Credential Harvesting: It’s More Than Just Phishing and More Common Than Ever

Last Updated on September 2, 2021

According to the 2017 Verizon Data Breach Investigations Report, over 80% of hacking-related data breaches were the direct result of weak or stolen passwords. Hackers have long known that the easiest way to nab sensitive data is to obtain legitimate access credentials—and the easiest way to get access credentials is to fool users into giving them up.

This is credential harvesting.

What is Credential Harvesting?

Also known as password harvesting, it is related to phishing but uses different tactics and is not the same thing. But, as with phishing, credential harvesting attacks are constantly morphing and always on the rise.

Credential harvesting takes many forms, of which “classic” email phishing armed with links to bogus websites or malicious attachments is just one. Any or all of social engineering techniques, digital scamming and malware may be used to steal credentials. 

Credential Harvesting Attacks Are on the Rise

For example, an ingenious recent malware-as-a-service campaign uses a phishing email with a weaponized Microsoft Word document. Opening the Word doc runs a macro that downloads credential-harvesting malware. Targets don’t even know their credentials were stolen. 

The recent Reddit breach also started with password harvesting: in this case, it was two-factor authentication verification codes sent via SMS text messages (which can be hijacked at the network level). Once inside Reddit’s system, the hacker scampered off with, you guessed it, email addresses and account passwords, along with other user data. These credentials can be fed to botnets to bombard websites, or leveraged in more targeted credential harvesting campaigns.

Another major breach in recent days at UnityPoint Health in Iowa was facilitated by harvested credentials. Highly credible phishing emails, made to look like they came from a senior company executive, successfully duped multiple employees into sharing their email login credentials. This gave the hackers access to inboxes full of confidential emails and attachments, including protected health information, operational reports and more.

To cite just one more of a litany of recent breaches that begin and end with password harvesting, the UK’s National Cyber Security Centre is alerting multiple industries to a “widespread phishing campaign” powered by stolen credentials from vendors and other supply chain partners. The emails direct recipients to cloned login pages for popular services like OneDrive and Office365, from which the hackers harvest login data. This can be monetized in various ways; e.g., by accessing valuable data, raiding financial accounts or selling stolen data on the Dark Web.

What You Can Do

How can organizations address this pivotal cybersecurity problem? Cyber Liability Insurance (CLI) provider Chubb says: “After inventorying 10 years of Chubb cyber claims data in 2015, we found two key issues at the center of many claims: employee training and password management.” 

In other words, having solid cybersecurity awareness training and best-practice password management, along with (app-based/non-SMS) 2FA, are the best ways to turn a so-called “people problem” into a strength—to ensure that your users’ credentials aren’t used against you. 

Pivot Point Security is a one-stop shop for customized, online security awareness education, identity and access management (IAM) services and solutions, and whatever support you may need to reduce risk and protect your business. Contact us to talk with an expert about your InfoSec goals and concerns.

For more information, here are answers to some frequently asked questions:

What is credential harvesting?

Credential harvesting is the gathering of compromised user credentials (usernames and passwords).  Malicious individuals can find this information on sites like pastebin or on the dark web where compromised credentials are widely shared by malicious persons to gain access to sensitive data.

What does a credential harvesting attack look like?

Credential harvesting attacks can take many forms, depending on what credentials were compromised and how the hacker intends to monetize them. The most common attack uses “credential stuffing” to try to use the compromised username/password combination on thousands of popular websites. So, if you are using the same username/password on a compromised site as you are for online banking, the attack could give the hackers access to your money. Credentials are also used in many other social engineering attacks

Is credential harvesting phishing, or something different?

Credential harvesting is often seen as equivalent to phishing. In fact, credential harvesting can use a wide range of tactics besides phishing, such as social engineering techniques, malware, weaponized documents/attachments, and digital skimming via compromised third-party code in otherwise legitimate sites. Attacks that “sniff” or siphon network packets can also be used to steal credentials.

How can I prevent a credential harvesting attack?

Steps to reduce your risk from credential harvesting attack include anti-phishing training, using multi-factor authentication (MFA) wherever possible, applying application security best practices to detect malware injections and block skimming attacks via third-party web scripts and plug-ins, and using machine learning to enforce risk-based access control based on analysis of user behavior.