Suppose you’re a burglar who wants to break into a warehouse to steal merchandise. The only ways to enter are to squeeze through a small window that’s guarded by a burglar alarm or to steal the keys for the loading dock’s door. Which would you choose? Most burglars would choose the latter, as it’s an easier, less risky way to get into the building.
Cybercriminals are no different. Rather than devise a risky, time-consuming ploy to hack into a network that’s guarded by a security system, most cybercriminals would choose to enter through the main door by stealing the keys — the account’s username and password — for the database account.
Using stolen credentials for data breaches is very high on hackers’ tactics list. According to the 2019 Data Breach Investigations Report it’s topped only by phishing – another tactic to steal credentials.
Stealing account usernames and passwords is often referred to as credential or data harvesting. Data breaches aren’t the only reason why cybercriminals harvest information. They also use them to steal money, such as using stolen bank account credentials to pilfer money from an account, and hijack accounts, such as using stolen email account credentials to carry out Business Email Compromise, or BEC, attacks.
In addition, hackers sell harvested data on the dark web. For example, the credentials for an online payment service such as PayPal sell for $20 to $200, according to Experian.
Because of the prevalence and serious consequences of data harvesting, you need to protect your company’s account credentials. To do so, though, you first need to understand how cybercriminals steal credentials.
Although cybercriminals are constantly coming up with new ways to steal data and credentials, they often rely on a tried-and-true method: phishing emails.
According to the 2019 Global Phish Report, credential harvesting is the goal of 41% of phishing emails. These mass emails typically try to trick recipients into clicking a link that leads to a malicious web page. The page might dupe them into entering their login credentials, or it might load credential-stealing malware on their devices.
Alternatively, phishing emails might try to trick recipients into opening an attachment that includes malicious code. The code initiates a process that installs credential-stealing malware on the recipients’ devices.
Another common way hackers steal credentials is through social engineering scams. These highly personalized scams can occur via email, over the phone, and even in person. The hackers often masquerade as employees, but sometimes they pretend to be business associates (e.g., suppliers) or trusted outside authority figures (e.g., external auditors).
They spin a tale to get the target to reveal the credentials for an account. To make the tale believable, the hackers usually learn the business lingo, search the internet for information that can help them with their impersonations, and use techniques such as caller-ID or email-address spoofing to make it appear as if the call or email is from a legitimate contact.
Malware is also commonly used to steal credentials. For example, cybercriminals like to use keyloggers, which capture victims’ keystrokes. Hackers get keyloggers onto victims’ devices through phishing emails, drive-by downloads, and other means.
Digital skimmers are also becoming popular among cybercriminals. Hackers insert these malicious scripts into web tools (e.g., plug-ins) on eCommerce websites. The digital skimmers then steal credentials that visitors enter into login pages and payment information they provide in online payment forms.
Data harvesting is a serious threat to all businesses, no matter their size or industry. Measures that you can take to help keep your company’s data safe include:
In addition, you can implement other measures to reduce your company’s attack surface and strengthen its overall security defenses. For instance, you can eliminate unnecessary local accounts and follow the principle of least privilege for the remaining ones.
Synoptek’s security professionals can walk you through your options and help you develop a comprehensive strategy to defend against data harvesting and other types of cyber attacks.
Contact us to set up a consultation about your cybersecurity options.