The Foundation of Cyber-Attacks: Credential Harvesting

Recent reports of a newly detected Smoke Loader infection campaign and the re-emergence of Magecart-based cyber-attacks illustrate a common tactic used by cyber criminals and state-sponsored attackers alike ― credential harvesting. According to the Verizon 2017 Data Breach Investigation Report, 81% of hacking-related breaches leverage either stolen, default, or weak credentials. While credential harvesting is often equated with phishing, phishing is only one of several tactics it relies on.

Cyber attackers long ago figured out that the easiest way for them to gain access to sensitive data is by compromising an end user’s identity and credentials. Betting on the human factor and attacking the weakest link in the cyber defense chain, credential harvesting has become the foundation of most cyber-attacks. 

While credential harvesting is widely used by attackers, what they do with the stolen information varies greatly. In some cases, the credentials are used for subsequent attacks whose goal is to gain access to systems or network resources; in others they are monetized by taking over bank accounts or simply selling the information on the Darknet.

Both consumers and business users need to understand that credential harvesting comes in multiple flavors and combinations and is not always tied to email phishing alone. In general, cyber adversaries leverage social engineering techniques, malware, digital scams, or any combination thereof to steal credentials. Most users are familiar with phishing emails that contain links to cloned websites, or weaponized attachments that install malware on the victim's computer.

In the case of cloned websites, the victim is often unaware of the attack, since the cloned pages usually look authentic. When the user enters his or her credentials, the page not only captures them but then forwards them to the real login page, which logs the user in. The victim never even knows their credentials were stolen. In other cases, like the recent Smoke Loader infection campaign, the attack begins with phishing emails that carry a weaponized Word document. When a user opens the file, it triggers the execution of a macro that downloads malware, which subsequently harvests the user's credentials.

The latest technique being used for credential harvesting is the digital skimmer. While skimming was originally applied to ATMs, threat groups like Magecart have perfected its use for the digital world. By injecting scripts into commonly used Web tools such as cloud analytics plug-ins, content management systems, and online support snippets, cyber criminals can steal data that is entered into online payment forms or login pages on eCommerce sites.

One such attack targeted a global online ticket sales company and made headlines just a few weeks ago. According to the security researchers that detected the attack, more than 800 other websites were impacted by Magecart campaigns. Magecart actors continue to evolve their approach and are now compromising third-party tools rather than injecting JavaScript into individual websites. In doing so, they are able to harvest exponentially more credentials than in the past.
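The skimmer scenario above comes down to a script tag on a checkout page that the site owner did not put there, or a vetted third-party script whose content changed upstream. The following is an added example (not code from the article or from any vendor it names) of a defender-side audit a site owner can run against their own pages: it flags external scripts from hosts outside the owner's inventory and vetted third-party scripts that carry no Subresource Integrity hash, and it derives the matching Content-Security-Policy `script-src` directive. The allowlist, the sample HTML and the hash values are constructed for illustration.

```javascript
// Added example: audit a page's <script> tags against a script-host inventory.
// Assumptions (constructed): shop.example is the first-party host and the
// analytics vendor is the only vetted third party. Hash values are placeholders.
const FIRST_PARTY_HOST = "shop.example";
const ALLOWED_SCRIPT_HOSTS = new Set([FIRST_PARTY_HOST, "cdn.analytics-vendor.example"]);

// Constructed sample page: a first-party script, a vetted third-party script with SRI,
// a vetted third-party script without SRI, an unknown-host script, and an inline script.
const SAMPLE_HTML = `
<html><head>
<script src="https://shop.example/js/checkout.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="https://cdn.analytics-vendor.example/track.js" integrity="sha384-BBBB" crossorigin="anonymous"></script>
<script src="https://cdn.analytics-vendor.example/support-widget.js"></script>
<script src="https://cdn-stats.example.net/collect.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><form id="payment"></form></body></html>`;

// Returns one finding per external script that is either off-inventory (high) or
// a third-party script served without an integrity attribute (medium).
function auditScripts(html, allowedHosts, firstPartyHost) {
  const findings = [];
  const scriptTag = /<script\b([^>]*)>/gi;
  let m;
  while ((m = scriptTag.exec(html)) !== null) {
    const attrs = m[1];
    const src = (attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1];
    if (!src) continue; // inline scripts are governed by CSP, not SRI
    let host = null;
    try { host = new URL(src, `https://${firstPartyHost}/`).host; } catch (e) { host = null; }
    const hasIntegrity = /\bintegrity\s*=\s*["']sha(256|384|512)-[^"']+["']/i.test(attrs);
    if (!host || !allowedHosts.has(host)) {
      findings.push({ src, severity: "high", reason: "script host not in inventory" });
    } else if (host !== firstPartyHost && !hasIntegrity) {
      findings.push({ src, severity: "medium", reason: "third-party script without Subresource Integrity" });
    }
  }
  return findings;
}

// Builds the CSP directive that would make the browser refuse off-inventory scripts.
function buildScriptSrcPolicy(allowedHosts, firstPartyHost) {
  const thirdParty = [...allowedHosts].filter((h) => h !== firstPartyHost).map((h) => `https://${h}`);
  return `script-src 'self' ${thirdParty.join(" ")};`;
}

for (const f of auditScripts(SAMPLE_HTML, ALLOWED_SCRIPT_HOSTS, FIRST_PARTY_HOST)) {
  console.log(`[${f.severity}] ${f.src}: ${f.reason}`);
}
console.log(buildScriptSrcPolicy(ALLOWED_SCRIPT_HOSTS, FIRST_PARTY_HOST));
```

Run this against a crawl of the checkout and login pages on a schedule; a new high finding is the signal that a skimmer, or an unreviewed tag, has appeared.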

Risk Mitigation 

So what steps can consumers and businesses take to minimize the risk of falling victim to these credential harvesting campaigns? Here are a few fundamental steps to take:

Anti-Phishing Training: Educating users, whether consumers or employees, about the risk of phishing and the characteristics of these attacks is an essential first step.

Limit Use of Third-Party Web Scripts / Plug-Ins: Exercise caution when deploying third-party Web tools. Investigate the security practices of these tools to determine whether they are comprehensive enough to minimize the risk of malicious script injection. Obviously, restricting the use of third-party Web tools must balance security with providing a differentiated customer experience.

Multi-Factor Authentication (MFA): Since MFA requires multiple independent factors for identification (something you know, something you have, and something you are), it is one of the best ways to prevent unauthorized users from accessing sensitive data and moving laterally within the network. Thus, it should be standard practice for all organizations.

Risk-Based Access Control: Risk-based access uses machine learning to define and enforce access policy based on user behavior. Through a combination of analytics, machine learning, user profiles, and policy enforcement, access decisions can be made in real time: easing low-risk access, stepping up authentication when risk is higher, or blocking access entirely. Risk-based access control is often used in combination with MFA.
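To make the last two items concrete, here is an added example (not code from the article or from any product) of the allow / step-up / block decision a risk-based access engine makes at login time. Commercial engines derive the weights from machine-learned behavioral baselines; the weights, thresholds, baseline and login contexts below are assumptions constructed for illustration, and a stolen password alone is the case the step-up is designed to stop.

```javascript
// Added example: rules-based stand-in for a risk-based access decision.
// All weights, thresholds and the user baseline are constructed assumptions.
const STEP_UP_THRESHOLD = 30; // at or above: require a second factor
const BLOCK_THRESHOLD = 80;   // at or above: deny outright

// Constructed behavioral baseline for one user (what an engine learns from history).
const BASELINE = {
  knownDeviceIds: new Set(["laptop-7f3a"]),
  usualCountries: new Set(["DE"]),
  usualHours: [7, 19], // UTC, start inclusive / end exclusive
  lastLogin: { country: "DE", at: Date.parse("2018-11-20T08:00:00Z") },
};

// Scores one login attempt; every contributing signal is recorded for the audit log.
function scoreLogin(ctx, baseline) {
  const reasons = [];
  let score = 0;
  if (!baseline.knownDeviceIds.has(ctx.deviceId)) { score += 30; reasons.push("unrecognized device"); }
  if (!baseline.usualCountries.has(ctx.country)) { score += 25; reasons.push("unusual country"); }
  const hour = new Date(ctx.at).getUTCHours();
  if (hour < baseline.usualHours[0] || hour >= baseline.usualHours[1]) { score += 10; reasons.push("outside usual hours"); }
  if (ctx.failedAttemptsLastHour >= 5) { score += 25; reasons.push("repeated failed attempts"); }
  // Impossible travel: a different country less than two hours after the previous login.
  const hoursSinceLast = (ctx.at - baseline.lastLogin.at) / 3600000;
  if (ctx.country !== baseline.lastLogin.country && hoursSinceLast < 2) { score += 40; reasons.push("impossible travel"); }
  return { score, reasons };
}

// Maps the score to the policy outcome: allow, step_up (MFA challenge) or block.
function decideAccess(ctx, baseline) {
  const { score, reasons } = scoreLogin(ctx, baseline);
  const decision = score >= BLOCK_THRESHOLD ? "block" : score >= STEP_UP_THRESHOLD ? "step_up" : "allow";
  return { decision, score, reasons };
}

// Constructed login contexts: routine, new device, and a stolen-credential pattern.
const ROUTINE_LOGIN = { deviceId: "laptop-7f3a", country: "DE", at: Date.parse("2018-11-20T09:00:00Z"), failedAttemptsLastHour: 0 };
const NEW_DEVICE_LOGIN = { deviceId: "phone-c21e", country: "DE", at: Date.parse("2018-11-20T09:00:00Z"), failedAttemptsLastHour: 0 };
const SUSPICIOUS_LOGIN = { deviceId: "vm-0001", country: "NG", at: Date.parse("2018-11-20T09:30:00Z"), failedAttemptsLastHour: 6 };

for (const ctx of [ROUTINE_LOGIN, NEW_DEVICE_LOGIN, SUSPICIOUS_LOGIN]) {
  const r = decideAccess(ctx, BASELINE);
  console.log(`${ctx.deviceId}/${ctx.country}: ${r.decision} (score ${r.score}; ${r.reasons.join(", ") || "no signals"})`);
}
```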

Stealing a valid credential and using it to access a network is easier, less risky, and ultimately more efficient than exploiting a vulnerability, even a zero-day. Cyber security defenses need to adapt to this fact. User education and strengthening an organization's authentication systems are two essential steps that can minimize the risks associated with credential harvesting and the subsequent cyber-attacks aimed at data exfiltration.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
