Credential phishing has become rife, and its sophistication has grown. Using complex tactics, cyber criminals impersonate prominent firms to obtain identifying information from unsuspecting consumers.
In this article, we discuss how credential phishing attacks are orchestrated, types of such attacks, their impacts, and prevention techniques.
What Are Credential Threats?
Credential threats refer to the various ways an attacker can gain unauthorized access to a system, network, or device by obtaining or stealing valid login information. These threats can take many forms:
1. Brute-force attacks, in which an attacker tries to guess a user’s login details by trying many username and password combinations.
2. In dictionary attacks, an attacker tries to guess a user’s login information by using a pre-defined list of common words and phrases as the password.
3. In password reuse attacks, an attacker takes credentials stolen in one breach and submits them to other systems or accounts, counting on the victim having used the same password.
4. In man-in-the-middle (MITM) attacks, an attacker intercepts communication between a user and a system and tries to steal the login details being transmitted.
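The first three threats in the list above leave a recognisable trace in authentication logs, which is where a defender usually catches them. The script below is an added example, not code from the article: it reads a constructed, simplified log format and raises an alert when one IP fails repeatedly against a single account (brute-force or dictionary guessing), when a success follows such a burst (the sign a guess worked), and when one IP fails against many different accounts within a short window (the pattern credential-stuffing and password-spraying tools leave). The log format, thresholds and window are assumptions for the demonstration.

```python
"""Detect brute-force and credential-stuffing patterns in authentication logs.

Added example, not taken from the article. The log format is a constructed,
simplified one: "<ISO timestamp> <OK|FAIL> user=<name> ip=<address>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: documentation IP ranges and made-up user names.
SAMPLE_LOG = """\
2024-05-01T10:00:01 FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:02 FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:03 FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:04 FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:05 FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:06 OK user=alice ip=203.0.113.5
2024-05-01T10:01:00 FAIL user=bob ip=198.51.100.7
2024-05-01T10:01:01 FAIL user=carol ip=198.51.100.7
2024-05-01T10:01:02 FAIL user=dave ip=198.51.100.7
2024-05-01T10:01:03 FAIL user=erin ip=198.51.100.7
2024-05-01T10:01:04 OK user=frank ip=198.51.100.7
2024-05-01T10:05:00 FAIL user=alice ip=192.0.2.9
2024-05-01T10:30:00 OK user=alice ip=192.0.2.9
"""


def parse_line(line):
    """Parse one log line into a dict; raise ValueError on malformed input."""
    ts, result, user_kv, ip_kv = line.split()
    if result not in ("OK", "FAIL") or not user_kv.startswith("user=") or not ip_kv.startswith("ip="):
        raise ValueError(f"unrecognised log line: {line!r}")
    return {"ts": datetime.fromisoformat(ts), "ok": result == "OK",
            "user": user_kv[len("user="):], "ip": ip_kv[len("ip="):]}


def analyze(log_text, window=timedelta(minutes=5), fail_threshold=5, spray_threshold=4):
    """Return a list of alert dicts, each raised at most once per (type, ip, user)."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    pair_fails = defaultdict(deque)   # (ip, user) -> timestamps of failures inside the window
    ip_users = defaultdict(dict)      # ip -> {user: timestamp of that user's last failure}
    alerts, seen = [], set()

    def alert(kind, **fields):
        key = (kind, fields.get("ip"), fields.get("user"))
        if key not in seen:
            seen.add(key)
            alerts.append({"type": kind, **fields})

    for e in events:
        q = pair_fails[(e["ip"], e["user"])]
        while q and e["ts"] - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if e["ok"]:
            # A success right after a burst of failures is the most urgent signal:
            # the guessing may have succeeded and the account should be reviewed.
            if len(q) >= fail_threshold:
                alert("success_after_failures", ip=e["ip"], user=e["user"], failures=len(q))
            q.clear()
            continue
        q.append(e["ts"])
        if len(q) >= fail_threshold:            # one IP hammering one account
            alert("brute_force", ip=e["ip"], user=e["user"], failures=len(q))
        users = ip_users[e["ip"]]
        users[e["user"]] = e["ts"]
        recent = sorted(u for u, t in users.items() if e["ts"] - t <= window)
        if len(recent) >= spray_threshold:      # one IP, many accounts: stuffing or spraying
            alert("many_users_one_ip", ip=e["ip"], users=recent)
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a)
```

Run against the sample it reports three alerts: the burst against alice, the success that followed it, and the four-account sweep from 198.51.100.7; the single failure from 192.0.2.9 followed by a login 25 minutes later stays silent, which is the ordinary mistyped-password case. In a real deployment the parser would be replaced by the SIEM's own field extraction and the thresholds tuned to the service's normal failure rate.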
How Are Credentials Compromised?
There are many ways that credentials can be compromised:
1. Malware: Malicious software installed on your device without your knowledge, often by getting you to open a malicious link or attachment. It can capture your login details as you enter them, monitor your activity, and record any sensitive personal information you enter online.
2. Unsecured websites: If you enter your login information on an unsecured website (one that doesn’t use HTTPS), an attacker can intercept that information as it is transmitted.
3. Social engineering: In this attack, a hacker tries to trick you into giving away your login details by posing as someone you trust, such as a colleague or a customer service representative.
What Are Credential Phishing Attacks?
Credential phishing is a type of cyber attack in which a hacker tries to trick the victim into disclosing sensitive information, such as corporate credentials or financial information. The attacker usually does this by sending the victim a fake email or message that appears to be from a legitimate source, such as a bank or a government agency.
When the victim enters their login credentials or other sensitive data into the fake page or message, the attacker captures it and can use the stolen credentials or send further malicious links. To avoid this, be cautious with emails or messages that ask for sensitive data, and verify the source’s authenticity before entering any information.
What Happens to Phished Credentials?
Phished credentials are login information, such as user account names and passwords, that an attacker has obtained through a phishing attack. Once the attacker has obtained phished credentials, they can use them to gain unauthorized access to a victim’s accounts. This attack technique offers unfettered access to users’ email, social media accounts, or financial accounts. These compromised accounts can be further exploited by the hacker for their malicious benefit or can be sold to other hackers over the online black market or dark web.
Types of Credential Phishing Attacks
There are several types of credential phishing attacks:
1. Spear phishing: This attack targets specific individuals or organizations; the attacker first gathers information about the target to create more convincing phishing links or messages.
2. Whale phishing: Hackers send messages to high-level executives or other high-value individuals, with greater sophistication and customization, to access sensitive personal information.
3. Clone phishing: In this attack, credential phishing scammers create a copy of a legitimate email or link containing attachments and send it to the victim.
4. Smishing: Hackers use SMS messages to lure victims into divulging sensitive details and downloading malicious content or clicking on a malicious link.
5. Vishing: This attack uses phone calls to trick victims into revealing sensitive personal information or transferring money.
6. Social media phishing: Hackers exploit social media platforms, such as Facebook, Twitter, and LinkedIn, to create fake profiles, orchestrate credential theft, and use them to send private phishing messages to victims.
Consequences of Falling Victim to Credential Phishing Attempts
Falling victim to a credential phishing attack can have serious consequences. If an attacker obtains user credentials, they can log in with them and use that access for malicious purposes, such as sending malicious links or using the victim’s email account to spread malware. Therefore, being cautious and taking steps toward credential phishing prevention is essential.
Loss of Sensitive Information
Losing sensitive data can have serious consequences, depending on the type of information lost and to whom it is lost. For example, an attacker can obtain your login credentials and misuse those stolen credentials for their own benefit. It can be particularly frustrating if you use the account for essential tasks such as work or communication.
Losing sensitive business information, such as trade secrets or customers’ critical data, can have severe consequences for your business and potentially lead to financial losses. For example, an attacker can steal your personal or financial information through a cyber attack. In that case, they can make fraudulent transactions, such as stealing money from your accounts, making purchases using your account, and taking out loans or credit cards in your name.
Loss of Trust in Online Accounts
Phishing attacks can lead to a loss of trust in the overall security of the internet. If you lose trust in the security of your online services, you may be less likely to use the internet for sensitive activities, such as online banking or shopping. It can negatively impact your online experience and make you hesitant to use those services in the future.
Brands Most Likely to Be Spoofed in a Phishing Attack
While almost all organizations are susceptible to such attacks, some of the most common brands include financial institutions such as banks and credit card companies, online service providers such as e-commerce websites, Google, Microsoft, and government agencies such as the IRS.
A report also suggests that more than 430,000 phishing attacks occur at least once a year, with 2% involving social networks, with LinkedIn leading the list. This is particularly because of LinkedIn’s recurring email notifications for users’ profiles and job searches, which are commonly exploited by hackers to send credential phishing emails.
Real-World Examples of a Successful Phishing Attack
There have been many high-profile cases of credential phishing attacks. Here are a few examples:
1. In 2016, a credential phishing attack targeted the email accounts of several high-level Democratic Party officials. The attack, later attributed to Russian hackers, released sensitive emails and significantly impacted the U.S. presidential election.
2. In 2017, a credential attack targeted the email accounts of several senior executives at Uber. The attackers obtained the login information of several employees and used this access to steal sensitive details on 57 million Uber riders and drivers.
3. In 2017, a credential attack targeted employees of Google and Facebook. The attackers sent the employees a link to a fake website login page or landing page and obtained the login details of many employees.
4. In 2018, a credential phishing attack targeted the email accounts of several senior executives at Marriott by sending them a credential phishing email. The attack, later attributed to Chinese hackers, compromised sensitive data on up to 500 million hotel guests.
5. In 2020, a credential phishing attack targeted the email accounts of several senior executives at Twitter. The attackers obtained the login information of several employees and used this access to take control of high-profile Twitter accounts and spread false information.
Lessons to Be Learned From High-Profile Cases of Credential Phishing
Many high-profile credential phishing attempts could have been prevented or mitigated with reliable security controls: robust security protocols and processes for responding to security breaches. These include two-factor or multi-factor authentication, strong and unique passwords, and security awareness training so that employees can recognise credential phishing emails and messages.
How to Protect Yourself From Credential Phishing Attacks?
Organizations can educate their employees about phishing attacks and how to spot them. In addition, businesses can use anti-phishing software and keep their operating systems and software up to date with the latest security versions.
Tips for Identifying Phishing Emails
Here are some tips on how to spot credential phishing:
1. Look for strange sender addresses or unfamiliar domains. Phishers often use fake sender addresses or domains similar to legitimate ones to trick people into thinking the email is legitimate.
2. Be wary of emails with urgent or threatening language. Phishers often use urgent or threatening language to get people to act quickly and without thinking.
3. Check for spelling and grammar mistakes. Legitimate organizations generally ensure that their emails are well-written and free of mistakes.
4. Be cautious of a credential phishing email that asks for personal or financial information. Legitimate organizations generally do not ask for sensitive personal information via email.
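Tips 1, 2 and 4 above can be partly automated, which is what mail filters do at scale. The script below is an added example, not the article’s code: it parses a message with Python’s standard email module, checks the sender domain against a small constructed allowlist of known brands (with simple homoglyph normalisation and edit distance to catch look-alikes such as rnicrosoft or micros0ft), flags a Reply-To domain that differs from the sender, and scans subject and body for urgency phrases, credential-request phrases and links pointing at look-alike hosts. Tip 3, spelling and grammar, is left to the human reader. The allowlist, phrase lists, weights and both sample messages are constructed for the example.

```python
"""Heuristic phishing-email scorer for the tips above.

Added example, not from the article. The brand allowlist, phrase lists,
weights and the two sample messages are constructed for the demonstration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

KNOWN_DOMAINS = {"example-bank.com", "microsoft.com", "google.com"}   # constructed allowlist
URGENT_PHRASES = ("urgent", "immediately", "within 24 hours", "suspended",
                  "verify now", "action required")
CREDENTIAL_PHRASES = ("password", "login details", "verify your account",
                      "confirm your identity", "social security")
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(domain):
    """Undo the substitutions look-alike domains rely on (rn -> m, 0 -> o, ...)."""
    return domain.lower().replace("rn", "m").translate(HOMOGLYPHS)


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain):
    """Return the known domain this one imitates, or None if it is genuine or unrelated."""
    raw = domain.lower()
    for known in KNOWN_DOMAINS:
        if raw == known or raw.endswith("." + known):
            return None                       # the real domain or one of its subdomains
    norm = normalize(raw)
    for known in sorted(KNOWN_DOMAINS):
        brand = known.split(".")[0]
        if brand in norm or levenshtein(norm, known) <= 2:
            return known
    return None


# Constructed samples (single-part text messages).
PHISHING_SAMPLE = """\
From: "Microsoft Account Team" <security@rnicrosoft-login.com>
Reply-To: collect@mail-drop.example
Subject: Action required: your account will be suspended
Content-Type: text/plain

Your account will be suspended within 24 hours unless you verify your account.
Confirm your password at http://rnicrosoft-login.com/verify to keep access.
"""
LEGIT_SAMPLE = """\
From: "Example Bank" <alerts@example-bank.com>
Subject: Your monthly statement is ready
Content-Type: text/plain

Your April statement is available in online banking at https://www.example-bank.com/statements
"""


def score_email(raw_message):
    """Score a raw RFC 822 message; a total of 4 or more is treated as likely phishing."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""   # samples are single-part
    text = (msg.get("Subject", "") + "\n" + body).lower()
    findings = []                                                # (weight, description)
    imitated = lookalike(from_domain)                            # tip 1: look-alike sender
    if imitated:
        findings.append((3, f"sender domain {from_domain} imitates {imitated}"))
    if reply_domain and reply_domain != from_domain:             # replies diverted elsewhere
        findings.append((2, f"replies go to {reply_domain}, not {from_domain}"))
    urgent = [p for p in URGENT_PHRASES if p in text]            # tip 2: pressure to act
    if urgent:
        findings.append((1, "urgent language: " + ", ".join(urgent)))
    asks = [p for p in CREDENTIAL_PHRASES if p in text]          # tip 4: asks for secrets
    if asks:
        findings.append((2, "asks for credentials/personal data: " + ", ".join(asks)))
    for host in sorted(set(re.findall(r"https?://([^\s/]+)", body, re.I))):
        target = lookalike(host)                                 # links to look-alike hosts
        if target:
            findings.append((2, f"link host {host} imitates {target}"))
    score = sum(w for w, _ in findings)
    return {"score": score,
            "verdict": "likely phishing" if score >= 4 else "no strong indicators",
            "findings": [d for _, d in findings]}


if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(name, score_email(sample))
```

The phishing sample trips every check and scores 10; the bank statement scores 0 because its sender and link both resolve to the genuine domain. The weights are deliberately skewed so that a look-alike sender domain alone is not enough to convict but a look-alike sender plus any second signal is, which keeps a single unusual but legitimate newsletter from being quarantined.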
Best Practices for Creating Strong Passwords to Prevent a Credential-Based Attack
Some of the best practices for creating strong passwords:
1. Use a long password, ideally at least 12 characters, with a combination of upper and lower case letters, numbers, and special characters.
2. Avoid using dictionary words, common phrases, or personal information such as your name or birthdate.
3. Businesses can create and use strict password management policies to generate and store strong, unique passwords and avoid using the same password for multiple accounts.
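One way to enforce the three practices above at password-creation time, as an added example that is not code from the article: a checker that rejects short passwords, missing character classes, dictionary words even when written with common substitutions (so P@ssw0rd still counts as password), personal details supplied by the caller, and reuse of a password already in use elsewhere. The word list, substitution map and minimum length are constructed for the example; a real deployment would compare against salted hashes of existing passwords rather than plaintext.

```python
"""Password policy checker for the practices listed above.

Added example, not from the article. The word list, substitution map and
minimum length are constructed illustrations of the article's rules.
"""
import re

MIN_LENGTH = 12
# Constructed, deliberately short list of words a dictionary attack tries first.
COMMON_WORDS = {"password", "welcome", "admin", "letmein", "qwerty", "summer",
                "dragon", "monkey", "football", "secret"}
# Common substitutions; "P@ssw0rd" must still be recognised as "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})
CHARACTER_CLASSES = {"upper": r"[A-Z]", "lower": r"[a-z]",
                     "digit": r"\d", "special": r"[^A-Za-z0-9]"}


def normalize(password):
    """Lower-case and undo leetspeak so dictionary matching sees the underlying word."""
    return password.lower().translate(LEET)


def check_password(password, personal_info=(), previous=()):
    """Return a list of policy violations; an empty list means the password passes.

    personal_info: names, birth years etc. the user must not embed (practice 2).
    previous: passwords already in use on other accounts (practice 3). Here they
    are plaintext for the demonstration; compare salted hashes in production.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = [name for name, pattern in CHARACTER_CLASSES.items()
               if not re.search(pattern, password)]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    norm = normalize(password)
    for word in sorted(COMMON_WORDS):
        if word in norm:
            problems.append(f"contains a dictionary word: {word}")
    for item in personal_info:
        token = re.sub(r"[^a-z0-9]", "", str(item).lower())
        # Check both the raw password (for digits such as a birth year) and the
        # normalised form (for names written with substitutions).
        if len(token) >= 3 and (token in password.lower() or token in norm):
            problems.append(f"contains personal information: {item}")
    if password in previous:
        problems.append("reused from another account")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd2024!", "AliceSmith1990!x", "Tq7#vL9m!xR2wZ"):
        print(candidate, check_password(candidate, personal_info=("Alice", "Smith", "1990")))
```

The interesting case is P@ssw0rd2024!: it satisfies the length and character-class rules that most naive validators stop at, yet it is rejected because the substitution map reduces it to the word password, which any dictionary attack tries in its first few guesses.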
Being vigilant when protecting yourself from credential phishing attacks is always a good idea. Here are a few steps you can take for credential phishing prevention:
1. Enable two-factor authentication (2FA), which adds an extra layer of security by requiring a code sent to your phone or email in addition to your password.
2. Don’t share your login details with anyone, and be sure to log out of your accounts when you’re finished using them.
3. Regularly update your software and applications manually or automatically to ensure you have the latest security patches and to prevent security vulnerabilities.
Credential Phishing Attacks – Cheat Sheet
1. What Is ‘Employee Raises Dropbox’?
“Employee raises Dropbox” could refer to a situation where an employee raises a concern about a potential credential phishing campaign targeting their Dropbox account. These attacks often involve sending fake emails or creating malicious sites that appear legitimate but are designed to mislead corporate targets into entering their login information or other sensitive data. Therefore, it is essential for employees to be aware of these types of attacks and to be cautious when providing their login information or other sensitive data online.
2. What are Spam Filters?
Spam filters are software programs designed to automatically identify and filter out unwanted or unsolicited messages, including phishing messages, also known as spam. They use various techniques to identify spam messages, such as analyzing the content of the message, examining the sender’s email address, and looking for specific keywords or patterns that spam senders commonly use.
3. What Is a Phishing Site?
Phishing sites are often designed to mimic the appearance of well-known websites, such as banks, social media sites, or online shopping sites. An attacker uses fake advertisements to redirect victims to click on links leading to phishing sites.
Sudip is a Norwich, UK based Technical Writer who writes content on Cloud, DevOps and Cyber Security. He possesses more than 15 years of working experience as a Solution Architect in IT Infrastructure, and is an avid traveler and follower of sports.