplier credentials: This type of monitoring alerts about compromised credentials related to any third-party relationships such as vendors and suppliers. This is intended to quickly identify possible risk. The details associated with these compromised credentials are partially obfuscated, but enough is retained to allow taking meaningful action on them. Monitoring third parties is an add-on service for Credential Intelligence.
Monitor VIP credentials: VIP emails are full email addresses of high-ranking or high-risk individuals that Intel 471 will monitor. These can be corporate or private email addresses. Users are alerted if the email addresses appear in a data set.
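As an added example (not Intel 471's code and not the platform's actual matching logic), the following Python sketches the four monitoring use cases above: a constructed feed of leaked credential records is matched against monitored employee, customer and third-party supplier domains and against a VIP email list, and each hit is reported with the secret partially masked. The domain names, email addresses and the tab-separated record format are assumptions made for the example.

```python
# Added example, not Intel 471 code: match leaked credential records against
# monitored assets and produce alerts with the secret partially obfuscated.
from dataclasses import dataclass
from typing import Iterable

# Assumed monitoring configuration (all names are constructed placeholders).
MONITORED = {
    "employee": {"example-corp.com"},          # own employee domains
    "customer": {"shop-example.com"},          # customer-facing domains
    "third_party": {"supplier-example.net"},   # vendors and suppliers (add-on)
}
VIP_EMAILS = {"ceo@example-corp.com", "cfo.private@example-mail.org"}

@dataclass(frozen=True)
class Alert:
    category: str      # employee, customer, third_party or vip
    email: str
    masked_secret: str # never the full credential
    source: str        # infostealer log, combo list, database dump, ...

def mask(secret: str) -> str:
    """Keep first and last character, hide the rest (partial obfuscation)."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return secret[0] + "*" * (len(secret) - 2) + secret[-1]

def classify(email: str) -> list[str]:
    """Return every monitoring category the address falls under."""
    email = email.strip().lower()
    cats = ["vip"] if email in VIP_EMAILS else []
    domain = email.rsplit("@", 1)[-1]
    for cat, domains in MONITORED.items():
        if domain in domains:
            cats.append(cat)
    return cats

def match_records(records: Iterable[str]) -> list[Alert]:
    """Each record is 'source<TAB>email<TAB>secret'; malformed lines are skipped."""
    alerts: list[Alert] = []
    for line in records:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 3:
            continue
        source, email, secret = parts
        for cat in classify(email):
            alerts.append(Alert(cat, email.strip().lower(), mask(secret), source))
    return alerts

# Constructed sample feed; every value here is made up for the example.
SAMPLE_FEED = [
    "infostealer_log\talice@example-corp.com\tWinter2023!",
    "combo_list\tceo@example-corp.com\thunter2",
    "combo_list\tcfo.private@example-mail.org\tpassw0rd",
    "db_dump\tbob@supplier-example.net\tqwerty",
    "combo_list\tcarol@shop-example.com\tletmein",
    "combo_list\tnobody@unrelated.example\tsecret",
    "malformed line without tabs",
]
```

A VIP address that also belongs to a monitored domain yields one alert per category, so the same record can surface both as a VIP hit and as an employee hit.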
Cybercriminals have refined malware and credential harvesting into practically industrial operations, and the scale is staggering. But as shown in this post, gathering credential data and analyzing it can result in meaningful insights that allow for pre-emptive action to avoid a data breach or ransomware attack.