Exposure to Takeover

by Mark Rowe

An average person uses some 191 services that require them to enter passwords or other credentials. That’s a lot to keep on top of, and it presents a problem if compromise occurs, particularly if a person uses the same credentials across multiple services, says the cyber firm Digital Shadows, in a downloadable report, titled ‘From Exposure to Takeover: The 15 billion stolen credentials allowing account takeover’.

In an account takeover (ATO), an attacker gains access to a user’s account. This can mean an e-commerce or financial account, which is then used to conduct fraud. Such accounts are valuable to attackers, but other online services are targeted too, from streaming and cable TV subscriptions to VPNs and adult websites.

Many credential harvesters target banking credentials in large volumes: they can be highly lucrative and are in high demand on underground marketplace sites. Credential harvesters use a combination of techniques to acquire victims’ details, including man-in-the-browser attacks, which use code injection techniques to inject form fields into the user’s banking website. These fields intercept the victim’s credentials directly from their online banking portal. The credentials are sent to the attackers, who monetise them directly (via fraudulent transactions) or, more commonly, sell them to other threat actors seeking freshly stolen credentials.

Privileged accounts, like administrator accounts, are considered extremely valuable in the criminal underworld. Not only do they give access to a network, but they feature the highest levels of control and trust. A person using a privileged account could change system configuration settings, read and modify sensitive data, or give other users access.

The company gathered hundreds of marketplace advertisements for accounts over the past two and a half years across nine active and defunct dark web marketplaces. Banking and other financial accounts are rife, accounting for 25 percent of all the access advertisements the firm observed. This makes sense: when you compromise someone’s bank account, you have direct access to all their funds, plus any sensitive personal information tied to that account. Many of the bank account listings seen claimed to include the victim’s United States social security number, their physical address, their birthdate, and answers to security questions.

Even though the average cost of one banking account was just under $71, some were going for upwards of $500. The price can be influenced by many factors: if it’s confirmed to have a certain amount of funds, if it has personally identifiable information (PII) attached, and how old an account is. United States-based accounts were advertised most frequently on criminal forums and marketplaces, followed by Canada, Australia, the UK, and Germany.

The firm also looked at an in-between option, renting account access, which sits between a criminal harvesting credentials and purchasing stolen credentials. Such a market also collects browser fingerprint data (such as cookies, IP addresses, time zones) from victims, making it easier to perform ATO and transactions that go unnoticed.

See also the firm’s blog: https://digitalshadows.com/blog-and-research/from-exposure-to-takeover-part-1-beg-borrow-and-steal-your-way-in/.

Comment

Jake Moore, cyber security specialist at ESET, said: “The dark web is notoriously easy to navigate and inexpensive personal information including passwords and bank details can be found in just a few clicks even for the inexperienced. Although it’s sad to think that our personal data will inevitably end up for sale, it is somewhat safer to assume it could which in turn may force users to make changes to their data habits.

“The current advice on passwords is that if they are all unique and long, then you should try and change them all once a year. If you are using a password manager this can be a rather simple task which helps you stay in control of your accounts and stay more secure. If passwords are convenient to the user, they are usually even more convenient to a hacker.

“Making changes to your financial details isn’t so straightforward to edit so it is worth checking your banking apps daily to monitor for any unusual activity.”
