

According to the 2017 Verizon Data Breach Investigations Report, over 80% of hacking-related data breaches were the direct result of weak or stolen passwords. Hackers have long known that the easiest way to nab sensitive data is to obtain legitimate access credentials—and the easiest way to get access credentials is to fool users into giving them up.

This is credential harvesting.

What is Credential Harvesting?

Also known as password harvesting, credential harvesting is related to phishing but is not the same thing: it draws on a broader set of tactics. As with phishing, though, credential harvesting attacks are constantly morphing and always on the rise.

Credential harvesting takes many forms, of which “classic” email phishing armed with links to bogus websites or malicious attachments is just one. Social engineering techniques, digital scamming and malware may be used singly or in combination to steal credentials.

Credential Harvesting Attacks Are on the Rise

For example, an ingenious recent malware-as-a-service campaign uses a phishing email with a weaponized Microsoft Word document. Opening the Word doc runs a macro that downloads credential-harvesting malware. Targets don’t even know their credentials were stolen. 

The recent Reddit breach also started with password harvesting: in this case, it was two-factor authentication verification codes sent via SMS text messages (which can be hijacked at the network level). Once inside Reddit’s system, the hacker scampered off with, you guessed it, email addresses and account passwords, along with other user data. These credentials can be fed to botnets to bombard websites, or leveraged in more targeted credential harvesting campaigns.

Another major breach in recent days at UnityPoint Health in Iowa was facilitated by harvested credentials. Highly credible phishing emails, made to look like they came from a senior company executive, successfully duped multiple employees into sharing their email login credentials. This gave the hackers access to inboxes full of confidential emails and attachments, including protected health information, operational reports and more.

To cite just one more of a litany of recent breaches that begin and end with password harvesting, the UK’s National Cyber Security Centre is alerting multiple industries to a “widespread phishing campaign” powered by stolen credentials from vendors and other supply chain partners. The emails direct recipients to cloned login pages for popular services like OneDrive and Office365, from which the hackers harvest login data. This can be monetized in various ways; e.g., by accessing valuable data, raiding financial accounts or selling stolen data on the Dark Web.

What You Can Do

How can organizations address this pivotal cybersecurity problem? Cyber Liability Insurance (CLI) provider Chubb says: “After inventorying 10 years of Chubb cyber claims data in 2015, we found two key issues at the center of many claims: employee training and password management.” 

In other words, solid cybersecurity awareness training and best-practice password management, along with app-based (non-SMS) 2FA, are the best ways to turn a so-called “people problem” into a strength—to ensure that your users’ credentials aren’t used against you.

Pivot Point Security is a one-stop shop for customized, online security awareness education, identity and access management (IAM) services and solutions, and whatever support you may need to reduce risk and protect your business. Contact us to talk with an expert about your InfoSec goals and concerns.
