Anyone who underestimates the scale of online credential compromise should consider the recent discovery of 16 billion exposed login credentials. Yes, that is 'billion' with a 'b'. The find is made up of at least 30 massive datasets, each containing anywhere from tens of millions to over 3.5 billion records. The credentials span a wide array of services, including corporate logins, VPNs, developer portals, and social media accounts. Accounts for major sites such as Apple, Facebook, Google, and GitHub are among those included. While some of the 16 billion credentials were recycled old leaks or credential stuffing sets, the majority were obtained using infostealer malware.
What is an Infostealer?
Infostealer malware is malicious software designed to quietly extract sensitive information from infected devices, including login credentials, browser-stored passwords, autofill data, and personal information. Once a device is infected, the malware harvests that information with techniques such as capturing keystrokes, screenshots, or browser data. Infostealers usually get onto a device through exploitable vulnerabilities, phishing, or malicious browser plug-ins. Once collected, the stolen data is transmitted to remote servers controlled by cybercriminals.
Innately Organized
The sheer number of stolen credentials is disturbing by itself; once you get past the volume, however, other aspects of the collection are equally concerning. The data is remarkably fresh, with many records reflecting recent activity. That increases the likelihood that the credentials are still valid, making them prime candidates for immediate exploitation.
What's even more dangerous is that the collection includes session cookies and tokens, which let attackers get into accounts even after the owner changes the password. The organized nature of the data is also startling: many of the credentials are sorted by category or region. That structure allows the collection to be easily integrated into automated tools for credential stuffing attacks.
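Why a stolen session cookie can outlive a password change comes down to how the server validates sessions: if a session is only checked for existence and expiry, nothing ties it to the password that was in force when it was issued. The following is an added illustration, not code from the original post or from HALOCK; it is a constructed in-memory session store (the `Account`, `SessionStore` and `stolen_cookie_after_password_change` names are invented for this example) that records a "credential generation" on each session and bumps that generation whenever the password changes, so every session issued before the change stops validating. The same store run with the check switched off shows the failure mode the post describes.

```python
import hashlib
import secrets
import time

# Constructed illustration, not a real framework's API. Every session records
# the "credential generation" it was issued under; a password change bumps the
# account's generation, so any session issued earlier (including one copied by
# an infostealer) fails validation on its next use.


class Account:
    def __init__(self, username, password):
        self.username = username
        self.password_hash = self._hash(password)
        self.credential_generation = 1  # incremented on every password change

    @staticmethod
    def _hash(password):
        # Placeholder hash for the demo; production code uses a slow KDF (argon2, bcrypt).
        return hashlib.sha256(password.encode()).hexdigest()

    def check_password(self, password):
        return secrets.compare_digest(self.password_hash, self._hash(password))

    def change_password(self, new_password):
        self.password_hash = self._hash(new_password)
        self.credential_generation += 1


class SessionStore:
    def __init__(self, ttl_seconds=3600, revoke_on_password_change=True):
        self.ttl = ttl_seconds
        self.revoke_on_password_change = revoke_on_password_change
        self._sessions = {}  # token -> (username, generation at issue, issued_at)

    def login(self, account, password, now=None):
        if not account.check_password(password):
            return None
        token = secrets.token_urlsafe(32)
        issued_at = time.time() if now is None else now
        self._sessions[token] = (account.username, account.credential_generation, issued_at)
        return token

    def validate(self, token, accounts, now=None):
        """Return the session's username if the token is still live, else None."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, generation, issued_at = entry
        now = time.time() if now is None else now
        if now - issued_at > self.ttl:
            self._sessions.pop(token, None)
            return None
        if self.revoke_on_password_change and generation != accounts[username].credential_generation:
            # Issued before the latest password change: treat it as revoked.
            self._sessions.pop(token, None)
            return None
        return username


def stolen_cookie_after_password_change(revoke_on_password_change):
    """Return (token works before the change, token works after the change)."""
    accounts = {"alice": Account("alice", "correct horse")}
    store = SessionStore(revoke_on_password_change=revoke_on_password_change)
    captured = store.login(accounts["alice"], "correct horse")  # the cookie an infostealer would copy
    before = store.validate(captured, accounts) == "alice"
    accounts["alice"].change_password("battery staple")
    after = store.validate(captured, accounts) == "alice"
    return before, after


if __name__ == "__main__":
    print("naive store      (before, after):", stolen_cookie_after_password_change(False))
    print("generation-aware (before, after):", stolen_cookie_after_password_change(True))
```

With the check disabled the captured token keeps working after the password change, which is exactly what makes the leaked cookies valuable; with it enabled the token is rejected on its next use. The same generation counter is a convenient hook for a "sign out everywhere" button and for forced revocation during incident response.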
The Potential Risks
Cybercriminals routinely collect, sell, and trade stolen credential collections on the dark web because these credentials are valuable for a wide range of malicious purposes. Recently acquired credentials let attackers immediately access and take over personal and corporate accounts. The immense volume of email and social media accounts becomes a launching pad for targeted phishing campaigns and social engineering attacks. Corporate credentials can be used to mount Business Email Compromise (BEC) scams, in which attackers impersonate senior executives to trick employees into transferring funds or divulging confidential data. Some of the credentials, such as those for VPN authentication, can provide the initial foothold for a ransomware attack.
Prevention Measures
As the number of compromised credentials grows, so does the risk to members of your organization. Fortunately, some of the most effective measures you can take to limit exposure to this threat are straightforward.
- Consider using a reputable password manager to help users maintain strong, unique credentials.
- Avoid reusing passwords across multiple services, so that the compromise of a single credential doesn't expose all of them.
- Enable Multi-Factor Authentication (MFA) to add another layer of security to logins. While it isn't foolproof, it makes it much harder for attackers to access accounts even if credentials are compromised.
- Do not permit users to install unauthorized browser plug-ins, which can introduce infostealers.
- Continuously monitor login attempts and account activity for signs of suspicious behavior, such as unusual access times or locations, or rapid failed login attempts.
- Conduct regular security awareness training to help employees recognize phishing, social engineering, and other tactics used to steal credentials. This should include simulated phishing exercises to identify which users need extra training.
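The monitoring item above names three signals: unusual access times, unusual locations, and rapid failed login attempts. The following is an added example, not code from the original post or from HALOCK, showing what those three rules look like when run over authentication log lines. The log format, the `SAMPLE_LOG` lines (RFC 5737 test addresses), the `KNOWN_LOCATIONS` baseline and the `detect` function are all constructed for this illustration. It goes slightly beyond the list in one respect: a successful login from an address that has just produced a burst of failures across many different usernames is flagged separately, because in a credential stuffing run that success is the account most likely to have been taken over.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log format for this example (not a real product's format):
#   <ISO-8601 UTC timestamp> user=<name> ip=<addr> geo=<country> result=OK|FAIL
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) geo=(?P<geo>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample authentication log; addresses are from RFC 5737 test ranges.
SAMPLE_LOG = """\
2025-06-20T03:12:45Z user=alice ip=203.0.113.5 geo=DE result=OK
2025-06-20T09:02:11Z user=alice ip=198.51.100.7 geo=US result=OK
2025-06-20T09:15:40Z user=bob ip=198.51.100.9 geo=US result=OK
2025-06-20T11:00:01Z user=alice ip=203.0.113.77 geo=US result=FAIL
2025-06-20T11:00:02Z user=bob ip=203.0.113.77 geo=US result=FAIL
2025-06-20T11:00:03Z user=carol ip=203.0.113.77 geo=US result=FAIL
2025-06-20T11:00:04Z user=dave ip=203.0.113.77 geo=US result=FAIL
2025-06-20T11:00:05Z user=erin ip=203.0.113.77 geo=US result=FAIL
2025-06-20T11:00:06Z user=frank ip=203.0.113.77 geo=US result=OK
"""

# Constructed baseline: countries each user has logged in from before.
KNOWN_LOCATIONS = {"alice": {"US"}, "bob": {"US"}, "frank": {"US"}}


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect(log_text, known_locations, business_hours=(7, 20), burst_n=5, burst_window=60):
    """Return a list of (alert_kind, subject, detail) tuples in event order.

    Rules (thresholds are illustrative, tune them to your own traffic):
      failed_login_burst  - burst_n or more failures from one IP within burst_window seconds
      off_hours_login     - successful login outside business_hours (UTC, half-open range)
      new_location_login  - successful login from a country not in the user's baseline
      success_after_burst - successful login from an IP already flagged for a burst
    """
    events = [e for e in map(parse, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    recent_failures = defaultdict(deque)  # ip -> deque of (timestamp, username)
    flagged_ips = set()

    for e in events:
        if e["result"] == "FAIL":
            q = recent_failures[e["ip"]]
            q.append((e["ts"], e["user"]))
            # Drop failures that have aged out of the sliding window.
            while q and (e["ts"] - q[0][0]).total_seconds() > burst_window:
                q.popleft()
            if len(q) >= burst_n and e["ip"] not in flagged_ips:
                flagged_ips.add(e["ip"])
                distinct_users = len({u for _, u in q})  # many users from one IP = stuffing pattern
                alerts.append(("failed_login_burst", e["ip"], distinct_users))
            continue

        # Remaining checks apply to successful logins only.
        if not (business_hours[0] <= e["ts"].hour < business_hours[1]):
            alerts.append(("off_hours_login", e["user"], e["ts"].isoformat()))
        if e["geo"] not in known_locations.get(e["user"], set()):
            alerts.append(("new_location_login", e["user"], e["geo"]))
        if e["ip"] in flagged_ips:
            alerts.append(("success_after_burst", e["user"], e["ip"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, KNOWN_LOCATIONS):
        print(*alert)
```

On the sample log this raises four alerts: an off-hours login and a new-country login for alice (the same 03:12 event, which is why correlating alerts per user matters), a burst of five failures against five different usernames from 203.0.113.77, and then frank's success from that address, which is the event an analyst should look at first. Keying the burst rule on the source address rather than on the username is deliberate: credential stuffing tries each leaked password once per account, so per-account lockout counters rarely trip.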
Another measure to consider is seeking the guidance of an outside cybersecurity firm with expertise in this area. HALOCK has dedicated personnel who are experienced in protecting against attackers who know how to harvest and exploit credentials at scale. The massive infostealer data leak reported by Cybernews is a stark reminder of the persistent risks that organizations are exposed to every day. Make sure you understand what those risks are and how to protect your business from them.