Are your Credentials already in Cyber Criminals’ Hands?

Security - 24 November, 2020

It’s common for every digital service today to ask you to log in with an email address and a password. Social media, streaming services, favourite news sites and work accounts all require credentials to protect user data.


One recent study[1] found the average person has between 70 and 80 accounts requiring passwords. The proliferation of passwords is not as comforting as it might appear. With so many to remember, it’s no surprise that people are tempted to reuse, rotate or use variations of a few passwords. But if individuals repeatedly use the same email and password combination when accessing third-party services, and those services are then breached, the individuals and their organisations face an increased cyber security risk.

In recent years, cyber criminals have been moving from ‘spray and pray’ tactics to targeting individuals and specific industries. Digital footprints and social media presences help criminals identify individual employees or departments working within target companies. Mining an individual’s digital information is also used to gain access to password-protected accounts and discover credentials that further criminal activities.

The best defence is prevention – EXCEED ICT has partnered with Cryptoloc – the world’s safest cyber security platform. Reach out to the team at EXCEED ICT to discuss how you can have your own private Cloud, where you have complete control.

15 billion Credentials are Already Available for Cyber Criminals

The number of stolen usernames and passwords in circulation has increased by 300% since 2018. Research from Digital Shadows found there are now more than 15 billion available to cyber criminals[2]. These credentials have become commodities to be traded, or even given away, on the dark web by criminal syndicates.

For syndicates, selling compromised accounts is easier and can be more lucrative than ‘spray and pray’ attacks. The average price for the commercially traded logins was US$15.43, while credentials such as active bank account logins commanded a premium. Digital Shadows saw some banking account credentials sold for as much as US$500 depending on the funds available and the freshness of the credential theft itself.

Domain administrator accounts are among the most valuable to cyber criminals because they offer access to internal business networks. Such accounts are usually sold by auction with an average price of US$3,139 per account. In some cases, the price reached over US$120,000.

These new market dynamics give an incentive to cyber criminals to target a wider range of organisations, including small and medium-sized businesses, and not just larger enterprises. Australian charities, not-for-profits and SMBs are already being affected[3], with Australia third on the global list for most in-demand credentials behind the US and Canada[4].

The Silent Threat

According to the Federal Government’s Office of the Australian Information Commissioner, 518 breaches were notified under the Notifiable Breach scheme between January and June 2020[5]. Although this figure is down 3% from 532 in the previous six months, it is up 16% on the 447 notifications received during the period January-June 2019.

It’s important to note that the threat from leaked credentials is not always obvious at first. Once hackers have credentials, they put them up for sale on the market, or they (or the party that purchases them) may lurk within the organisation’s systems, watching activity and mining more valuable data.

Full original article can be accessed here.