15 billion usernames and passwords for internet services including bank and social media accounts on offer to cyber criminals, finds new research from Digital Shadows
July 2020 by Digital Shadows
Digital Shadows reveals new research assessing how cybercriminals exploit stolen credentials for accounts that we use every day, including bank accounts, social media and video streaming services. The study, entitled From Exposure to Takeover finds there are more than 15 billion credentials in circulation in cybercriminal marketplaces, many on the dark web – the equivalent of more than two for every person on the planet. The number of stolen and exposed credentials has risen 300% from 2018 as the result of more than 100,000 separate breaches. Of these, more than 5 billion were assessed to be ‘unique’ – i.e. they have not been advertised more than once on criminal forums.
The majority of exposed account credentials belong to consumers and include usernames and passwords from bank accounts to video and music streaming services. Many account details are offered free of charge but of those on sale the average account trades for $15.43. Unsurprisingly, bank and financial accounts are the most expensive, averaging at $70.91, however they trade for upwards of $500, depending on the ‘quality’ of the account. In addition to being the most expensive, banking, and financial accounts accounted for 25% of all the advertisements analyzed.
The research also finds that access to organizations’ key systems trade at a significant premium. Usernames with “invoice” or “invoices” were by far the most common advertised and comprise 66% of the 2 million usernames assessed. “Partners” and “payments” came in a distant second and third place, both with 10% each. Dozens of advertisements for domain admin access are also advertised and in many cases are being auctioned to the highest bidder with prices ranging from $500 to $120,000 – with an average $3,139. Digital Shadows cannot confirm the validity of the data that the vendors purport to own, but listings included those for large corporations and government organizations in multiple countries.
Digital Shadows has alerted clients to 27.3 million username and password combinations in the last 18 months. Unfortunately for both consumers and business, account takeover has never been easier (or cheaper) to do for cyber criminals. A myriad of brute-force tools and account checkers are available on criminal marketplaces – and can be used with little technical expertise – for an average of $4.
Digital Shadows has also observed the growth of ‘account takeover as-a-service’ such as those advertised on Genesis Market, where rather than buying a credential, criminals can rent an identity for a given period, often for less than $10. For this price, the service collects fingerprint data (such as cookies, IP addresses, time zones) from an individual (the target), which makes it considerably easier to perform account takeovers and transactions that go unnoticed. Such is the popularity of these services that users on forums are desperate to acquire invite codes to this market.
Multi factor authentication (MFA) can offer a significant barrier to criminals however Digital Shadows found evidence that methods to bypass 2FA are also commonly discussed on cybercriminal forums. In December 2019, for example, one user on the Russian-language cybercriminal forum Exploit created a thread to sell a method designed to bypass 2FA systems at a United States-based online bank. They stated that their system would allow seven to nine out of 10 accounts to be accessed without requiring SMS verification, and that they considered their offer was worth USD 5,000.
Digital Shadows advises business to adopt the following best practice:
Monitor for leaked credentials of your employees. HaveIBeenPwned can be a useful starting point in alerting you to instances of breaches including your organization’s email domain.
Monitor for mentions of your company and brand names across cracking forums. Use Google Alerts for this – Johnny Long offers some great tips for doing so and Google alerts can provide a good identification of the specific risks to your business.
Configuration files for your website that are being actively shared and downloaded are a good indication of impending attempts at account takeover. Don’t forget other sources. Code repositories can be rich with secrets and hard-coded passwords.
Monitor for leaked credentials of your customers, allowing you to take a more proactive response. Consider alerting your customers that their email has been involved in a breach, prompting them to reset their password if they have reused credentials.
Deploy an online Web Application Firewall. Commercial and open source web application firewalls, like ModSecurity, can be used to identify and block credential stuffing attacks.
Increase user awareness. Educate your staff and consumers about the dangers of using corporate email addresses for personal accounts, as well as reusing passwords.
Gain an awareness of credential stuffing tools. Keep an eye on the development of credential stuffing tools, and monitor how your security solutions can protect against evolving capabilities. Some credential stuffing tools are able to bypass some CAPTCHAs, for example.
Some element of 2FA is always better than none but try to phase out multi-factor authentication using SMS. This can help to reduce account takeovers, but make sure this is balanced against the friction (and cost) it can cause. The Photon Research team has produced a report, Two-Factor In Review: A technical assessment of the most popular mitigation for account takeover attacks, detailing the technologies involved with 2FA, attacks against the solution, and ways to mitigate them.