Digital Shadows (now ReliaQuest) has collected over 15 billion credentials across the open, deep, and dark web. In our recent research piece, Exposure to Takeover, we analyzed the types of alerts that we’ve sent to our clients to grasp a better understanding of the impact that account takeover (ATO) can have on organizations.
Over the past 2.5 years, we’ve identified and alerted our clients to more than 27 million exposed credentials; 27,339,059, to be exact. The credentials included usernames with associated passwords, as well as usernames on their own. As you can see in Figure 1, technology companies’ credentials represented 31 percent of the top ten sectors, followed by food-and-beverage and financial services, at 16 percent and 14 percent.
We used this data to break down the average number of exposed credentials per organization. We found that a single food and beverage organization, on average, had a whopping 87,352 credentials exposed. Education and technology organizations came in second and third, respectively, with an average of just under 48,000 exposed credentials per organization.
Sure, those numbers are enormous, but it’s important to remember that they don’t all represent legitimate, active credentials. A substantial portion is inevitably expired or belongs to former employees or legacy systems. Regardless, this gives you a sense of the sheer impact that data breaches can have on just one organization. It’s unlikely that many of an organization’s exposed credentials will lead to actual ATO, but each exposure ups the chances, and the ramifications can be severe.
The fallout from a credential breach extends beyond an organization and to its customers. The relevant accounts can hold (or have access to) incredibly sensitive information. Going back to our 15-billion credential repository, we found that more than two million of them contained email addresses and usernames related to departments that deal with sensitive information―think addresses like [email protected] or [email protected].
Email addresses containing “invoice” or “invoices” were by far the most common, accounting for about 1.3 million of the 2 million credentials. “Partners” and “payments” were tied for second place, both with roughly 200,000 credentials. Just imagine the type of data sitting in accounting inboxes! An attacker who gets their hands on credentials for valid accounts could inflict untold damage: logging into internal databases, exfiltrating sensitive data, or launching social-engineering attacks (e.g., business email compromise).
Of course, not all credentials are alike – more than 80% of the credentials we found were plaintext. We had a look at the various types of exposed password hashes to understand how they had been stored. The most frequent two were MD5 and SHA1, contributing more than 80 percent of the hashed passwords. Although MD5 and SHA1 hashing algorithms provide more security than plaintext (aka unencrypted) passwords, cybercriminals can still find ways to convert hashed passwords to plaintext by using pre-computed hashes of large word lists or rainbow tables.
This risk can be reduced by implementing a salt: a random string of characters combined with the user’s password before the hashing function is applied. With a dynamic (per-user) salt, where a distinct random string is generated for each user and concatenated with that user’s password, a pre-computed table no longer applies to every record at once, and the chance of attackers reversing the hash becomes significantly lower.
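As an added illustration (not code from the original post), the following Python contrasts a bare MD5 store with a per-user salted one, using a constructed five-word list in place of a real word list; the function names unsalted, salted, verify and build_lookup are my own.

```python
import hashlib
import secrets

# Constructed stand-in for the large word lists the text mentions.
WORDLIST = ["password", "123456", "letmein", "qwerty", "welcome1"]


def unsalted(password, algo="md5"):
    """Bare digest of the password, as in the MD5/SHA1 records the text describes."""
    return hashlib.new(algo, password.encode()).hexdigest()


def salted(password, salt=None, algo="md5"):
    """Per-user random salt concatenated with the password before hashing.
    Returns (salt_hex, digest); both are stored, and the salt is not secret."""
    if salt is None:
        salt = secrets.token_bytes(16)
    return salt.hex(), hashlib.new(algo, salt + password.encode()).hexdigest()


def verify(password, salt_hex, digest, algo="md5"):
    """Recompute with the stored salt and compare in constant time."""
    _, again = salted(password, bytes.fromhex(salt_hex), algo)
    return secrets.compare_digest(again, digest)


def build_lookup(words, salt=b"", algo="md5"):
    """Pre-computed digest -> word table. With salt=b"" it is the generic table
    that works against every unsalted record; otherwise it is tied to one salt."""
    return {hashlib.new(algo, salt + w.encode()).hexdigest(): w for w in words}


def demo(password="letmein"):
    """What a generic table recovers for an unsalted record versus two salted
    records of the same password stored for two different users."""
    generic = build_lookup(WORDLIST)
    hit_unsalted = generic.get(unsalted(password))   # -> "letmein"
    s1, d1 = salted(password)
    s2, d2 = salted(password)
    hit_salted = generic.get(d1)                     # -> None
    # A table built for user 1's salt finds user 1 only; user 2 needs another table.
    per_user = build_lookup(WORDLIST, bytes.fromhex(s1))
    return hit_unsalted, hit_salted, d1 != d2, per_user.get(d1), per_user.get(d2)
```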
However, the vast majority of collected credentials (between 80 and 90 percent) weren’t even hashed, which underlines that credential theft and account takeover can be a virtual cakewalk for cybercriminals.
Protect Ya Neck (and Your Accounts)
ATO isn’t new, and there are several ways it can be thwarted (see our list at the end), but it’s worth pointing out two known mitigation methods that attackers have proven their ability to beat: CAPTCHA and 2FA.
The Concern with CAPTCHA
The initial introduction of CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) aimed to hinder automated bots and malware from communicating with websites. In true form, cybercriminals found a way to bypass this website defense by deploying a variety of methods: human-assisted solving services, machine learning solutions, and automated tools (e.g., Anticaptcha, Buster) among them.
One of the reasons Sentry MBA has been so successful is that it can bypass some forms of CAPTCHA by using its optical character recognition module or a database containing a plethora of CAPTCHA images and answers.
The Failure in 2FA
Let’s be very clear: 2FA is better than just a username-password pair. But it’s now clear that it isn’t infallible. SMS message-based 2FA gets a lot of criticism for being less secure than other 2FA methods and has several well-documented issues. SIM-jacking (SMS hijacking), for example, is a type of attack that uses social-engineering methods to convince mobile network providers to transfer a victim’s mobile service to a new, attacker-controlled SIM card. Any 2FA codes are then automatically routed to the attacker.
Other attacks that target SMS-based authentication include SS7 hijacking, which involves exploiting a weakness in Signaling System No. 7, allowing attackers to intercept and eavesdrop on data, texts, and locations of a mobile device, perform man-in-the-middle attacks, and use tools like “Mureana.” It’s not just SMS-based 2FA, either. Earlier this year, the “Cerberus” malware was discovered to have added the ability to bypass Google Authenticator.
Methods to bypass 2FA are commonly discussed on cybercriminal forums. For example, in December 2019, one user of Exploit created a thread to sell a process that would bypass 2FA systems at a United States-based online bank. The cybercriminal said their system would allow access to seven to nine out of every ten accounts without requiring SMS verification, and valued their offer at USD 5,000.
Besting the Takeover Artists
Becoming truly resilient to ATO requires a shift in behavior and practice, from both the organization and its employees. We offer the following guidance to put up your best defense against the ATO threat.
- Monitor for leaked credentials of your employees.
  - HaveIBeenPwned is an excellent resource for this, alerting you to breaches that include your organization’s email domain. Although HaveIBeenPwned doesn’t provide you with passwords, it’s a great place to identify which accounts are potentially compromised.
  - Code repositories can be rich with secrets and hard-coded passwords, but there are some great (free and open-source) tools, such as TruffleHog and Gitrob, that comb them for access keys, authentication tokens, and client secrets.
- Monitor for references to your company and brand names on cracking forums. Configuration files for your website that are being actively shared and downloaded are reasonable indications of impending ATO attempts. Google Alerts can be used for this monitoring, tailored to the risks specific to your business; Johnny Long offers some great tips to assist.
- Monitor for leaked credentials of your customers, which can enable you to respond proactively. Consider alerting any customers that have been involved in a breach, and prompting them to reset their password(s) if they’ve reused credentials.
- Deploy an inline web application firewall (WAF). Commercial and open-source WAFs, like ModSecurity, can identify and block credential stuffing attacks.
- Increase user awareness. Educate your staff and consumers about the dangers of using corporate email addresses for personal accounts and reusing passwords.
- Maintain awareness of credential stuffing tools. Keep an eye on the development of OpenBullet and others, and monitor how your security solutions protect against evolving capabilities (such as bypassing CAPTCHA).
- Implement multi-factor authentication that doesn’t use SMS messages. This can help reduce ATO, but should be balanced against the friction (and cost) it can cause.
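As an added example, not code from the original post: a small detector for the credential-stuffing pattern the guidance above asks you to block and monitor (one source IP trying many distinct usernames in a short window, mostly failing), run over a constructed set of login events, which also lists the accounts that succeeded during such a run so their owners can be prompted to reset. The log format, function names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login events in an assumed "timestamp ip username result" format.
SAMPLE_LOG = """\
2020-07-01T10:00:01 203.0.113.5 alice FAIL
2020-07-01T10:00:02 203.0.113.5 bob FAIL
2020-07-01T10:00:02 203.0.113.5 carol FAIL
2020-07-01T10:00:03 203.0.113.5 dave FAIL
2020-07-01T10:00:04 203.0.113.5 erin SUCCESS
2020-07-01T10:00:05 203.0.113.5 frank FAIL
2020-07-01T10:05:00 198.51.100.7 alice FAIL
2020-07-01T10:05:30 198.51.100.7 alice FAIL
2020-07-01T10:06:00 198.51.100.7 alice SUCCESS
"""

def parse(log_text):
    """Parse lines into (timestamp, ip, username, result) tuples, sorted by time."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(events)

def detect_stuffing(events, window=timedelta(minutes=1), min_users=5, max_success=0.5):
    """Flag source IPs that try many distinct usernames within `window`, mostly failing.
    A user mistyping their own password hits one username repeatedly and is not flagged."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):            # sliding window over this IP's events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            ok = sum(1 for e in span if e[3] == "SUCCESS")
            if len(users) >= min_users and ok / len(span) <= max_success:
                if ip not in alerts or len(users) > alerts[ip]["distinct_users"]:
                    alerts[ip] = {"distinct_users": len(users),
                                  "attempts": len(span), "successes": ok}
    return alerts

def compromised_accounts(events, alerts):
    """Usernames that logged in successfully from a flagged IP: the accounts
    whose owners should be told to reset their password."""
    return sorted({e[2] for e in events if e[1] in alerts and e[3] == "SUCCESS"})
```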