Credential harvesting, also called credential phishing, is a type of cyberattack where hackers attempt to steal confidential data like usernames and passwords to gain unauthorized access to an organization's network and systems.
Credential harvesting is often the initial step in a more sophisticated data breach. Attackers typically utilize a variety of deceitful tactics to steal information, such as phishing emails, malicious websites, and malware.
Once attackers obtain valid usernames and passwords, they will move laterally, escalate privileges, and explore the network, gaining unauthorized access to various systems, applications, and accounts within an organization's network to find or exploit valuable data. This can include email accounts, financial systems, customer databases, and more.
Credential harvesting is a common technique ransomware groups and initial access brokers (IABs) use to gain access to sensitive information, such as financial data, customer records, and intellectual property.
There are multiple ways cybercriminals can steal an organization's credentials. Here are some of the most prominent.
Attackers craft phishing emails to appear legitimate and urgent. These emails may contain alarming content, such as warnings about security breaches, account suspension, or enticing offers. Phishing emails use many forms of impersonation to create a sense of urgency and trick recipients into taking action.
Ransomware groups often use various impersonation techniques to gain trust, deceive victims, and successfully deliver their malicious payloads. Below are some common types of impersonation methods employed by ransomware groups:
Phishing emails often contain links that appear to point to a legitimate website but actually lead to a malicious site designed to steal users' credentials and other personal information. These emails may carry urgent messages, such as an essential security policy update or a warning that the user's account has been compromised and requires verification. When victims click the provided link, they are redirected to a fraudulent login page and prompted to enter their username and password. The victim's information is then sent to the attacker.
These websites may also deploy malware. When a user clicks on the link, it downloads and opens a malicious file. Once installed on a computer, the malware can steal users' credentials and spread to other systems.
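The two link signals described above, a link whose visible text names one site while its destination is another and a destination host that imitates a domain users are expected to log in to, can be checked automatically before a message reaches the inbox. The following is an added example written for this article, not Trellix code; the sample email body and the protected-domain list are constructed for illustration.

```python
"""Flag likely credential-phishing links in an HTML email body (added example).
Signal 1: link text names a domain that differs from the href's real host.
Signal 2: href host is a lookalike of a protected domain (embedded or near-miss)."""
import difflib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

PROTECTED_DOMAINS = {"example.com"}  # constructed: domains our users log in to
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    # Crude registrable domain (last two labels); enough for this illustration.
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def analyze_links(html):
    """Return a list of (finding, href, detail) tuples for suspicious anchors."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if not host:
            continue
        reg = registrable(host)
        shown = DOMAIN_RE.search(text.lower())  # does the link text claim a domain?
        if shown and registrable(shown.group(0)) != reg:
            findings.append(("text_host_mismatch", href, shown.group(0)))
        for good in PROTECTED_DOMAINS:
            near = difflib.SequenceMatcher(None, reg, good).ratio() > 0.8
            if reg != good and (good in host or near):
                findings.append(("lookalike_domain", href, good))
    return findings

SAMPLE_EMAIL = """<p>Your account will be suspended. Verify at
<a href="http://example.com.account-verify.net/login">https://example.com/verify</a>
or <a href="https://login.example.com/">our portal</a>.</p>"""  # constructed
```

Running `analyze_links(SAMPLE_EMAIL)` reports both signals for the first link and nothing for the genuine portal link; in production the registrable-domain logic should use a public suffix list rather than the two-label shortcut.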
Using initial access brokers (IABs) is a growing cybercrime trend. It helps ransomware groups and their affiliates scale faster and target more organizations simultaneously to increase their success rate. IABs sell access to already compromised corporate networks to other cybercriminals, such as ransomware gangs and their affiliates.
IABs act as a force multiplier for ransomware groups and affiliates by providing access to already breached networks. By outsourcing the initial access, ransomware gangs can focus on developing, maintaining, and deploying ransomware and growing affiliate operations.
Understanding the role credential harvesting plays at pivotal stages within the attack lifecycle is vital to successfully defending against cyber threats.
Reconnaissance: Before infiltrating an organization, attackers gather as much information as possible about their target to plan their campaign.
Initial Access: Ransomware groups use phishing emails, social engineering, unpatched vulnerabilities, or stolen or weak credentials to infiltrate an organization. Credential harvesting comes into play when attackers aim to acquire valid login credentials.
Escalation & Lateral Movement: Once inside the network, attackers may exploit vulnerabilities to gain higher-level access or move into other systems.
Data Exfiltration: In some cases, before deploying the ransomware, attackers exfiltrate sensitive data from the organization's systems. This data is used to pressure the victim into paying the ransom. If the victim refuses to pay, the attackers may leak the data publicly.
Ransomware Deployment, Execution, and Encryption: Once the attackers are confident in their access and have identified critical systems, they deploy the ransomware.
Impact and Recovery: The victim organization faces significant disruption, financial losses, and potential data exposure due to the ransomware attack. Recovery involves restoring systems from backups, removing malware, and sometimes negotiating with the attackers to obtain the decryption key.
Follow these best practices to avoid potential cyberattacks that use credential harvesting.
Credential harvesting is a significant threat because it preys on human psychology and trust. It relies on social engineering tactics and the assumption that victims may not thoroughly scrutinize the legitimacy of the communication they receive. To protect against credential harvesting attacks, individuals and organizations should:
Trellix Email Security prevents credential harvesting through a comprehensive and rigorous testing process that includes: