Account credentials, a common initial access vector, have become a desirable commodity in cybercrime. Their theft can result in a single set of stolen credentials being used to compromise a company’s entire network. A 2023 Data Breach Investigation Report revealed that external groups were responsible for 83% of breaches between November 2021 and October 2022 and that 49% of the breaches involved stolen credentials.
How can threat actors compromise credentials?
Social engineering was among the top five cybersecurity threats in 2023. Phishing accounted for the majority of social engineering attempts, was the primary method for stealing credentials in 2023, and was an inexpensive strategy that produced results. With phishing and social engineering techniques continuing to advance and tools becoming more widely available, credential theft needs to be the top security concern for companies.
The Evolution of Phishing
With phishing and social engineering, threat actors are aiming beyond using only emails:
Stealing Credentials Using PhaaS Model
Not much is required to start stealing credentials. Phishing has become a profitable industry as threat actors fully adopt the phishing-as-a-service (PhaaS) model of outsourcing their skills to others. With the phishing kits available on underground forums, beginners who can’t access IT systems on their own can launch attacks. PhaaS functions in the same way as legitimate SaaS businesses do, with several subscription models, and a purchased license is required for the kits to function.
Microsoft 365 Accounts Targeted by Advanced Phishing Tools – Threat Actor’s BEC Phishing Ecosystem Exposed
Threat actor W3LL has been selling its customized phishing kit, the W3LL Panel, through its underground market, the W3LL Store, for the last six years. W3LL’s phishing kit was designed to bypass multi-factor authentication (MFA) and is one of the most advanced phishing tools available on the underground market. The tools were used to successfully infiltrate around 8,000 of the 56,000 corporate Microsoft 365 business email accounts that had been targeted between October 2022 and July 2023. Additionally, W3LL provided victims’ email lists, compromised email accounts, VPN accounts, compromised websites and services, and personalized phishing lures. In the last 10 months, the W3LL Store’s estimated revenue was up to $500,000.
BEC Simplified by Greatness Phishing Kit
Since November 2022, Greatness has been in the wild, with significant increases in activity in December 2022 and again in March 2023. Greatness supports multi-factor authentication bypass, in addition to Telegram bot integration and IP filtering, like the W3LL Panel.
Stolen Credentials Sold in the Underground Market
More than 24 billion credentials were sold on the Dark Web in 2022, up from 2020. The price of stolen credentials depends on the account type. For example, stolen cloud credentials cost approximately the same as a dozen doughnuts, whereas ING bank account logins sell for $4,255. Accessing the underground forums can be tough, as some operations require verification or a membership fee. In other cases, as with the W3LL Store, new members are only accepted on the advice of existing members.
Risk of End-Users Using Stolen Credentials
End-users reusing passwords across numerous accounts can magnify the risks of stolen credentials. Threat actors pay for stolen credentials because they know that numerous people are using the same password for numerous accounts and web services, both personal and business. Regardless of how strong a company’s security is, it’s possible to prevent the reuse of legitimate credentials stolen from another account.
Stealing Credentials Motivated by Financial Gain
Threat actors who have stolen account credentials can use the compromised email account to spread malware, steal data, impersonate the account owner, and carry out other malicious acts. However, the threat actors that steal credentials aren’t always the ones who use the information. Financial gain is the primary cause for 95% of breaches. Threat actors will sell stolen credentials on underground forums for a fee to other threat actors, who will use them weeks or months later. This means that stolen credentials will continue to fuel underground markets in the future.
What precautions can companies take to protect users’ credentials?
With threat operators looking to evolve their phishing and social engineering tactics and methods to steal more login information, companies need to be alert to the current threat landscape and regularly change the passwords on accounts. At SpearTip, our phishing assessments test and educate personnel at the client organization. This is done by sending them non-malicious phishing emails, observing their responses, and providing a short training video on the dangers of phishing and how to spot it. SpearTip offers phishing and social engineering training as mitigation to enhance skills related to defending against these threats. The training tests the discernment of companies, educates employees regarding common phishing tactics and indicators, and identifies related security gaps in their environment. Our team creates phishing emails and social engineering simulations like those threat actors use and sends them throughout the organization. We provide insight and feedback to improve the cyber defenses of companies, leading to a profound decrease in the likelihood of being victimized by phishing or social engineering scams. After the training, our team provides precise and thorough strategies about how to harden their environment and implement ongoing awareness training.
If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.
Individuals and organizations can take various measures to protect themselves from phishing attacks and the sale of stolen credentials on the dark web. Some of the measures include using strong and unique passwords, enabling multi-factor authentication, educating employees and users on how to spot and avoid phishing attempts, implementing security software and firewalls, monitoring and analyzing network traffic, and staying up-to-date on the latest security threats and trends.
Threat operators use various methods to obtain user credentials through phishing. Some of the common methods include sending fake emails or messages that impersonate legitimate organizations or individuals, creating fake websites that look like legitimate ones to trick users into providing their login credentials, and using social engineering tactics to manipulate users into giving away sensitive information. Threat operators may also use malware or other techniques to intercept user credentials as they are entered into legitimate websites.
Cybercriminals profit from selling stolen credentials on the dark web by using them to gain unauthorized access to sensitive data and systems, or by selling them to other cybercriminals who can use them for similar purposes. The information that cybercriminals typically target includes usernames, passwords, credit card numbers, social security numbers, and other personally identifiable information that can be used for identity theft or fraud. Cybercriminals may also target login credentials for specific websites or services that have a high value on the black market.
©2024 SpearTip, LLC. All rights reserved.