What Is Credential Harvesting?

The first step in any cyberattack is gaining initial access. And one of the most common and effective methods for breaching an organization’s defenses is by using stolen credentials — the combination of username and password that authorized users employ to access protected systems and data.

Increasingly, cybercriminals are able to gather usernames and passwords en masse in so-called credential harvesting attacks, via email phishing, and other exploits. An attacker may leverage the credentials for their own exploits, trade them on the dark web — or both. Since individuals often reuse the same passwords across platforms, sites, and systems, the bad guys can use these harvested credentials to infiltrate multiple organizations and expand within their networks.

Email security protections and employee awareness training are two of the top ways to stop credential harvesting. Security vendors like Mimecast provide the means to block attackers and their malicious emails before they can reap credentials and do damage.

The Rise of Credential Harvesting

Credentials are abused in a variety of cyber incidents, ranging from web application attacks to advanced persistent threats (APTs) to denial of service (DOS) exploits, according to Verizon’s 2022 Data Breach Investigations Report (DBIR).[1] At one time, payment card data was the most common data exfiltrated in a breach, but credentials have overtaken it.

“Credentials are the favorite data type of criminal actors because they are so useful for masquerading as legitimate users on the system,” according to the DBIR. “Much like the proverbial wolf in sheep’s clothing, their actions appear innocuous until they attack.”

Indeed, stolen or compromised credentials are the most common cause of a data breach, according to IBM’s Cost of a Data Breach Report 2022. Breaches resulting from the unauthorized use of credentials cost companies an average of $4.5 million and have the longest lifecycle, the report said, with companies needing an average of around eight months to identify the infiltration and another 12 weeks to contain it.[2] 

How Credential Harvesting Works

A credential harvesting attack can take any number of forms. Think of any cyberattack vector and chances are it has been used to access valuable usernames and passwords. Attackers may use a phishing attack, sending victims an email with links to bogus websites where users will be fooled into entering their username or password. Alternatively, they can email users a malicious attachment to launch credential stealer malware widely available on the black market (a January 2022 review of two cybercriminal sites revealed 1.5 million compromised credentials were stolen using one such piece of malware[3]). Other harvesting techniques include:

• Man-in-the-middle attacks.
• Zero day attacks and other software vulnerability exploits.
• Malicious insider misconduct.
• Remote desktop protocol (RDP) attacks.
• DNS spoofing.
• Social engineering.

Once inside an organization, threat actors can take advantage of their stealth access to hunt for and harvest credentials. They can root around in private key files, registries, and system administrators’ notes and files, or they can look for credentials that are hardcoded within scripts or applications.[4]

Some cybercriminals will also place what’s called a web shell in an organization’s environment. These web-based applications provide them with the ability to interact with a system longer term, giving them the opportunity to collect additional information.

The Broad Impact of Credential Harvesters’ Attacks

Experts recommend multifactor authentication as a best practice for enterprise security, which would limit the usefulness of credential harvesting. However, the reality is that many accounts are defended only by a single username/password combo, increasing the financial value of credentials to cybercriminals.

An even bigger problem is the fact that many individuals use the same credentials to access multiple systems and web sites, professionally and personally. This persistent issue has impacts for both initial access to company networks and for the internal spread of an attack within a network.

• Initial access: Cyberattacks can use the credentials they harvest to infiltrate not just the organization from which they pilfered them, but many others. These so-called credential stuffing attacks are automated, large-scale initiatives that use stolen credentials to access user accounts on unrelated sites and systems.[5]
• Internal spread: Since a company’s employees may reuse the same password for email, collaboration platforms, and other applications used in their day-to-day work, attackers can utilize stolen credentials to hop from one to another, obtaining increased system privileges, monitoring communications and continuing to probe until they find a rich vein of data to steal or a vulnerability to exploit.

Credential Harvesting Episodes

On their own, credential harvesting attacks may not make headlines. When they are discovered, it’s usually after significant time has passed. But they are often involved at one end or the other of many high-profile cybercrimes. For example: 

• An APT actor with ties to North Korea was linked to a torrent of credential theft campaigns targeting research, education, government, media, and other organizations in North America, Russia, China, and South Korea. In late 2021, the threat actor began sending weekly emails under the names of actual policy experts, luring victims to enter their passwords and usernames on credential harvesting web pages. The ultimate aim was to breach their networks and gather intelligence.[6]
• A leading collaboration platform recently reported a phishing campaign that had targeted more than 10,000 organizations since September 2021. Stealing passwords, hijacking sign-in sessions and bypassing multifactor authentication, the attackers then launched business email compromise campaigns involving fake invoicing.[7]

How to Prevent Credential Harvesting Attacks

Organizations can protect themselves against this multifaceted threat using a layered approach:

• The human element is a vulnerability exploited by credential harvesters. Employees may click on a link and inadvertently enter their username and password on a dubious site, or trusted partners could unknowingly install credential stealing malware on your network. So, awareness initiatives and user behavior training are critical. Leading programs will enable organizations to test employees’ readiness using de-weaponized versions of real-world attacks.
• Because credential harvesting attacks are often initiated via email (with malicious links and attachments or using VIP impersonation, for example), fortifying this digital communication channel is paramount.
• Insiders can also be an avenue for threat actors to gain access to databases of credentials. An insider threat program can automate protection against malicious, compromised, or even careless insiders.

The Bottom Line

While the threat of credential harvesting looms large, there are steps any business can take to mitigate the associated risks. With the right tools and training, organizations can better protect their own credentials as well as fortify their networks against assaults that employ usernames and passwords harvested elsewhere. Read how Mimecast’s email security solutions protect against credential harvesters.

[1] “2022 Data Breach Investigations Report,” Verizon

[2] “Cost of a Data Breach Report 2022,” IBM

[3] “RedLine Stealer Identified as Primary Source of Stolen Credentials on Two Dark Web Markets,” The Record

[4] “Credential Harvesting and Initial Access: What Are They and How Can I Hit Back?”, Infosecurity Magazine

[5] “Credential Stuffing Guidelines,” International Enforcement Cooperation Working Group

[6] “North Korean Hackers Found Behind a Range of Credential Theft Campaigns,” The Hacker News

[7] “From Cookie Theft to BEC,” Microsoft