
The Foundation of Cyber-Attacks: Credential Harvesting


Recent reports of a newly detected Smoke Loader infection campaign and the re-emergence of Magecart-based cyber-attacks illustrate a common tactic used by cyber criminals and state-sponsored attackers alike ― credential harvesting. According to the Verizon 2017 Data Breach Investigation Report, 81% of hacking-related breaches leverage either stolen, default, or weak credentials. While credential harvesting is often seen as equivalent to phishing, it uses different tactics.

Cyber attackers long ago figured out that the easiest way for them to gain access to sensitive data is by compromising an end user’s identity and credentials. Betting on the human factor and attacking the weakest link in the cyber defense chain, credential harvesting has become the foundation of most cyber-attacks. 

While credential harvesting is widely used by attackers, what they do with the stolen information can vary greatly. In some cases, the credentials are used for subsequent attacks whose goal is to gain access to systems or network resources; in others, they are monetized by taking over bank accounts or simply by selling the information on the Darknet.

Both consumers and business users need to understand that credential harvesting comes in multiple flavors and combinations and is not always solely tied to email phishing. In general, cyber adversaries leverage social engineering techniques, malware, digital skimmers, or any combination thereof to steal credentials. Most users are familiar with phishing emails that contain links to cloned websites, or weaponized attachments that install malware on the victim’s computer.

In the case of cloned websites, the victim is often unaware of the attack, since the fake web designs often look entirely authentic. When the user enters his or her credentials, the page not only captures them but then forwards them to the real login page, which logs the user in as usual. The victim never even knows their credentials were stolen. In other cases, like the recent Smoke Loader infection campaign, the attack begins with phishing emails that carry a weaponized Word document. When a user opens the file, it triggers the execution of a macro that downloads malware, which subsequently harvests the user’s credentials.

The latest technique being used for credential harvesting is the digital skimmer. While skimming was originally applied to ATMs, threat groups like Magecart have perfected its use for the digital world. By injecting scripts into commonly used Web tools such as cloud analytics plug-ins, content management systems, and online support snippets, cyber criminals can steal data that is entered into online payment forms or login pages on eCommerce sites.

One such attack targeted a global online ticket sales company and made headlines just a few weeks ago. According to the security researchers that detected the attack, more than 800 other websites were impacted by Magecart campaigns. Magecart actors continue to evolve their approach and are now compromising third-party tools rather than injecting JavaScript into individual websites. In doing so, they’re now able to harvest exponentially more credentials than in the past.

Risk Mitigation 


So what steps can consumers and businesses take to minimize the risk of falling victim to these credential harvesting campaigns? Here are a few fundamental steps to take:

- Anti-Phishing Training: Educating users ― be it consumers or corporate ― about the risk of phishing and the characteristics of these attacks is an essential first step.

- Limit Use of Third-Party Web Scripts / Plug-Ins: Exercise caution when deploying third-party Web tools. Investigate the security protocols used by these tools to determine if they’re comprehensive enough to minimize malware injections. Obviously, restricting the use of third-party Web tools must balance security with providing a differentiated customer experience.

- Multi-Factor Authentication (MFA): Since MFA requires multiple methods for identification (something you know, something you have, and something you are), it’s one of the best ways to prevent unauthorized users from accessing sensitive data and moving laterally within the network. Thus, it should be standard practice for all organizations.

- Risk-Based Access Control: Risk-based access uses machine learning to define and enforce access policy, based on user behavior. Through a combination of analytics, machine learning, user profiles, and policy enforcement, access decisions can be made in real time, to ease low-risk access, step up authentication when risk is higher, or block access entirely. Risk-based access control is often used in combination with MFA.
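Two of the steps above can be made concrete. The first added example (not code from the article or any vendor) shows how a site that embeds third-party scripts, the Magecart scenario described earlier, can pin each script with a Subresource Integrity hash and a Content-Security-Policy allowlist so that a modified vendor file is refused rather than executed; the script bodies and the CDN origin are constructed sample values.

```python
"""Pin third-party scripts with Subresource Integrity (SRI) plus a CSP allowlist.

Added example, not from the article: a site reviews a vendor script once,
records its hash, and the browser refuses to run any later version whose
bytes differ (e.g. a vendor file that has been modified after compromise).
"""
import base64
import hashlib

ALLOWED_ALGOS = ("sha256", "sha384", "sha512")  # algorithms browsers accept for SRI


def sri_hash(script_body: bytes, algo: str = "sha384") -> str:
    """Return an SRI integrity value of the form '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, script_body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(script_body: bytes, integrity: str) -> bool:
    """True only if script_body still matches the pinned integrity value."""
    algo, _, _ = integrity.partition("-")
    if algo not in ALLOWED_ALGOS:
        return False  # unknown or weak algorithm: treat as unpinned
    return sri_hash(script_body, algo) == integrity


def script_tag(src: str, integrity: str) -> str:
    """Emit the <script> tag; 'crossorigin' is required for SRI on cross-origin files."""
    return f'<script src="{src}" integrity="{integrity}" crossorigin="anonymous"></script>'


def csp_header(allowed_script_origins) -> str:
    """Build a Content-Security-Policy value that only permits listed script origins.

    The allowlist limits *where* scripts may come from; SRI above limits *what*
    those scripts may contain, which is the part a compromised vendor defeats.
    """
    origins = " ".join(allowed_script_origins)
    return f"script-src 'self' {origins}; object-src 'none'"


# Constructed sample: the vendor script as reviewed and pinned at deploy time.
PINNED_SCRIPT = b"window.analytics = { track: function (e) { /* vendor code */ } };"
# Constructed sample: the same file after unexpected extra code was appended.
TAMPERED_SCRIPT = PINNED_SCRIPT + b"\n/* unreviewed additional code */"
```

A pinned script that the vendor legitimately updates will also fail the check until the hash is re-reviewed and re-pinned, which is the intended trade-off.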
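The second added example (again not the article's or any product's code) is a rule-based stand-in for the risk-based access control described above: it scores a login against a constructed per-user baseline and maps the score to the three outcomes named in the text (ease access, step up to MFA, or block). A real deployment would learn the baseline with machine learning; here the profile, signal weights and thresholds are assumptions.

```python
"""Rule-based illustration of risk-based access control.

Added example, not from the article: a correct password from an unfamiliar
device, country or time of day (what a harvested credential typically looks
like) scores high even though the credential itself is valid.
"""
from dataclasses import dataclass, field


@dataclass
class UserProfile:
    known_devices: set = field(default_factory=set)      # device identifiers seen before
    usual_countries: set = field(default_factory=set)    # countries the user logs in from
    active_hours: range = range(7, 20)                   # local hours the user is normally active


@dataclass
class LoginAttempt:
    device_id: str
    country: str
    hour: int                        # local hour of the attempt, 0-23
    failed_attempts_last_hour: int = 0


def risk_score(profile: UserProfile, attempt: LoginAttempt) -> int:
    """Sum weighted signals (weights are assumed values, not a standard)."""
    score = 0
    if attempt.device_id not in profile.known_devices:
        score += 40   # new device: the common tell of a stolen credential
    if attempt.country not in profile.usual_countries:
        score += 30   # unfamiliar geography
    if attempt.hour not in profile.active_hours:
        score += 10   # outside the user's normal hours
    score += min(attempt.failed_attempts_last_hour * 5, 20)  # guessing or stuffing pressure
    return score


def access_decision(score: int) -> str:
    """Map risk to the article's three outcomes; thresholds are assumed."""
    if score < 30:
        return "allow"     # low risk: frictionless login
    if score < 70:
        return "step_up"   # medium risk: require MFA before granting access
    return "block"         # high risk: deny and alert


# Constructed baseline for one user.
ALICE = UserProfile(known_devices={"laptop-01"}, usual_countries={"DE"})


def decide(profile: UserProfile, attempt: LoginAttempt) -> str:
    """Convenience wrapper: score the attempt and return the decision."""
    return access_decision(risk_score(profile, attempt))
```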

Stealing a valid credential and using it to access a network is easier, less risky, and ultimately more efficient than using an existing vulnerability, even a zero-day. Cyber security defenses need to adapt to this fact. User education and beefing up an organization’s authentication systems are two essential steps that can minimize the risks associated with credential harvesting and subsequent cyber-attacks aimed at data exfiltration.

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
