Cybercriminals looking to hijack online accounts belonging to consumers and organizations have an almost unlimited supply of stolen and exposed credentials they can use to try and facilitate the takeover.
New research by Digital Shadows uncovered a stunning 15 billion credentials circulating on the Dark Web and in underground marketplaces. The compromised credentials from over 100,000 breaches in recent years were associated with a wide range of accounts, including domain administrator accounts, bank and financial accounts, and social media and video-streaming service accounts.
Prices in criminal marketplaces for these credentials ranged from an average of $3,139 for domain admin accounts to $70.91 for bank accounts, $21.67 for account access for antivirus programs, and less than $10 for credentials to adult sites. Usernames and passwords for video game accounts and file-sharing sites were available for less than $2 a pop.
Credentials to high-value accounts — such as bank accounts confirmed to have a certain amount of funds or accounts with privileged access to large enterprise networks and systems — tended to fetch much higher prices. Researchers from Digital Shadows came across dozens of advertisements on underground forums for admin accounts being auctioned to bidders at prices ranging from $500 to $120,000. Many of these premium credentials had usernames — such as "invoice," "invoices," "payments," and "partners" — that suggested they were associated with financial accounts.
"The cost of accounts can vary on their quality," says Kacey Clark, threat researcher at Digital Shadows. "Vetted, active credentials for a tried-and-tested bank account that include the victim's personal information will be more expensive than a bulk pack of streaming accounts that may or may not be active."
Overall, 25% of the ads for stolen and leaked credentials that Digital Shadows researchers encountered were for banking and other financial accounts. Other popular categories — based on the number of ads for them — included streaming accounts, proxy/VPN accounts, and cable.
"One of the main takeaways from this report [is] the sheer scale of account takeover on the cybercriminal landscape," Clark says. "Cybercriminals target the obvious gold mines of financial or internal company accounts, but they also see value in things like streaming or antivirus accounts."
Online credential theft has emerged as a major problem for consumers and businesses in recent years. Criminals have employed a variety of tactics including phishing botnets, credential stuffing, and brute-force techniques to harvest credentials to online accounts. They have then sold or used the stolen credentials to carry out a variety of malicious activity, from initiating fraudulent wire transfers from business accounts to gaining free access to streaming and gaming services.
Mega Breaches, Mega Problems
Recent years have witnessed numerous mega breaches where tens and even hundreds of millions of credentials belonging to Internet users have been compromised. Among the most notable was one involving Yahoo, where between 500 million and 3 billion records were exposed, and one at Facebook last year, involving over 260 million records.
The threat from these breaches has been exacerbated by the tendency among a high percentage of Internet users to use the same — and often easy-to-guess — passwords across multiple accounts. Tools such as Sentry MBA and OpenBullet have also made it easier for cybercrminals to quickly test millions of username and password questions to see whether there's match, Clark says. So attackers can use credentials obtained from one breach to try and crack open other accounts.
Digital Shadows' research found the number of compromised credentials available to cybercriminals via criminal forums and marketplaces surged 300% from 2018. The vendor estimated that of the 15 billion credentials currently floating about, some 5 billion are unique, meaning they have been advertised just once on criminal forums.
One trend that Digital Shadows observed was a continued increase in the number of marketplaces renting access to compromised accounts for criminals not interested in purchasing or harvesting their own credentials. The security vendor first identified the practice in 2018.
"Account-takeover-as-a-service [ATaaS] can significantly lower the barrier to entry for cybercriminals," Clark says. Just like phishing- and malware-as-a-service, ATaaS gives cybercriminals the ability to rent a digital identity to access specific accounts. "The identity can include fingerprint data, including cookies, IP addresses, credentials, and time zones," she says.
Criminal markets, going by names such as Genesis Market, UnderWorld Market, and Tenebris, give criminals the option of renting access to different account types, including e-commerce, streaming, and social media, sometimes for prices as little as $10 for a specific period.
"These services perform the account takeover operations by using a multitude of tactics" and then rent out access to the compromised account, Clark notes. The ATaaS model is so popular that attackers on underground forms are often desperate to get invitations to these markets, Digital Shadows says.
Organizations can take multiple measures to mitigate their exposure to account-takeover attacks. Among them is the need to monitor for leaked employee credentials via sites such as "HaveIBeenPwned" and for mentions of the organization or brand on criminals forums, Digital Shadows. It's also a good idea to monitor code repositories and for leaked customer credentials the vendor.
In addition, implementing requirements for strong passwords is advised, Clark says. "Adding a security layer with multifactor authentication can significantly reduce the likelihood of your account being abused by cybercriminals," she says.
- 5 Tips for Fighting Credential Stuffing Attacks
- The Evolving Threat of Credential Stuffing
- Increased Credential Threats in the Age of Uncertainty
- Credential-Stuffing Attacks Behind 30 Billion Login Attempts in 2018
- How Enterprises Are Developing and Maintaining Secure Applications