The Methodology Employed by Hackers to Phish and Monetize User Credentials

Stolen account credentials have become a valuable commodity in cybercrime and a popular initial access vector. A single set of stolen credentials can put an organization’s entire network at risk. According to the 2023 Verizon Data Breach Investigations Report, external parties were responsible for 83% of breaches between November 2021 and October 2022, with 49% of these breaches involving stolen credentials. Social engineering is one of the top five cybersecurity threats in 2023, with phishing being the go-to method for stealing credentials. As phishing and social engineering techniques become more sophisticated and readily available, credential theft should become a top security concern for all organizations if it already isn’t one.

Phishing has evolved into a lucrative business for threat actors, who are increasingly embracing the phishing-as-a-service (PhaaS) model to outsource their expertise to others. With the availability of phishing kits on underground forums, even individuals with minimal skills can launch attacks. The risks associated with stolen credentials are compounded when end-users reuse passwords across multiple accounts, a practice exploited by threat actors who capitalize on the prevalence of password reuse. After obtaining account credentials, threat actors can distribute malware, steal data, or impersonate users for financial gain.

Social engineering has proven to be highly effective in compromising credentials, especially with the increased usage of mobile devices, which provide numerous channels for delivering credential-stealing phishing attacks. As attackers become more adept at launching social engineering scams, organizations need to prioritize protecting their employees across all devices to prevent initial footholds that can lead to credential compromise. The use of generative AI in social engineering attacks has further heightened concerns, as it enables threat actors to create highly convincing phishing emails and fake login screens, making it challenging for users to detect deception.

The compromise of credentials can have severe consequences for individuals and organizations, including financial loss, identity theft, and data breaches. Therefore, safeguarding against social engineering attacks and credential compromise is crucial in the current cybersecurity landscape. Threat actors are actively targeting mobile devices, and credentials can be compromised because users can be fooled by social engineering tactics. Organizations need to increase their cyber awareness and take steps to mitigate the risks associated with social engineering attacks.

Phishing has evolved

In the realm of phishing and social engineering, threat actors are expanding their tactics beyond the confines of email usage:

Phishing campaigns have evolved into multi-channel attacks, featuring multiple stages. In addition to emails, threat actors employ text messages and voicemail to guide victims to malicious websites. Subsequently, a follow-up phone call is utilized to perpetuate the deception.

Mobile devices have become a focal point for threat actors. The vulnerability of users to social engineering tactics across diverse applications makes mobile devices an attractive target for credential compromise. Notably, half of all personal devices encountered phishing attacks each quarter throughout 2022.

The introduction of artificial intelligence (AI) adds a new dimension to these attacks. AI is leveraged to enhance the credibility of phishing content and broaden the spectrum of attacks. By utilizing victim research data, AI is employed to craft personalized phishing messages. These messages are then iteratively refined, imbuing them with a veneer of legitimacy to achieve more effective results. The convergence of AI and phishing techniques signifies a shift in the strategies employed by threat actors, necessitating heightened awareness and adaptive security measures.

PhaaS is the road to stolen credentials

Despite the seeming complexity of cyber threats, the initiation of credential theft requires relatively minimal resources. Phishing, in particular, has evolved into a lucrative enterprise, with threat actors wholeheartedly embracing the phishing-as-a-service (PhaaS) model, effectively outsourcing their expertise to others. This innovative approach allows even individuals lacking the skills to independently infiltrate IT systems to wield the capability to launch sophisticated attacks, thanks to the availability of phishing kits on underground forums.

The PhaaS landscape mirrors the structure of legitimate Software as a Service (SaaS) businesses. Users can select from various subscription models, and the acquisition of a license is a prerequisite for the effective operation of the phishing kits. This commercialization of phishing services not only streamlines the process for experienced threat actors but also lowers the entry barrier for novices, enabling a broader range of individuals to partake in illicit activities without the need for deep technical expertise.

This commodification of phishing underscores the alarming democratization of cyber threats, where malicious tools and techniques are readily accessible to a diverse range of actors. The subscription-based model employed by PhaaS introduces a level of organization and business-like structure to the illicit world of cybercrime, further emphasizing the need for comprehensive cybersecurity measures to counteract the widespread availability and use of such malicious services.

Sophisticated phishing instruments employed for Microsoft 365 account targeting

Revelation of W3LL’s Business Email Compromise (BEC) phishing ecosystem

Over the past six years, the threat actor known as W3LL has been actively distributing its specialized phishing kit, the W3LL Panel, within the underground market it operates—the W3LL Store. This phishing kit is specifically designed to overcome multi-factor authentication (MFA) and stands out as one of the more sophisticated tools available in the clandestine world of cybercrime.

During the period spanning October 2022 to July 2023, the W3LL Panel demonstrated its efficacy by successfully infiltrating a notable 8,000 corporate Microsoft 365 business email accounts out of the 56,000 that were targeted. Notably, W3LL extends its offerings beyond the phishing kit, providing a range of other assets for sale. These include lists of victims’ emails, compromised email accounts, VPN accounts, compromised websites and services, and tailor-made phishing lures. The financial gains from the W3LL Store over the last 10 months are estimated to have reached an astonishing figure of up to $500,000.

The consistent success of the W3LL Panel in breaching corporate email accounts underscores the persistent and evolving threats posed by advanced phishing tools within the cyber underground. The diversity of assets offered by W3LL demonstrates the comprehensiveness of their illicit enterprise, emphasizing the need for heightened cybersecurity measures to counteract the lucrative operations of such threat actors.

The Greatness phishing kit streamlines Business Email Compromise (BEC) processes

The Greatness phishing kit has emerged as a tool streamlining Business Email Compromise (BEC) operations. Its presence in the cyber landscape dates back to November 2022, with notable spikes in activity observed in December 2022 and again in March 2023. Offering features such as Telegram bot integration and IP filtering, Greatness shares a notable trait with the W3LL Panel—an ability to bypass multi-factor authentication (MFA).

The initial point of engagement occurs through a phishing email, directing the victim to a fraudulent Microsoft 365 login page where their email address is pre-filled. Upon entering their password, Greatness establishes a connection with Microsoft 365, skillfully evading MFA by prompting the victim to submit the MFA code on a decoy page. This code is then relayed to a Telegram channel, providing the threat actor with the means to access the authentic account. It is crucial to note that the deployment and configuration of the Greatness phishing kit necessitate the use of an API key.

The operational timeline and tactics of the Greatness phishing kit highlight its adaptability and sophistication in navigating security measures. By exploiting the trust associated with Microsoft 365, this kit underscores the persistent evolution of phishing tools and the importance of robust cybersecurity measures to counteract these threats effectively.

The clandestine realm where pilfered credentials are traded

In the year 2022, the Dark Web witnessed an alarming surge in the availability of credentials, surpassing a staggering 24 billion, marking a significant escalation from the figures recorded in 2020. The pricing dynamics for stolen credentials exhibit considerable variability contingent upon the type of account in question. Notably, the cost of pilfered cloud credentials is relatively low, akin to the price of a dozen donuts. Conversely, access to ING bank account logins commands a significantly higher price tag, reaching as much as $4,255.

Engaging with these clandestine forums can be a challenging endeavor, with certain operations imposing stringent verification processes or necessitating the payment of a membership fee for entry. Notably, in exclusive forums like the W3LL Store, the admission of new members is restricted to those who come recommended by existing members, adding an extra layer of selectivity and control to these covert platforms. This illustrates the clandestine and guarded nature of these cybercriminal communities, reinforcing the notion that accessing and participating in these forums is not a straightforward undertaking.

The dangers of end-users reusing passwords

The risks associated with stolen credentials become significantly heightened when end-users engage in the practice of reusing passwords across multiple accounts. Threat actors recognize the lucrative potential in acquiring stolen credentials, capitalizing on the widespread tendency of individuals to employ the same password across various accounts and online services, both for personal and business purposes.

Even with robust organizational security measures in place, preventing the reuse of valid credentials pilfered from another account remains a challenging task. The aftermath of stolen account credentials can have severe consequences, as threat actors gain the ability to distribute malware, pilfer sensitive data, assume the identity of the account owner, and engage in various other malicious activities through the compromised email account. Notably, the threat actors who initially steal the credentials may not necessarily be the ones directly utilizing the pilfered information.

Financial motivation remains the predominant driving force behind approximately 95% of security breaches. Threat actors, seeking financial gain, often opt to sell the stolen credentials on underground forums, turning a profit by providing access to other malicious actors who may exploit the information weeks or even months later. This underscores the enduring significance of stolen credentials as a driving force in underground markets, emphasizing the need for vigilant security measures to safeguard user credentials within organizations. As the prevalence of these threats persists, organizations must carefully consider and implement robust strategies to enhance the security of user credentials and mitigate potential breaches.

Block compromised passwords

Enhance the security posture of your organization by addressing the vulnerabilities associated with compromised passwords through the implementation of Specops Password Policy with Breached Password Protection. This advanced tool empowers you to proactively block over 4 billion known compromised passwords directly from your Active Directory. By incorporating this solution, all users are automatically restricted from utilizing passwords that have been identified as compromised, redirecting them to create a unique password that aligns with your established security policies. Moreover, with the activation of continuous scanning, users receive immediate notifications via SMS or email as soon as their password is detected to be compromised.

Strengthening your password infrastructure is further facilitated by the inclusion of a custom dictionary feature, enabling you to block terms specific to your organization, along with eliminating weak and easily predictable patterns. Specops Password Policy empowers you to enforce a more robust password policy, ensuring alignment with contemporary compliance requirements. Experience the capabilities of Specops Password Policy by availing of a free trial, providing you with the opportunity to assess its efficacy in fortifying your organization’s password security. Take proactive steps to safeguard your digital assets by exploring Specops Password Policy and enhancing your defense against potential security threats.
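
The three checks described above (known-breached lookup, custom dictionary, predictable patterns), shown as an added Python example; it is not part of the original article and is not Specops code. The breached list, the organization terms and the function names are constructed assumptions.

```python
import hashlib
import re

# Constructed sample data; a real deployment would load a large breach corpus.
# SHA-1 is used only as a lookup key, the form breach corpora are commonly shipped in.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
                 for p in ("Password1", "Summer2023!", "qwerty123")}
ORG_TERMS = {"contoso", "helpdesk"}  # hypothetical custom dictionary

# Undo common character substitutions so "C0nt0so" still matches "contoso".
LEET = str.maketrans("0134578@$!", "oleastbasi")
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl")


def has_predictable_pattern(pw, run=4):
    """True if pw contains a keyboard/alphabet/digit run or a repeated character."""
    low = pw.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):  # forward and reversed runs
            if any(s[i:i + run] in low for i in range(len(s) - run + 1)):
                return True
    # Same character repeated `run` or more times in a row.
    return bool(re.search(r"(.)\1{%d,}" % (run - 1), low))


def check_password(pw):
    """Return the list of policy reasons for rejecting pw (empty list = accepted)."""
    reasons = []
    if hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        reasons.append("breached")
    normalized = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    if any(term in normalized for term in ORG_TERMS):
        reasons.append("org-term")
    if has_predictable_pattern(pw):
        reasons.append("predictable-pattern")
    return reasons


if __name__ == "__main__":
    for candidate in ("Summer2023!", "C0nt0so2023!", "Qwerty!9zk",
                      "plum-Tractor-violin-82"):
        print(candidate, check_password(candidate) or "accepted")
```
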
