Chris Swagler | February 9th, 2024


Account credentials, a common initial access vector, have become a desirable commodity in cybercrime: a single set of stolen credentials can be used to compromise a company’s entire network. The 2023 Data Breach Investigations Report revealed that external groups were responsible for 83% of breaches between November 2021 and October 2022, and that 49% of those breaches involved stolen credentials. How do threat actors compromise credentials? Social engineering was among the top five cybersecurity threats in 2023. Phishing accounted for the majority of social engineering attempts and was the primary method for stealing credentials in 2023, an inexpensive strategy that produced results. With phishing and social engineering techniques continuing to advance and tools becoming more widely available, credential theft needs to be the top security concern for companies.

The Evolution of Phishing

With phishing and social engineering, threat actors are aiming beyond using only emails:

  • Phishing campaigns are multi-channel attacks with numerous stages. Threat actors are utilizing texts and voicemail, in addition to emails, to lure victims to malicious websites, followed by a phone call to perpetuate the ruse.
  • Threat actors are targeting mobile devices. With users being deceived by social engineering tactics across numerous apps, credentials can be compromised. In each quarter of 2022, half of all personal devices were exposed to phishing attacks.
  • Artificial intelligence has become a factor. AI is being used to give phishing content more credibility and to broaden the scope of attacks. Using victim research data, AI can generate personalized phishing messages and then refine them, adding a veneer of legitimacy for better results.

Stealing Credentials Using PhaaS Model

Not much is required to start stealing credentials. Phishing has become a profitable industry as threat actors fully embrace the phishing-as-a-service (PhaaS) model, outsourcing their skills to others. With phishing kits available on underground forums, beginners who could not break into IT systems on their own can launch attacks. PhaaS functions the same way legitimate SaaS businesses do, with several subscription models, and a license must be purchased for the kits to function.

Microsoft 365 Accounts Targeted by Advanced Phishing Tools – Threat Actor’s BEC Phishing Ecosystem Exposed

The threat actor W3LL has been selling its customized phishing kit, the W3LL Panel, through its underground market, the W3LL Store, for the last six years. The W3LL phishing kit was designed to bypass multi-factor authentication (MFA) and is one of the most advanced phishing tools available on the underground market. The tools were used to successfully infiltrate around 8,000 of the 56,000 corporate Microsoft 365 business email accounts targeted between October 2022 and July 2023. Additionally, W3LL provided victim email lists, compromised email accounts, VPN accounts, compromised websites and services, and personalized phishing lures. Over the last 10 months, the W3LL Store’s estimated revenue was up to $500,000.

BEC Simplified by Greatness Phishing Kit

Greatness has been in the wild since November 2022, with significant increases in activity in December 2022 and again in March 2023. Like the W3LL Panel, Greatness supports multi-factor authentication bypass, in addition to Telegram bot integration and IP filtering.

Stolen Credentials Sold in the Underground Market

More than 24 billion credentials were sold on the Dark Web in 2022, up from 2020. The price of stolen credentials depends on the account type: stolen cloud credentials cost approximately the same as a dozen doughnuts, whereas ING bank account logins sell for $4,255. Accessing the underground forums can be difficult, as some operations require verification or a membership fee. In other cases, such as the W3LL Store, new members are only accepted on the recommendation of existing members.

Risk of End-Users Using Stolen Credentials

End-users reusing passwords across numerous accounts magnify the risk of stolen credentials. Threat actors pay for stolen credentials because they know that many people use the same password for numerous accounts and web services, both personal and business. Regardless of how strong a company’s own security is, it cannot prevent the reuse of legitimate credentials stolen from another account.

Stealing Credentials Motivated by Financial Gain

Threat actors who have stolen account credentials can use the compromised email account to spread malware, steal data, impersonate the account owner, and carry out other malicious acts. However, the threat actors who steal credentials aren’t always the ones who use them. Financial gain is the primary motive in 95% of breaches. Threat actors sell stolen credentials on underground forums for a fee to other threat actors, who may use them weeks or months later, meaning that stolen credentials will continue to fuel underground markets in the future. What precautions can companies take to protect users’ credentials?

With threat operators evolving their phishing and social engineering tactics and methods to steal more login information, companies need to stay alert to the current threat landscape and regularly change the passwords on accounts. At SpearTip, our phishing assessments test and educate personnel at the client organization. This is done by sending them non-malicious phishing emails, observing their responses, and providing a short training video on the dangers of phishing and how to spot it. SpearTip offers phishing and social engineering training as mitigation to enhance skills related to defending against these threats. The training tests the discernment of companies, educates employees regarding common phishing tactics and indicators, and identifies related security gaps in their environment. Our team creates phishing emails and social engineering simulations like those threat actors use and sends them throughout the organization. We provide insight and feedback to improve the cyber defenses of companies, leading to a profound decrease in the likelihood of being victimized by phishing or social engineering scams. After the training, our team provides precise and thorough strategies for hardening their environment and implementing ongoing awareness training.

If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.


Frequently Asked Questions

What measures can individuals and organizations take to protect themselves from phishing attacks and the sale of stolen credentials on the dark web?

Individuals and organizations can take various measures to protect themselves from phishing attacks and the sale of stolen credentials on the dark web. Some of the measures include using strong and unique passwords, enabling multi-factor authentication, educating employees and users on how to spot and avoid phishing attempts, implementing security software and firewalls, monitoring and analyzing network traffic, and staying up-to-date on the latest security threats and trends.

What are some common methods used by threat operators to obtain user credentials through phishing?

Threat operators use various methods to obtain user credentials through phishing. Some of the common methods include sending fake emails or messages that impersonate legitimate organizations or individuals, creating fake websites that look like legitimate ones to trick users into providing their login credentials, and using social engineering tactics to manipulate users into giving away sensitive information. Threat operators may also use malware or other techniques to intercept user credentials as they are entered into legitimate websites.

How do cybercriminals typically profit from selling stolen credentials on the dark web, and what kind of information do they typically target?

Cybercriminals profit from selling stolen credentials on the dark web by using them to gain unauthorized access to sensitive data and systems, or by selling them to other cybercriminals who can use them for similar purposes. The information that cybercriminals typically target includes usernames, passwords, credit card numbers, social security numbers, and other personally identifiable information that can be used for identity theft or fraud. Cybercriminals may also target login credentials for specific websites or services that have a high value on the black market.
