Early detection of compromised credentials can greatly reduce impact of attacks

According to Blueliv’s credential detection data, since the start of 2018 there has been a 39% increase in the number of compromised credentials detected from Europe and Russia, compared to the same period in 2017 (January-May). In fact, Europe and Russia are now home to half of the world’s credential theft victims (49%).

In this podcast, Patryk Pilat, Head of Engineering and Cyberthreat Intelligence at Blueliv, talks about the report, and illustrates how these startling increases in cybercriminal success rates suggest that the credential theft industry is growing in the European region both in innovation and scope.

Here’s a transcript of the podcast for your convenience.

I’m Patryk Pilat, Head of Engineering at Blueliv, a leading cyber threat intelligence company from Barcelona. We help organizations protect themselves by giving them visibility over the Internet, giving customers all over the world, from financial to insurance to retail, super fresh actionable threat intelligence to help them reduce their cyber risk. This includes detecting millions of compromised credentials every year to help secure the infrastructure. I’m here today to talk about our latest report, which focuses on the lifecycle of these stolen credentials.

There is a growing industry in the cybercrime ecosystem focused on obtaining valid login credentials using multiple mechanisms and tools. These tools nowadays can be cheaply acquired in the underground, darknet markets and forums. And you don’t have to be a highly seasoned cybercriminal to launch an attack.

According to our credential detection data, since the start of 2018 up until the end of May, there has been a 39 percent increase in the number of compromised credentials that we have detected from Europe and Russia, compared to the same period in 2017. In fact, Blueliv’s observations conclude that Europe and Russia make up half of the world’s credential theft victims.

We also found that when we remove Russia from the dataset, the growth figure for European theft victims jumps to 62 percent. These European growth figures tracked by us are surprisingly higher than North America’s, which recorded a decline of almost half in this period. We think that these cybercriminal success rates mean that the credential theft industry is growing in the European region, both in innovation and scope. We believe there are several reasons for this.

Firstly, there are more data stealer campaigns distributed across Europe at the moment. We also see that we are using more services online than ever before, such as cryptocurrency exchanges and other services like gaming or even gambling. There are simply more credentials that can be monetized by the bad guys.

We’ve also seen trends indicating that APTs, which are already well known for exchanging information online for targeted attacks, are continuing their collaboration at pace. In the report, we also point out that there has been a proliferation of cheap malware kits available for less skilled attackers to use.

[Image: credential theft victims]

We also highlight some credential price lists. For example, stolen credentials for an e-commerce site are available from about 9 dollars, with bank account credentials varying in price depending on the account balance. They can rise up to twenty five thousand dollars for a single account, which has for example half a million deposited in it. All it takes is a single good credential for a threat actor to gain access to an organization and cause havoc. So, we have been concerned to see significant credential theft growth rates in our region.

Most of the time the motivation behind credential compromise is financial, from blackmail to ransom, selling sensitive information, to committing fraud. The end goal is usually to profit from the attack. This could be through extortion or blackmail, espionage or to cause reputational damage, or for a number of other reasons which we explore in-depth in the report.

Ultimately, any organization which holds valuable data is at risk, and so should take appropriate measures to protect itself. So, what different measures can be taken by organizations to prevent and mitigate the impact of credential theft?

Well, there are some key things that we think that organizations should take away from this report. As with many aspects of cybersecurity, education is key to mitigating attacks. People within any organization should treat any requests for credentials as guilty until proven innocent.

The end users are always the weakest, and also the strongest link in the chain. A human touch complemented by threat intelligence is the best way to protect an organization. In fact, actionable intelligence enables organizations to block potential intrusions at the firewall level. It helps to plug holes before an attacker can get in.

This continuous cyber hygiene within an organization prevents attacks and mitigates the impact of an attack when one happens. It forces IT security teams to locate sources of breach and patch vulnerabilities in good time, with ongoing penetration testing, red teaming exercises and the like.

Now, organizations should always remember that the fresher the credential, the more likely it can be used effectively by cybercriminals. On the flip side, the sooner compromised credentials are protected, the sooner security teams can remediate.

So, having ultra fresh credential information is often extremely important. The very early detection of compromised credentials, no more than a few days after they have been compromised, can massively reduce the impact of the theft. We provide deep insight into the lifecycle of the compromised credential, and have made sure that our report offers valuable guidance to all levels – from CISOs seeking to protect their business, to analysts looking for IOCs to shrink their attack surface.
