
    Credential Theft Phishing: Its Rise, Risks, and Solutions

    Credential theft is rampant and dangerous—but you can protect your organization and users by taking steps to stop email phishing attacks and password reuse. 

    by Bill Camarda

    Key Points

    • Credential theft continues at extremely high levels as malicious actors take advantage of users’ top concerns, such as the COVID-19 pandemic.
    • Password reuse makes it easy for criminals to leverage stolen credentials on additional sites and within your network—potentially victimizing users and organizations.
    • Awareness training and technical countermeasures can work together to reduce your risks.

    Credential theft via email phishing has become a distressingly widespread problem—and is being exacerbated by the disruptions caused by the COVID-19 pandemic. Because users often reuse credentials across multiple sites, stolen credentials can be used to break into corporate email systems or other assets, placing both individuals and organizations at growing risk. According to Verizon’s 2019 Data Breach Investigations Report[1], 29% of corporate security breaches involve the use of stolen credentials.

    COVID-19 Spoofed Sites and Email Scams

    The COVID-19 pandemic triggered a wave of credential phishing attacks that prey on users’ anxieties and need for information. Part of the reason is that such phishing attacks can be launched at relatively low cost and effort, compared with more complex malware exploits—so as long as they are effective, attackers will use them.

    In spring 2020, Mimecast saw massive growth in coronavirus-themed spoofed websites focused on up-to-the-minute user concerns about infection protection and testing, financial assistance for the unemployed, changes in tax deadlines and rules, and the status of IRS economic impact payments. Email phishing scams driving people towards such fake websites also grew rapidly.

    In addition, Mimecast saw over 500 suspicious domains impersonating Netflix and other streaming media sites, including Disney+, Amazon Prime Video, and YouTube TV. Often, such sites request credit card information, but they may also request crucial personal identification such as social security numbers or install malware that seeks to harvest end-user credentials.

    In many cases, these fake websites ask individuals to enter their pre-existing “official” login details, or offer them a free subscription if they create a new account and log in. These credentials can then be sold or used to access other systems. As Thom Bailey, Sr. Director, Product/Strategy at Mimecast noted: “Unfortunately, people often use the same usernames and/or passwords across different sites—so they may use the same credentials for business or personal logins.”

    The Risks of Password Reuse

    A Google/Harris 2019[2] survey found that 52% of respondents reuse the same password for multiple accounts, and another 13% use the same password for all their accounts.

    This obviously creates risk for the individual: cybercriminals can attempt to break into users’ financial websites by using the same password, user ID, and related combinations. But it also creates serious risk for your organization. Cybercriminals may log onto your company’s email servers or other systems using stolen credentials that appear legitimate, thereby evading many of your conventional defenses. Moreover, if you operate public-facing e-commerce or financial services sites, criminals with legitimate credentials can make fraudulent transactions, which is both a financial and reputational risk.

    Even if users carefully avoid spoofed websites and email phishing attacks, indiscriminate password reuse still increases risk, due to the massive credential thefts associated with major data breaches. When hackers steal and share email/password pairs from any site, they can run credential stuffing attacks to discover where else those pairs (or similar combinations) might also work. To support such attacks, large databases of stolen credentials continue to be sold on the dark web or other venues such as Discord. For example, over a half-million Zoom account credentials were available for purchase in April 2020, according to media reports.[3]

    What You Can Do About Credential Theft

    Security awareness training is a key element of the basic “blocking and tackling” that organizations need to protect people and assets against credential theft. Most cybersecurity executives recognize the growing sophistication of email scams, email phishing, and spoofing attacks aimed at stealing credentials. But ordinary users—who have their own worries, responsibilities, and distractions, particularly when working at home—need to be reminded regularly.

    Of course, even “aware” employees can benefit from technological support to resist email scams, phishing, and other forms of social engineering. These technical measures could include:

    • Email security services that flag malicious websites and prevent users from accessing them
    • Scans of email headers and content to quarantine fraudulent messages, discard them, or warn users about their danger
    • Wider use of multifactor authentication, so a criminal can’t enter your network with user ID and password alone
    • Password vaults to help individuals create a different password for each account, and store and use those passwords safely
    • Screening tools to check new or existing passwords against updated master lists of weak or compromised passwords, and “fuzzy logic” tools to prevent users from slightly updating their passwords in ways that are easy to guess
    • Limiting password login attempts (but be aware that criminals can use botnets to make it appear that attempts are coming from different locations)
    • Moving away from passwords altogether[4], as biometrics and technologies like the WebAuthn authentication standard begin making password-free authentication more practical
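    The two screening measures in the list above (checking proposed passwords against a list of compromised passwords, and a “fuzzy” check that rejects trivial edits of the previous password) can be combined in a single password-change gate. The following is an added illustration, not Mimecast code: the compromised-password list is a small constructed set of SHA-1 hashes, and the range lookup simulates the k-anonymity style query in which only a 5-character hash prefix leaves the client and the full hash is matched locally.

```python
import hashlib
import re
from difflib import SequenceMatcher
from typing import Optional, Tuple

# Constructed sample standing in for a breach corpus: SHA-1 hashes of a few
# known-compromised passwords. A real deployment would query a large external
# list, but the prefix/suffix matching below is the same.
COMPROMISED = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "Summer2020!", "letmein", "qwerty123")
}


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the SHA-1 of a password into its 5-char prefix and the remainder."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_lookup(prefix: str):
    """Server side of a k-anonymity range query: every stored suffix whose
    full hash begins with the 5-char prefix. The client never sends the
    full hash, so the server cannot learn which password was checked."""
    return {h[5:] for h in COMPROMISED if h.startswith(prefix)}


def is_compromised(password: str) -> bool:
    prefix, suffix = sha1_prefix_suffix(password)
    return suffix in range_lookup(prefix)


def normalize(password: str) -> str:
    """Drop trailing digits/punctuation and lower-case, so that
    'Summer2020!' and 'Summer2021!' reduce to the same stem 'summer'."""
    return re.sub(r"[\d\W_]+$", "", password).lower()


def too_similar(new: str, old: str, threshold: float = 0.8) -> bool:
    """Fuzzy check: reject a new password that is a trivial edit of the old one
    (same stem with a bumped number, or a high character-level similarity)."""
    if normalize(new) == normalize(old):
        return True
    return SequenceMatcher(None, new.lower(), old.lower()).ratio() >= threshold


def screen_password(new: str, old: Optional[str] = None) -> Tuple[bool, str]:
    """Gate a proposed password; returns (accepted, reason)."""
    if is_compromised(new):
        return False, "appears in compromised-password list"
    if old is not None and too_similar(new, old):
        return False, "too similar to previous password"
    return True, "ok"
```

    Storing only hashes and comparing a prefix-selected range is what lets the check run against a shared breach list without disclosing the candidate password to the lookup service.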

    The Bottom Line

    Criminals attack where it’s easiest, and where users and organizations are more vulnerable. That often involves email phishing and spoofed websites to obtain credentials that can be used to access corporate systems. To reduce your risk, utilize a layered approach combining awareness training with technical countermeasures.

    [1] 2019 Data Breach Investigations Report, Verizon

    [2] Online Security Survey, Google / Harris Poll, Google

    [3] Stolen Zoom Credentials: Hackers Sell Cheap Access, Bank Info Security

    [4] Bye Bye Passwords: New Ways to Authenticate, SANS
