Email Security

    7 Ways to Protect Against Credential Theft

    Most data breaches are linked to stolen credentials, costing companies millions, so credential theft protection should be a top priority.

    by Stephanie Overby

    Key Points

    • Credential theft is a costly, common, and hard-to-detect cause of data breaches.
    • Credential theft has grown in the remote work era.
    • Cybercriminals use a variety of exploits to steal credentials so companies must use a combination of defenses.

    Most data breaches don’t actually require a clever hack or exploit — just a valid username and password in the wrong hands. Data breaches resulting from credential theft (the most common type) cost companies an average of $4.5 million, according to according to a 2022 report.[1]  

    And they were some of the hardest to neutralize, taking companies an average of eight months to identify and 12 weeks to contain.

    It’s no wonder cybercriminals are keen to get their hands on as many credentials as possible. That’s fueled the rise of credential theft and harvesting attacks, with some involving the pilfering of individual login information and others stealing entire databases of authentication data.

    Large-scale credential harvesting is a form of data exfiltration whereby cybercriminals use email phishing and other exploits to gather usernames and passwords en masse. A credential harvester may then put the purloined credentials to work to steal customer data, listen in on sensitive business communications, or plant ransomware. Or, the attacker may sell the credentials on the dark web. Or both.

    An investment in credential theft or harvesting can deliver outsized returns since many people reuse their passwords across platforms, sites, and systems, giving bad guys the keys to potentially multiple organizations’ networks. Criminals may then engage in credential stuffing, using automated login tools to bombard numerous networks with the same stolen passwords, with the probability that at least some will succeed.

    Credential theft targeting individuals is another tried-and-true approach that has expanded in the remote work era. As more businesses use file-sharing services and videoconferencing applications to collaborate remotely, for example, attackers increasingly reference these sites in malicious emails to evade human detection, luring victims to URLs where they may unwittingly share their business logins. For example, a phishing email might invite the recipient to click on a malicious link to join a meeting, but the URL actually leads to a credential harvesting website.
    Credential thieves take advantage of both human and system vulnerabilities, so fending off credential theft requires a layered approach that addresses weaknesses on both fronts. Mimecast can help companies minimize the risk of credential theft in multiple ways including by securing email (a key modus operandi for credential bandits), by educating employees about the threat and their role in mitigating it, and by deploying machine learning and advanced computer vision algorithms to identify and block malicious URLs used to gather credentials. 

    A Multifaceted Threat…

    Cybercriminals can use any number of cyberattack vectors to access valuable usernames and passwords. Learning how credential theft happens helps understand the multiple methods for counteracting it. 

    Attackers might use a phishing attack, sending victims an email with links to fake websites where users will be fooled into entering their username or password for a seemingly legitimate purpose. Alternatively, they may email users a malicious attachment to launch credential stealer malware widely available on the black market. There are reportedly billions of stolen credentials on the dark web, and credential thieves have used one such piece of malware to acquire many of them.[2] Other techniques that credential harvesters can employ include man-in-the-middle attacks, zero-day attacks and other software vulnerability exploits, remote desktop protocol (RDP) attacks, social engineering, DNS spoofing, or the help of a malicious insider.

    Once inside a network, threat actors can take advantage of their stealth access to hunt for even more credentials. They can dig through private key files, registries and system administrators’ notes and files, or they check for credentials that are hardcoded within scripts or applications.[3]

    …Requires Multifaceted Protection

    Cybercriminals are coming at organizations from all angles in their attempts to amass credentials. So, organizations are best served by taking a layered approach. Seven of the most effective methods to help prevent credential theft include:

    1. Implementing AI-enabled credential theft protection. Machines are harder to fool than humans. Mimecast’s email security and resilience can help stop credential theft at its source. Its sophisticated scanning uses machine learning and advanced computer vision algorithms to detect anomalies in the branding, login, or payment form information that appears in phishing emails and web pages. The analysis is much more precise than that of the human eye, capable of detecting even a single pixel’s difference from a safe web site. Depending on the level of risk calculated, the system either warns users of the potential issue or blocks access to the page. Because it is powered by machine learning, the system gets better at detection over time.
    2. Investing in awareness initiatives and user behavior training. Credential harvesters depend on human weakness as much as system vulnerabilities. Employees may be fooled into clicking on a malicious link and enter their credentials on a dubious site, or trusted contractors could inadvertently install credential stealing malware on your network. Leading programs will enable organizations to test employees’ readiness using de-weaponized versions of real-world attacks. Awareness and training around good password hygiene is also key to keep employees from reusing passwords or leaving credentials unprotected.
    3. Enforcing identity and access management. A high-profile September 2022 attack on a ride-sharing company underscored the importance of setting up adequate privileged access management (PAM). In the case at hand, the hacker is said to have initially accessed the company’s systems using credentials obtained via social engineering.[4] Once inside the company’s intranet, the intruder located access management credentials that were hard coded within PowerShell scripts, granting access to the company’s applications in the cloud. Keeping all privileged accounts protected is critical to prevent this kind of credential harvesting. Rather than allowing the hardcoding of admin passwords, companies can employ password vaults to help users create different passwords for each use, for example, and store and use passwords safely. Granting the least privileges necessary to access network and data assets is another cornerstone of PAM. Security tools can also identify signals such as physical location, device used, or application being accessed, and then apply preset, conditional access policies based on those parameters.
    4. Considering multi-factor authentication (MFA). While multi-factor authentication does not directly prevent the collection of network or application credentials, it can thwart their use. Rather than just requiring a username or password, MFA compels a user to provide one or more additional verification factors (e.g., a code sent by text to a cell phone, answers to personal security questions) in order to access an application, online account, or VPN. However, there is an emerging cybercrime tactic called “MFA fatigue/MFA spam” to factor in when deploying MFA. In this new twist on credential collecting, attackers will flood a user with false MFA verification requests via email, text, or messaging platforms in the hopes that the user will be overwhelmed or annoyed enough to finally (or accidentally) provide the authentication information.[5]
    5. Introducing and enforcing a bring your own device (BYOD) policy. The use of personal devices to perform work creates additional risk of credential theft, particularly if employees have their credentials saved on their cell phones or laptops. Every organization should have a policy outlining security controls and what users can and can’t access from personal devices.
    6. Analyzing user behaviors. Monitoring employee activity can ensure that they handle their credentials and access properly. There are tools available to analyze behavioral patterns and identify abnormal or unexpected actions that may indicate malicious or inadvertent exposure of credentials.
    7. Monitoring for insider threats. Employees, contractors, and partners are all prime targets for threat actors seeking access to entire databases of credentials. Most attacks (credential harvesting or otherwise) only begin from the outside. Once attackers are in, they often seek to expand their access using a compromised email account or remote access malware. One tactic is to send an internal email as an employee to spread the attack laterally within the organization or even to external contacts. More than a quarter (27%) of security professionals interviewed for Mimecast’s State of Email Security 2022 report said they had been hit by an attack that spread from an infected user to other employees using stolen credentials. An insider threat program can automate protection against malicious, compromised, or even careless insiders.

    The Bottom Line 

    Going in the front door is easier than the back door, so the market for stolen credentials is unlikely to cool anytime soon. Companies that take advantage of the full suite of advanced protections and training available will be best equipped to battle this persistent threat. Read more about how Mimecast’s AI-powered detection, security awareness training, and insider threat program can help.


    [1]Cost of a Data Breach Report 2022,” IBM

    [2]  “RedLine Stealer Identified as Primary Source of Stolen Credentials on Two Dark Web Markets,” The Record

    [3]Credential Harvesting and Initial Access: What Are They and How Can I Hit Back?”, Infosecurity Magazine

    [4]Uber apparently hacked by teen, employees thought it was a joke,” The Verge

    [5]MFA Fatigue: Hackers’ new favorite tactic in high-profile breaches,” BleepingComputer

    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Haut de la page