
Be it personal or professional, it's now an ordinary fact of life that people own dozens of different online accounts. From the essential to the mundane, every facet of our lives can be linked to a service that's probably tethered to its users by an account name and password.
For cybercriminals, those account names and passwords -- commonly referred to as credentials -- serve as the keys to an endless number of kingdoms. Credentials are a core enabler of cybercriminals' ability to establish and perpetuate their operations; without a foot in the door, they would have to work remarkably harder to carry out their crimes successfully. At Intel 471, we've observed how cybercriminals use stolen credentials either to make money directly or in attacks where monetization occurs further downstream. It's a pattern of behavior that is a hallmark of the underground.
The use of compromised or stolen credentials to seize legitimate accounts, also known as account takeover, is fueled by two distinct activities: credential harvesting and the use of software tools that ultimately hijack accounts. Credential harvesting is most often done with information stealers, malware that skims username and password information by injecting scripts into common web tools used on retail and other e-commerce platforms. Information stealers also allow for social engineering through phishing attacks that contain malicious files or links. Additionally, actors in the underground have created account-checking and brute-force tools that give criminals of every skill level the ability to crack open accounts in all corners of the internet. Actors also share configurations for these brute-force tools that target specific types of services, including e-commerce payment platforms, online banking, social media and others.
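As an added illustration (not Intel 471's code or product logic), the following Python flags the two traces that the account-checking and brute-force tools described above leave in a web application's login log: one source cycling through many usernames with almost every attempt failing, and one account being probed from many sources. The log lines, IP addresses and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry): "<ISO time> <source IP> <username> <result>"
SAMPLE_LOG = """\
2021-03-02T10:00:01 203.0.113.7 alice LOGIN_FAIL
2021-03-02T10:00:02 203.0.113.7 bob LOGIN_FAIL
2021-03-02T10:00:03 203.0.113.7 carol LOGIN_OK
2021-03-02T10:00:04 203.0.113.7 dave LOGIN_FAIL
2021-03-02T10:00:05 203.0.113.7 erin LOGIN_FAIL
2021-03-02T10:01:20 198.51.100.9 alice LOGIN_OK
2021-03-02T10:10:00 192.0.2.11 frank LOGIN_FAIL
2021-03-02T10:20:00 192.0.2.12 frank LOGIN_FAIL
2021-03-02T10:30:00 192.0.2.13 frank LOGIN_FAIL
"""

def parse(text):
    """Parse lines into time-ordered (datetime, ip, user, succeeded) tuples."""
    return sorted((datetime.fromisoformat(t), ip, u, r == "LOGIN_OK")
                  for t, ip, u, r in (line.split() for line in text.splitlines()))

def flag_sources(events, window=timedelta(minutes=5), min_users=5, max_success=0.2):
    """Checker-tool signature: one source, many accounts, nearly all failing -> {ip: (users, rate)}."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():          # attempts stay time-ordered
        for i, (start, _, _) in enumerate(attempts):
            span = [a for a in attempts[i:] if a[0] - start <= window]
            users = {u for _, u, _ in span}
            rate = sum(ok for _, _, ok in span) / len(span)
            if len(users) >= min_users and rate <= max_success:
                flagged[ip] = (len(users), round(rate, 2))
                break
    return flagged

def flag_accounts(events, window=timedelta(hours=1), min_ips=3):
    """Distributed signature: one account probed from many sources (proxy pool) -> {user: ips}."""
    by_user = defaultdict(list)
    for ts, ip, user, _ in events:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, attempts in by_user.items():
        for i, (start, _) in enumerate(attempts):
            ips = {ip for ts, ip in attempts[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                flagged[user] = len(ips)
                break
    return flagged
```

Tune the thresholds to the application's normal traffic; a single shared NAT address can legitimately present several users, so the failure rate, not the user count alone, is what separates a checker from an office.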
Actors who use account takeovers as a way to make money have several different ways to cash out on their ill-gotten gains. Intel 471 has observed four distinct methods that are popular on the cybercrime underground: online banking fraud, fraudulent travel services, gift card fraud, and credential marketplaces. Our team has tracked a multitude of instances for each of these methods, including:
While credentials tied to accounts that directly hold monetary value will always be worth something in the cybercriminal underground, credentials tied to back-end interfaces that control websites, cloud instances or other business-essential services are an even more sought-after and lucrative commodity.
Intel 471 has seen a vast amount of activity around this type of transaction. Some of the instances we've observed include:
As Intel 471 has stated before, a key cog in the cybercriminal underground is the interdependency between those who specialize in selling credentials and those looking to launch ransomware attacks. The astronomical growth in ransom payments in 2020 has helped access merchants put a premium on their services. In years past, a large ransom payout would earn attackers somewhere between five- and six-figure sums. Now, it's becoming increasingly common for attackers to demand seven- and eight-figure ransoms, partly due to the need to pay off actors that have helped them obtain access to the victim's system.
Instances show that anywhere from one week to six months after access is obtained and advertised, other known actors on various underground forums look to use or purchase that access to launch ransomware attacks. The targets run the gamut of regions and economic sectors, with the pattern playing out in ransomware attacks on every continent.
In January, Intel 471 observed an actor on a popular cybercrime forum looking to cooperate with network access brokers, offering a 20 percent cut from each successful ransomware attack. The actor allegedly preferred targeting entities based in Australia, Canada and the U.S. with an annual revenue of at least US $150 million. Once given credentials, the actor conducts multistage network attacks that include reconnaissance, privilege escalation, moving laterally, exfiltrating data and deploying ransomware.
Compromised credentials are a massive problem that often extends conversations about security beyond the posture of third-party vendors. With Intel 471's Credential Intelligence feature, it's now possible to gain coverage over this aspect of the cybercrime underground.
You can now monitor the credentials that are most important to your organization including those tied to your suppliers or vendors. With credential intelligence built into the Titan platform, your organization can now mitigate the risk of compromised credentials and proactively monitor for newly compromised credentials.