Credential theft has been a cyber-criminal staple since the early days of computing. While there have been fewer cases in the US over the past year, according to data from Blueliv we have seen a 39% spike in Europe. This massive rise should be alarming to businesses that operate in Europe, because it only takes the theft of a single credential for an attacker to wreak havoc on a company. While the particular reasons for this increase are still murky, we do have a deep understanding of credential theft in a more general sense.

Why are credentials stolen?

Like many things in the world, the motive is often money. Once a threat actor has their hands on someone’s credentials, they can gain access to their professional and personal accounts. An attacker may deliberately target certain businesses or people, but often credential theft is opportunistic and the victims tend to be those who were easiest to steal from.

Attackers have a range of opportunities to make money once they have someone’s credentials in their hands. If they are targeting an individual, they can steal their identity, drain their bank accounts, blackmail them and much more. In the case of businesses, they can use their access to steal valuable data, orchestrate fraudulent transactions, commit extortion and a host of other crimes.

In most situations, the attackers are likely to be money-motivated cyber criminals, but certain industries such as government, military and technology may also face threats from nation states. In these cases, sophisticated hacking groups may steal credentials in order to commit cyber terrorism or espionage, or to steal intellectual property.

Who is likely to be targeted?

Anyone can have their credentials stolen, because just about all of us have something worthwhile to steal, whether it is information, money or access. The more of these things that a person has, the more likely they are to be a target. This is particularly true for high-net-worth people, those who deal with sensitive and valuable information, or those with administrative privileges. These individuals need to be wary of their increased risk and take the appropriate precautionary measures.

Some people may get complacent and think that they aren’t important enough to be targeted. This is a dangerous attitude, because even someone with no money can have their identity stolen and have thousands of dollars of fraud committed in their name. Those who only have low levels of system access can also be used by attackers to leverage their way up. This is why everyone needs to be wary of credential theft and take precautions that are commensurate with their risk profile.

How much are credentials worth?

Sometimes hackers use the credentials themselves, but often they are stolen en masse and sold on the darknet. Their value depends on how common, how recent and how useful the credentials are. In February, Top10VPN accessed three of the leading darknet marketplaces and averaged the going rate for various sets of credentials.

They found that credentials for PayPal accounts with a reasonable balance were selling for an average of $247, with online banking details, debit card details and credit reports averaging $160, $67 and $35 respectively. Access to online shopping accounts ranged from $15.00 (Macy’s) to under $2 (FreshDirect), while social media logins varied from $5 (Facebook) to just over $1 (Instagram), and email logins went from just over $4 (AOL) to just over $1 (Gmail).

These figures show just how cheap it can be for a criminal to access someone’s accounts, which they can then use to blackmail victims, steal their identities or take their money. Attackers don’t even need any of their own technical skills, because they can just go to these darknet marketplaces and buy the credentials for a few dollars.

How are credentials stolen?

Credentials can be stolen in a number of different ways. These include phishing and spear phishing campaigns that trick the victims into handing over their passwords, attacks that make their way into company databases and steal huge quantities of user credentials, and brute forcing of passwords.

In the case of a database breach, criminals tend to use bots to validate large numbers of credentials and make sure that they work. They use malware to build networks of devices that can automatically attempt to log in to the accounts for them. This makes it easy for attackers to sort through the credentials and determine which ones can gain access. The attackers can then either use the credentials themselves or sell them on the darknet.

What can be done to combat credential theft?

It’s terrifying to learn just how easy it is for criminals to steal and use your credentials. The good news is that it’s relatively easy for organizations and individuals to significantly reduce the risks they face. There are several key aspects that can make dramatic differences:

Better password security

One of the biggest issues is that people and organizations have a lot of bad habits when it comes to passwords. It’s not necessarily their fault, because for years the general advice made passwords easy for computers to guess, but difficult for people to remember, such as changing your password every 30 days and including symbols.

Thankfully, a more effective approach has begun to gain ground, as evidenced by the 2017 NIST Digital Identity Guidelines. These recommendations include using much longer passwords that are harder for programs to crack, but relatively easy for people to remember.

Rather than using something like ba5eBa11%, which can be easy for people to mix up, it is better to take a series of unrelated words to form a password that is 25 or more characters long. By using a random word generator, people can come up with something like breadaislestudyshoutchart.

These passwords can be much simpler to remember because there are no strangely placed symbols, and users can form mental pictures for each of the words. The long string of characters gives the password significantly more entropy, which makes it harder for a hacker to brute force it.
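The entropy claim can be made concrete. The sketch below is an added example, not code from the original article: it draws words with a cryptographically secure generator and estimates strength two ways. The demo word list is constructed, and the 7,776-word list size (the Diceware list size) is an assumption used for the estimate.

```python
import math
import secrets

# Constructed demo list; a real generator would load a list of thousands of words.
DEMO_WORDS = ["bread", "aisle", "study", "shout", "chart", "plant",
              "river", "couch", "flame", "orbit", "music", "train"]

def charset_entropy_bits(length, alphabet_size):
    """Upper bound: every character chosen uniformly and independently."""
    return length * math.log2(alphabet_size)

def passphrase_entropy_bits(num_words, wordlist_size):
    """Strength when the attacker knows the word list and guesses whole words."""
    return num_words * math.log2(wordlist_size)

def generate_passphrase(wordlist, min_words=5, min_length=25):
    """Pick words with a CSPRNG, adding words until the length target is met."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("word list contains duplicates")
    words = [secrets.choice(wordlist) for _ in range(min_words)]
    while sum(map(len, words)) < min_length:
        words.append(secrets.choice(wordlist))
    return words

if __name__ == "__main__":
    print("".join(generate_passphrase(DEMO_WORDS)))
    # 9 characters from the 95 printable ASCII symbols, if truly random.
    print(round(charset_entropy_bits(9, 95), 1))
    # 25 lowercase letters counted character by character.
    print(round(charset_entropy_bits(25, 26), 1))
    # 5 words from an assumed 7,776-word list, counted word by word.
    print(round(passphrase_entropy_bits(5, 7776), 1))
```

The per-character figure overstates a passphrase's strength; the word-based figure is the one to rely on, and it holds only when the words are chosen randomly rather than by the user. Likewise, the 95-symbol figure is an upper bound for a password such as ba5eBa11%, which is a dictionary word with substitutions rather than nine random characters.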

On top of developing better passwords, users also need to be using different passwords for each of their accounts. This prevents hackers from being able to access everything once they gain access to a single account. The best way to manage such a large volume of unique passwords is to use a password manager such as KeePass.

Another important aspect of password security is to incorporate 2-factor authentication wherever possible. If an account requires a code that is sent to the user’s mobile phone, or a physical token which they hold, it makes it significantly more difficult for an attacker to gain access with stolen credentials. These extra steps form a huge hurdle, which only the most determined and well-resourced attackers can afford to surmount.

Carefully consider your security software

Website owners, organizations and individuals all need to make sure that they are aware of the security strengths and weaknesses of any software that they use. The right combination can help to prevent certain attacks, provide alerts for suspicious activity and detect threats early on.

Each individual situation will have its own risk profile and security budget, so there is no one-size-fits-all approach, but important security components can range from firewalls to next-generation threat detection that uses machine learning.

A website vulnerability scanner such as Acunetix is another key tool in the site owner’s belt. It can be used to scan websites for vulnerabilities as well as prioritize and control threats. A well-tuned vulnerability scanner can help to discover threats before it’s too late. Early detection can help you to minimize or eliminate certain threats before they have had a chance to affect any of your resources.

A cohesive approach

Minimizing the risk of credential theft requires a multi-pronged strategy. Whether it is for an individual or an organization, effective password management, the right security tools and a solid framework for how threats are approached need to be in place.

Businesses need to make sure that they have an overarching security policy in place, alongside comprehensive employee training to ensure that the policy is followed. Individuals need to increase their security awareness and take a cautious approach whenever they are skeptical or uncertain. By combining these tactics, the risks of credential theft can be significantly reduced, which minimizes the chances of you or your business suffering the devastating consequences.

Josh Lake
Cyber Security Writer
Josh Lake is a writer who focuses on the intersections between technology, privacy and security. His work helps companies and individuals get the most out of technological developments, without having to sacrifice their civil liberties or open themselves up to the ever-increasing threats of cybercrime.