7/8/2020
Study Finds 15 Billion Stolen, Exposed Credentials in Criminal Markets

Data is fueling account takeover attacks in a big way, Digital Shadows says.

Cybercriminals looking to hijack online accounts belonging to consumers and organizations have an almost unlimited supply of stolen and exposed credentials they can use to try and facilitate the takeover.

New research by Digital Shadows uncovered a stunning 15 billion credentials circulating on the Dark Web and in underground marketplaces. The compromised credentials from over 100,000 breaches in recent years were associated with a wide range of accounts, including domain administrator accounts, bank and financial accounts, and social media and video-streaming service accounts.

Prices in criminal marketplaces for these credentials ranged from an average of $3,139 for domain admin accounts to $70.91 for bank accounts, $21.67 for account access for antivirus programs, and less than $10 for credentials to adult sites. Usernames and passwords for video game accounts and file-sharing sites were available for less than $2 a pop.

Credentials to high-value accounts — such as bank accounts confirmed to have a certain amount of funds or accounts with privileged access to large enterprise networks and systems — tended to fetch much higher prices. Researchers from Digital Shadows came across dozens of advertisements on underground forums for admin accounts being auctioned to bidders at prices ranging from $500 to $120,000. Many of these premium credentials had usernames — such as "invoice," "invoices," "payments," and "partners" — that suggested they were associated with financial accounts.  

"The cost of accounts can vary on their quality," says Kacey Clark, threat researcher at Digital Shadows. "Vetted, active credentials for a tried-and-tested bank account that include the victim's personal information will be more expensive than a bulk pack of streaming accounts that may or may not be active."

Overall, 25% of the ads for stolen and leaked credentials that Digital Shadows researchers encountered were for banking and other financial accounts. Other popular categories — based on the number of ads for them — included streaming accounts, proxy/VPN accounts, and cable.

"One of the main takeaways from this report [is] the sheer scale of account takeover on the cybercriminal landscape," Clark says. "Cybercriminals target the obvious gold mines of financial or internal company accounts, but they also see value in things like streaming or antivirus accounts."

Online credential theft has emerged as a major problem for consumers and businesses in recent years. Criminals have employed a variety of tactics including phishing botnets, credential stuffing, and brute-force techniques to harvest credentials to online accounts. They have then sold or used the stolen credentials to carry out a variety of malicious activity, from initiating fraudulent wire transfers from business accounts to gaining free access to streaming and gaming services. 

Mega Breaches, Mega Problems
Recent years have witnessed numerous mega breaches in which tens and even hundreds of millions of credentials belonging to Internet users were compromised. Among the most notable were the two breaches at Yahoo, which exposed 500 million and 3 billion accounts respectively, and one at Facebook in 2019 involving over 260 million records.

The threat from these breaches has been exacerbated by the tendency of a high percentage of Internet users to reuse the same, often easy-to-guess, passwords across multiple accounts. Tools such as Sentry MBA and OpenBullet have also made it easy for cybercriminals to quickly test millions of username and password combinations against a site to see whether any of them match, Clark says. So attackers can use credentials obtained from one breach to try to crack open accounts elsewhere.
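The defender's view of a credential-stuffing run looks different from a single user mistyping a password: one source tries many distinct usernames in a short window, most attempts fail, and any success inside that run is an account whose reused password was in the attacker's list. The following is an added example (not from the Digital Shadows report or this article) of that detection logic run over constructed authentication log lines; the log format, the 5-minute window, and the five-username threshold are assumptions to adapt to your own identity provider.

```python
"""Flag credential-stuffing sources in authentication logs.

Added example, not code from Digital Shadows or Dark Reading. The log line
shape, thresholds and sample events below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re
from typing import Dict, List

# Assumed log format (constructed); adjust LOG_RE to your IdP's real format.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) auth (?P<result>ok|fail) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample: 203.0.113.7 sprays six accounts and gets one hit (erin),
# while 198.51.100.22 is one user who mistypes twice and then logs in.
SAMPLE_LOG = """\
2020-07-08T17:50:01 auth fail user=alice ip=203.0.113.7
2020-07-08T17:50:03 auth fail user=bob ip=203.0.113.7
2020-07-08T17:50:04 auth fail user=carol ip=203.0.113.7
2020-07-08T17:50:06 auth ok user=erin ip=203.0.113.7
2020-07-08T17:50:07 auth fail user=dave ip=203.0.113.7
2020-07-08T17:50:09 auth fail user=frank ip=203.0.113.7
2020-07-08T17:51:10 auth fail user=alice ip=198.51.100.22
2020-07-08T17:51:20 auth fail user=alice ip=198.51.100.22
2020-07-08T17:51:35 auth ok user=alice ip=198.51.100.22
"""


def parse_log(text: str) -> List[dict]:
    """Turn raw lines into events; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect_stuffing(events: List[dict],
                    window: timedelta = timedelta(minutes=5),
                    min_users: int = 5) -> Dict[str, dict]:
    """Return findings for each source IP that attempted at least `min_users`
    distinct usernames within `window`. 'hits' lists the accounts that
    succeeded inside the run: those are the ones to lock and reset first."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    findings: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs)):
            # Every event within `window` of event i (sliding window start).
            run = [e for e in evs[i:] if e["ts"] - evs[i]["ts"] <= window]
            users = {e["user"] for e in run}
            if len(users) < min_users:
                continue
            findings[ip] = {
                "distinct_users": len(users),
                "failures": sum(e["result"] == "fail" for e in run),
                "hits": sorted({e["user"] for e in run if e["result"] == "ok"}),
            }
            break  # one finding per source is enough to raise an alert
    return findings


if __name__ == "__main__":
    for ip, finding in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"credential stuffing from {ip}: {finding}")
```

The distinct-username count is the discriminating feature: a brute-force attack against one account or a legitimate user's typos both show repeated failures, but only stuffing fans out across many accounts from one source. In production the same logic would also key on user-agent and on the fraction of usernames that do not exist at all.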

Digital Shadows' research found the number of compromised credentials available to cybercriminals via criminal forums and marketplaces surged 300% from 2018. The vendor estimated that of the 15 billion credentials currently floating about, some 5 billion are unique, meaning they have been advertised just once on criminal forums.

One trend that Digital Shadows observed was a continued increase in the number of marketplaces renting access to compromised accounts for criminals not interested in purchasing or harvesting their own credentials. The security vendor first identified the practice in 2018.

"Account-takeover-as-a-service [ATaaS] can significantly lower the barrier to entry for cybercriminals," Clark says. Just like phishing- and malware-as-a-service, ATaaS gives cybercriminals the ability to rent a digital identity to access specific accounts. "The identity can include fingerprint data, including cookies, IP addresses, credentials, and time zones," she says.

Criminal markets, going by names such as Genesis Market, UnderWorld Market, and Tenebris, give criminals the option of renting access to different account types, including e-commerce, streaming, and social media, sometimes for prices as little as $10 for a specific period.

"These services perform the account takeover operations by using a multitude of tactics" and then rent out access to the compromised account, Clark notes. The ATaaS model is so popular that attackers on underground forums are often desperate to get invitations to these markets, Digital Shadows says.

Organizations can take multiple measures to mitigate their exposure to account-takeover attacks. Among them are monitoring for leaked employee credentials via sites such as HaveIBeenPwned and watching criminal forums for mentions of the organization or brand, Digital Shadows says. It's also a good idea to monitor code repositories for exposed credentials and to watch for leaked customer credentials, the vendor adds.

In addition, implementing requirements for strong passwords is advised, Clark says. "Adding a security layer with multifactor authentication can significantly reduce the likelihood of your account being abused by cybercriminals," she says.
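One concrete way to act on the advice above, checking employee (or new-signup) passwords against breach corpora without sending the password anywhere, is Have I Been Pwned's Pwned Passwords range API, which the article mentions only by site name. The code below is an added example, not code from Digital Shadows or Dark Reading: it hashes the password with SHA-1, sends only the first five hex characters of the hash to `https://api.pwnedpasswords.com/range/<prefix>`, and matches the remaining 35 characters locally against the returned `SUFFIX:COUNT` lines. The sample response and its counts are constructed so the check runs offline.

```python
"""Check passwords against Have I Been Pwned's Pwned Passwords range API.

Added example, not code from Digital Shadows or Dark Reading. Only a
5-character SHA-1 prefix leaves the host (k-anonymity); the constructed
sample response below stands in for the live API, and its counts are not
real HIBP figures.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 into the 5-char prefix sent to HIBP
    and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF-separated). With Add-Padding the
    server also returns decoy suffixes with count 0; they are harmless."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def http_fetch_range(prefix: str) -> str:
    """Live fetcher using only the stdlib. Add-Padding hides the true
    response size from anyone watching the TLS connection."""
    req = urllib.request.Request(
        PWNED_RANGE_URL.format(prefix=prefix),
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in. SHA-1("password") starts with 5BAA6, so a
# lookup for that prefix returns the lines below (counts are made up).
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "0123456789ABCDEF0123456789ABCDEF012:2\r\n"
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0\r\n"   # padding decoy
    )
}


def offline_fetch_range(prefix: str) -> str:
    """Fetcher that answers from SAMPLE_RANGES instead of the network."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, offline_fetch_range)
        status = f"seen {n} times, reject" if n else "not in corpus"
        print(f"{pw!r}: {status}")
```

Swap `offline_fetch_range` for `http_fetch_range` to query the real service; the password itself, and even its full hash, never leave the host. A non-zero count is a reason to reject the password at registration or reset time, which removes exactly the reused passwords that the stolen-credential markets described above trade on.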

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio