Europe and Russia home to half of credential theft victims worldwide

According to Blueliv’s credential detection data, since the start of 2018 there has been a 39% increase in the number of compromised credentials detected from Europe and Russia, compared to the same period in 2017 (January-May). In fact, Europe and Russia are now home to half of the world’s credential theft victims (49%).

When Russian credential victims are removed from the dataset, this year-over-year comparison jumps to 62%. The Eurasian growth figures tracked by Blueliv are surprisingly higher than North America’s, which actually recorded a decline by almost half (48%) year over year.

These startling increases in cybercriminal success rates suggest that the credential theft industry is growing in the European region both in innovation and scope.

“All it takes is a single good credential for a threat actor to gain access to an organization and cause havoc, so as a European threat intelligence company, we are concerned to see significant credential theft growth rates in our home territory. Cybercriminals are constantly improving their weaponry and TTPs – industry collaboration and intelligence-sharing around these is crucial,” said Daniel Solís, CEO at Blueliv.

Malware families neck-and-neck

The report also observes some interesting trends in malware families being used to harvest these credentials. Pony, KeyBase and LokiPWS (also known as Loki Bot) have consistently been the most active stealers since the start of 2017, but Pony has always been several lengths ahead of its malware counterparts in terms of popularity. However, since the start of 2018, Blueliv has observed that LokiPWS has been narrowing the gap: the highest number of stealer samples detected by Blueliv’s infrastructure each month has now become a two-horse race between LokiPWS and Pony.

In fact, LokiPWS malware distribution has increased by more than 300% in the past year. More recently, from January to May 2018, there was a 167% increase in samples classified by Blueliv. Currently, it is possible to purchase LokiPWS from a variety of underground markets as a modular product (stealer, wallet stealer and loader) with prices ranging between $200-400, depending on the desired functionality.

Overview of detected samples per family in the past six months

Daniel Solís continued, “According to our analyst team, the number of LokiPWS samples detected implies that its popularity among cybercriminals is increasing. Source code leaks of different versions of in recent years have probably influenced this increase and helped it become one of the fastest-growing credentials stealer families. Pony meanwhile has been active since 2011, and might be experiencing ‘fatigue’ through more successful detection and remediation.”