https://cyberint.com/blog/thought-leadership/compromised-credentials-tactics-risks-mitigation/
COMPROMISED CREDENTIALS: TACTICS, RISKS, MITIGATION

Thought Leadership – May 31, 2023

THE AUTHOR
DARJA FELDMAN – Dedicated and enthusiastic WEBINT Analyst with four years of experience. Multilingual with extensive research experience in online risk & fraud prevention in FinTech.

TABLE OF CONTENTS
* Uses of Compromised Credentials
* Compromised Credentials Tactics and Techniques
* What is Credential Stuffing?
* What Is An Account Takeover?
* With Compromised Credentials, Time Is Money
* The Impact of Exposed Customer Credentials
* How to Identify a Compromised Customer Account
* Recommendations to Prevent Compromised Customer Credentials
* Immediate Steps to Take When Compromised Customer Credentials Are Found
* How to Defend Against Compromised Credential Attacks

The theft of users’ credentials is a growing industry. The market for compromised credentials is vast and has huge potential due to:

* The online availability of cheap malware kits
* The increase in active theft operations around the world
* The increasing sophistication of techniques implemented by threat actors

These factors have created a lucrative market for cybercriminals who are able to steal credentials and sell them on the black market. The stolen credentials can then be used to access personal and financial information, commit identity theft, or launch other cyberattacks.

Almost every website and application uses passwords to authenticate users, who have to deal with an increasing number of online accounts. As that number grows, users tend to reuse the same account-password combinations for many of the online services they use. Unfortunately, the widespread use and reuse of passwords makes them attractive targets for cybercriminals, who know that stolen passwords provide an entry point to other accounts and services.

Each year, billions of compromised credentials appear online, either on the dark web, clear web, paste sites or in data dumps shared by cybercriminals. These credentials are then used by threat actors for account takeover attacks, fraud, and data theft. While businesses try to protect their own sensitive information from attacks, customer information is stored in vulnerable databases all over the web. This resulted in identity fraud losses totaling around $52 billion, affecting 42 million U.S. adults in 2022 alone.

The identification of compromised customer accounts, targeted domains, and vulnerable passwords enables organizations to proactively build a better defense against account takeovers and fraudulent activities. Furthermore, the constant identification of customer accounts that have been compromised provides ongoing fraud monitoring without impacting the user experience. Collected data can be used to gain insight into which domains are being targeted and what the most vulnerable passwords are. This helps to prioritize risk mitigation strategies and protect both the organization’s customers and its own reputation.

USES OF COMPROMISED CREDENTIALS

An organization’s customers’ credentials are a valuable commodity in the cybercriminal market for two main reasons:

1. They are relatively easy and cheap to obtain, requiring little effort from novice threat actors to get their hands on.
2. The credentials can be developed and abused in a variety of other fraudulent activities, such as:

* Acquiring Additional PII and Data – after entering an account, threat actors can harvest more information, for example credit cards, phone numbers, addresses, IDs, etc.
* Spam – a legitimate account is a good tool for scams and other deceitful activities.
* Phishing – under the disguise of a legitimate account, threat actors target the account owner’s contacts.
* Ransom Attacks – owners of valuable accounts might be forced to pay a ransom to regain access to their accounts.
* Financial Fraud – accounts with access to financial data and the ability to execute transactions, such as credit cards, withdrawing funds and wiring money, are especially valuable to threat actors. Financial fraud and transaction laundering can be executed with standard currencies, as well as cryptocurrencies, and even loyalty points or gift card credit.
* Promo Abuse – threat actors rely on multi-accounting techniques to gain as many sign-up or referral bonuses as possible.
* Card Testing – some accounts are only used to make small purchases, or to test credit cards. This helps threat actors to check the validity of stolen credit cards, which can then fuel their criminal buying sprees.
* Acquiring Access to Premium Accounts – especially popular for fee- or membership-based services, such as Netflix, Spotify, and others.
* Money Laundering or Money Mule Transactions
* Social Media Engagement – compromised accounts are used to run “bot farms” for social media engagement manipulation, such as followers and likes.

COMPROMISED CREDENTIALS TACTICS AND TECHNIQUES

The foundation for exposed customer credentials is fraudulent access to a user’s account credentials. Below are some of the tactics attackers usually use to compromise legitimate accounts:

1. Brute-force attacks – The attacker tries username/password combinations across many accounts until one yields results. These include so-called “dictionary attacks,” in which attackers use common passwords and dictionary terms to guess passwords.
2. Credential Stuffing – The attacker exploits the bad habit of people using the same password for multiple accounts. If one of those passwords is leaked in an unrelated data breach, any other account with the same username and password is at risk.
3. Dark Markets – Attackers can download cracked passwords from darknet markets and attempt ATO on the same user accounts on their target site.
4. Phishing – remains an effective way to get a victim’s password. Without controls such as multifactor authentication (MFA), lost credentials can lead to compromised accounts.
5. Malware Attacks – Keyloggers, stealers, and other varieties of malware can expose user credentials, giving attackers control of victims’ accounts.
6. Security Vulnerability Exploitation – unpatched security holes are used to gain unauthorized access to a system, for example Cross-Site Scripting (XSS) and Server Side Request Forgery (SSRF).
7. Social Engineering Attacks – threat actors contact people in person and attempt to extract login information.

WHAT IS CREDENTIAL STUFFING?

Credential stuffing is a type of cyber attack that involves repeated attempts to log in to online accounts using usernames and passwords stolen from other online services. It takes advantage of the fact that people often reuse passwords across multiple accounts. Threat actors know that usernames and passwords used on one website may also be used on other websites, and they exploit this weakness by using automated tools to try these credentials on many different websites.

Credential stuffing attacks often require little technical knowledge. Threat actors can use free, easily accessible software that can send hundreds of simultaneous login attempts without any human intervention. A single threat actor can easily send hundreds of thousands or even millions of login attempts to a single web service. Although most login attempts in a credential stuffing attack fail, the sheer number of attempts means a single attack can still result in thousands of accounts being compromised.

Threat actors have several ways to monetize these compromised accounts, such as:

* Using a credit card saved by a customer to make fraudulent purchases.
* Stealing and selling gift cards that a customer has saved on an account.
* Using customer details stolen from an account to conduct a phishing attack.
* Simply selling login credentials to someone else on the dark web.

WHAT IS AN ACCOUNT TAKEOVER?

An account takeover is an identity attack in which attackers gain unauthorized access to customers’ legitimate accounts using a variety of attack vectors, including credential stuffing, phishing, and session hijacking. Once they have access, they can steal something of value, such as sensitive personal information, impersonate the account owner, gain access to funds and/or payment cards, or use the account as an entry point to defraud the owner’s contacts.

Account takeovers are used by threat actors in a variety of ways, including:

* Stealing sensitive personal information
* Impersonating the account owner
* Gaining access to funds and/or payment cards
* Using the account as an entry point to defraud the owner’s contacts

It is important to note that Account Takeover (ATO) fraud is not limited to bank and credit card accounts. Attackers can also use reward cards and services, including points saved on hotel accounts and airline miles. This scam is gaining traction because targeted users rarely check their reward accounts for fraud compared to credit card and bank accounts.

ATOs usually start with credential stuffing attacks. Attackers use scripts that contain potentially thousands of credentials and user accounts to automate these attacks. Revenue generated from a successful advanced attack can reach millions on darknet markets.

The emergence of darknet markets has popularized account takeover attacks. Attackers no longer need to steal directly from targeted users, which reduces personal liability. Conversely, attackers looking to steal directly from users can simply purchase valid accounts on darknet markets without completing the tedious task of password cracking.

The increase in financial accounts and products has also populated the market. Targeted users often have many financial accounts spread across multiple websites, making them attractive to threat actors. More financial accounts and a larger online presence mean an increased attack surface for ATO fraud.

When attackers choose to sell authenticated accounts, they are expecting a high payout for their efforts. The value of just one hacked account depends on the amount of data stolen and the type of account. With potentially thousands of accounts, an attacker could have a hefty payday selling on darknet markets while limiting detection compared to directly stealing from victims.

WITH COMPROMISED CREDENTIALS, TIME IS MONEY

The fresher the compromised credentials, the higher the chance threat actors can achieve their financial objective. However, credentials are rarely used by threat actors in “real time.” Unless the credential is compromised in a highly targeted attack, threat actors require time to analyze the reams of data that they have captured. This process of filtration and extraction enables them to pull out ‘prime’ credentials either to sell on illegal marketplaces or to use for further exploitation.

However, the sooner the compromised credentials are detected, the faster security teams can remediate them. If stolen credential information can be detected very early on, no more than a few days after it has been compromised, the impact of the theft on the business can be massively reduced.

THE IMPACT OF EXPOSED CUSTOMER CREDENTIALS

Exposed customer credentials may not seem like one of a CISO’s responsibilities, as long as they are not the result of an internal breach. However, they can be very damaging, not only to the business’s brand reputation, but also in their financial and even legal implications. Furthermore, it should be kept in mind that users will most likely blame the business for any damage that occurs through exposed credentials and account takeovers, attributing it to the company’s lack of security and fraud-prevention measures.

WHAT ARE THE FINANCIAL IMPLICATIONS OF EXPOSED CUSTOMER CREDENTIALS?

* Increased Transaction Disputes
* Increased Chargebacks
* High Customer Churn
* Revenue Loss
* Eventually Financial Penalties/Fines

Chargebacks are expensive for e-commerce websites, especially those using third-party payment gateways. High chargeback rates can lead to increased transaction fees, which can result in significant losses. Therefore, credit card chargeback prevention is essential for any business.

WHAT ARE THE REPUTATIONAL IMPLICATIONS OF EXPOSED CUSTOMER CREDENTIALS?

* Customer Churn
* Financial Penalties/Fines
* Reputational Loss with Financial Institutions

Brand and reputation may suffer, as the company may find itself unfairly accused of a data breach, which might lead to negative publicity, fines, and lost business. Furthermore, loss of customers and future revenues may occur, as customers whose accounts are taken over lose trust in the brand and walk away, creating bad publicity for the company.

HOW TO IDENTIFY A COMPROMISED CUSTOMER ACCOUNT

Attacks resulting in exposed customer credentials are often identified by companies only after a customer files a claim or complaint. Proper bot and online fraud protection should be the minimum that a business implements on its online assets in order to detect this kind of attack and prevent the exposure of customer credentials and account takeovers. Below are some important signs for detecting account takeovers on the business’s websites:

* IP Addresses from unusual geographic locations – a sudden rise in IP addresses from one or more countries outside the usual access locations can be a good indicator of attacks using exposed customer credentials. Particular attention should be directed at changes in the access location for users with recent account changes.
* Multiple Accounts Share the Same Details – when similar changes to PII (email, delivery address, etc.) are applied across more than one account, it might be a sign of an account takeover attack.
* Unknown/Obfuscated Device Models – a higher-than-usual ratio of unknown devices is a warning sign.
* Multiple Accounts Accessed by the Same Device or IP – often attackers do not spoof or mask their device between logging into different accounts, meaning that if they steal and access more than one account, they will all be linked to one device. However, this indicator should not be considered stand-alone proof, taking into account cases where devices are legitimately shared by multiple users.
* Detection of Suspicious VPN Proxies or TOR Usage – or any other use of emulators and virtual machines
* Unusual Number of Chargeback Requests
* Mass Login Attempts on One Account
* Mass Password Reset Requests
* Unusually Large Purchases or Large Transfers

RECOMMENDATIONS TO PREVENT COMPROMISED CUSTOMER CREDENTIALS

Compromised customer credentials are so prevalent that most businesses cannot avoid them. Therefore, any company that maintains online accounts for its customers should have a data security plan that includes strong safeguards to protect customers. Furthermore, account takeovers involving compromised customer credentials are difficult to detect because they rely on social engineering techniques: threat actors may impersonate the victim or use other methods to trick the account holder into giving them their login information. Account owners often do not realize that their account has been compromised until it’s too late.

As with everything else, organizations should take a holistic approach to their cyber-defense, as there is no single measure or technology that can achieve total coverage. Even multifactor authentication can be bypassed. Smart password use is essential – password reuse should be avoided at all costs, and a strong password policy should be in place to reduce the risk of easy-to-guess passwords. Multifactor Authentication (MFA) should be set up, as a threat actor is less likely to have access to more than one factor of the authentication process. More information about this topic can be found in Cyberint’s report “Cookie O’clock.” It is highly recommended to put in place different complementary solutions to minimize both risk and impact. Companies should also consider how strong their defense mechanisms are in all threat stages: before, during and after an attack.
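Several of the signs listed under “How to Identify a Compromised Customer Account” (logins from a country the account has never used, one device touching many accounts, mass failed logins against one account, a burst of password resets) can be computed directly from authentication logs. The following is an added example, not Cyberint’s code or part of the original article; the log format, the field names, the thresholds and the sample events are all constructed for illustration, and the output is a set of leads for an analyst to triage rather than a verdict, since shared household devices and corporate NAT addresses produce the same signals.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Fields:
#   timestamp event account source_ip device_id country
# The first three lines establish a baseline; the rest show one device and
# one address working through several accounts from a new country.
SAMPLE_LOG = """\
2024-05-01T09:00:00 login_ok alice 203.0.113.5 dev-a1 DE
2024-05-01T09:10:00 login_ok bob 203.0.113.9 dev-b2 DE
2024-05-01T18:00:00 login_ok carol 203.0.113.40 dev-c3 FR
2024-05-02T03:00:00 login_ok alice 198.51.100.20 dev-zz NG
2024-05-02T03:01:00 login_ok carol 198.51.100.20 dev-zz NG
2024-05-02T03:02:00 login_ok dave 198.51.100.20 dev-zz NG
2024-05-02T03:03:00 login_ok erin 198.51.100.20 dev-zz NG
2024-05-02T04:00:00 login_fail frank 198.51.100.7 dev-zz NG
2024-05-02T04:01:00 login_fail frank 198.51.100.7 dev-zz NG
2024-05-02T04:02:00 login_fail frank 198.51.100.7 dev-zz NG
2024-05-02T04:03:00 login_fail frank 198.51.100.7 dev-zz NG
2024-05-02T04:04:00 login_fail frank 198.51.100.7 dev-zz NG
2024-05-02T04:05:00 login_fail frank 198.51.100.7 dev-zz NG
2024-05-02T04:10:00 password_reset gina 198.51.100.7 dev-zz NG
2024-05-02T04:11:00 password_reset hank 198.51.100.7 dev-zz NG
2024-05-02T04:12:00 password_reset ivan 198.51.100.7 dev-zz NG
2024-05-02T04:13:00 password_reset judy 198.51.100.7 dev-zz NG
"""

FIELDS = ("ts", "event", "account", "ip", "device", "country")


def parse_log(text):
    """Turn the whitespace-separated lines into dicts with a real datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split()))
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the window's left edge forward
            start += 1
        best = max(best, end - start + 1)
    return best


def unusual_country_logins(events):
    """Successful logins from a country the account has never logged in from before.
    Accounts with no prior history are skipped: there is no baseline to compare against."""
    seen = defaultdict(set)
    flagged = []
    for e in events:
        if e["event"] != "login_ok":
            continue
        history = seen[e["account"]]
        if history and e["country"] not in history:
            flagged.append((e["account"], e["country"]))
        history.add(e["country"])
    return flagged


def shared_device_accounts(events, min_accounts=3):
    """Devices that successfully logged into at least `min_accounts` distinct accounts.
    Treat as a lead, not proof: legitimately shared devices trip this too."""
    by_device = defaultdict(set)
    for e in events:
        if e["event"] == "login_ok":
            by_device[e["device"]].add(e["account"])
    return {d: sorted(a) for d, a in by_device.items() if len(a) >= min_accounts}


def mass_login_failures(events, threshold=5, window=timedelta(minutes=10)):
    """Accounts that received `threshold` or more failed logins inside one window."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "login_fail":
            fails[e["account"]].append(e["ts"])
    return sorted(a for a, ts in fails.items() if max_in_window(ts, window) >= threshold)


def mass_password_resets(events, window=timedelta(minutes=10)):
    """Peak number of password-reset requests site-wide inside one window."""
    return max_in_window([e["ts"] for e in events if e["event"] == "password_reset"], window)


def indicators(text):
    """Run every indicator over one log and return the leads for triage."""
    events = parse_log(text)
    return {
        "new_country": unusual_country_logins(events),
        "shared_device": shared_device_accounts(events),
        "mass_failures": mass_login_failures(events),
        "reset_peak": mass_password_resets(events),
    }


if __name__ == "__main__":
    for name, value in indicators(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

On the constructed log, `dave` and `erin` are not reported under `new_country` even though they log in from the same address as the others: with no history there is nothing to compare against, which is why the device-sharing and password-reset indicators are needed alongside the geographic one.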
Furthermore, it is important to note that the effectiveness of the recommendations mentioned above will likely change over time as threat actors adopt new tactics and techniques. Businesses should regularly evaluate the effectiveness of their own controls and implement new, adequate strategies.

Education is key to mitigating attacks. It is in the interest of both parties, companies and customers, to know how to identify potentially malicious activity. The ability to recognize when credentials might be compromised can save a huge amount of pain and financial loss.

IMMEDIATE STEPS TO TAKE WHEN COMPROMISED CUSTOMER CREDENTIALS ARE FOUND

* Freeze the Compromised Account – to prevent the threat actor from performing any fraudulent activities on the compromised account
* Freeze/Cancel all ongoing transactions – and ask for verification from the legitimate account owner
* Force a password reset
* Inform the legitimate account owner

Continuous cyber-hygiene can help prevent attacks, as well as mitigate their impact if and when one happens. Threat actors are constantly testing new ways to exploit the company's and customers' infrastructure, so remaining static when it comes to security protocols is a sure way to get breached.

HOW TO DEFEND AGAINST COMPROMISED CREDENTIAL ATTACKS

HOW TO PREVENT CREDENTIAL STUFFING ATTACKS

* Bot Detection
* Multifactor Authentication
* Prevent Reuse of Compromised Passwords
* Monitor customer activity
* Monitor customer fraud reports

HOW TO PREVENT FRAUD & MISUSE OF CUSTOMER INFORMATION

* Use Threat Intelligence and third-party fraud detection
* Re-authenticate at the time of purchase
* Prevent Gift Card Theft
* Respond to credential-stuffing events by notifying customers and investigating and remediating the incidents
HOW TO PREVENT ACCOUNT TAKEOVER ATTACKS

Users and website owners should take basic precautions to prevent ATO attacks:

* Users should always read emails from financial institutions and call customer service immediately after receiving suspicious alerts.
* Educating customers on:
  * The dangers and warning signs of phishing
  * Investigating links in emails before clicking
  * Smart Password Use
* Deployment of MFA
* Set a limit on login attempts
* Configure the fraud detection systems to display a CAPTCHA after a specific number of authentication attempts
* Send notifications of any account changes to customers

Vulnerabilities keep coming in different shapes and forms, and it is impossible to patch them all, compromised credentials included, overnight. To protect the organization, you first need to focus on the vulnerabilities that matter the most. Now, with Argos, known and unknown vulnerabilities are automatically correlated between your digital assets and your attack surface, highlighting those imminent threats that must be handled with the utmost urgency.
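As an added illustration of two of the preventive controls listed above, a per-account limit on login attempts that steps up to a CAPTCHA before locking, and a check that refuses passwords known to be compromised at the moment a password is set, here is a small Python example. It is not code from the original post or from Cyberint: the compromised-password sample, the attempt thresholds and the KDF iteration count are all assumptions chosen for illustration. The compromised check mirrors the prefix/suffix shape of a k-anonymity range lookup, so the full password hash would never have to be sent to a lookup service; here the lookup is answered from a constructed local set so the example runs offline.

```python
"""Added example: login attempt limiting with CAPTCHA step-up, plus rejection
of known-compromised passwords. Corpus, thresholds and KDF cost are
illustrative assumptions, not values from the post."""
import hashlib
import hmac
import secrets
from collections import defaultdict

CAPTCHA_AFTER = 3        # assumption: require a CAPTCHA after this many failures
LOCK_AFTER = 10          # assumption: freeze the account after this many failures
KDF_ITERATIONS = 200_000  # assumption: tune to current password-storage guidance

# Constructed stand-in for a compromised-password corpus. Each entry is kept as
# SHA-1 hex, split into a 5-character prefix bucket and the remaining suffix,
# the same shape a k-anonymity range query works with.
KNOWN_COMPROMISED = {"password123", "qwerty", "letmein"}  # constructed sample only
_BUCKETS = defaultdict(set)
for _pw in KNOWN_COMPROMISED:
    _digest = hashlib.sha1(_pw.encode()).hexdigest().upper()
    _BUCKETS[_digest[:5]].add(_digest[5:])


def range_lookup(prefix):
    """Stand-in for a range query: return every suffix whose SHA-1 starts with
    prefix. In production this is a call to a breach-corpus service; only the
    5-character prefix would leave the application."""
    return _BUCKETS.get(prefix, set())


def is_compromised(password):
    """True if the password appears in the compromised corpus."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


class AccountStore:
    """Minimal account store: salted PBKDF2 password records and a per-account
    failure counter driving CAPTCHA step-up and lock-out."""

    def __init__(self):
        self.users = {}                   # account -> (salt, derived key)
        self.failures = defaultdict(int)  # account -> consecutive failed attempts

    def set_password(self, account, password):
        # "Prevent reuse of compromised passwords": refuse before storing.
        if is_compromised(password):
            return "rejected_compromised"
        salt = secrets.token_bytes(16)
        self.users[account] = (salt, _derive(password, salt))
        return "ok"

    def login(self, account, password, captcha_solved=False):
        """captcha_solved stands in for the fraud-detection system's CAPTCHA verdict."""
        n = self.failures[account]
        if n >= LOCK_AFTER:
            # Frozen account: unlocking is an operator decision (e.g. a forced reset).
            return "locked"
        if n >= CAPTCHA_AFTER and not captcha_solved:
            # Step-up: no credential check and no counter change until the CAPTCHA passes.
            return "captcha_required"
        record = self.users.get(account)
        # Always run the KDF so unknown accounts and wrong passwords take similar time.
        salt, stored = record if record else (bytes(16), b"")
        candidate = _derive(password, salt)
        if record and hmac.compare_digest(candidate, stored):
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        return "failed"


if __name__ == "__main__":
    store = AccountStore()
    print(store.set_password("alice", "password123"))   # rejected_compromised
    print(store.set_password("alice", "correct horse battery staple"))
    for _ in range(3):
        print(store.login("alice", "wrong"))             # failed x3
    print(store.login("alice", "correct horse battery staple"))  # captcha_required
    print(store.login("alice", "correct horse battery staple", captcha_solved=True))  # ok
```

The CAPTCHA gate is checked before the password, so an attacker who refuses to solve it cannot keep testing credentials, and a successful login resets the counter so a legitimate user who mistypes a few times is not locked out. Once the lock threshold is reached the account behaves like the "freeze the compromised account" step above and stays frozen until an operator intervenes.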