How Hackers Phish for Your Users’ Credentials and Sell Them

Account credentials, a popular initial access vector, have become a valuable commodity in cybercrime. As a result, a single set of stolen credentials can put your organization’s entire network at risk.

According to the 2023 Verizon Data Breach Investigation Report, external parties were responsible for 83 percent of breaches that occurred between November 2021 and October 2022. Forty-nine percent of those breaches involved stolen credentials.

How are threat actors compromising credentials? Social engineering is one of the top five cybersecurity threats in 2023. Phishing, which accounts for %of social engineering attempts, is the go-to method for stealing credentials. It’s a relatively cheap tactic that yields results.

As phishing and social engineering techniques become more sophisticated and the tools become more readily available, credential theft should become a top security concern for all organizations if it already isn’t one.

Phishing has evolved

With phishing and social engineering in general, threat actors are looking beyond using just emails:

• Phishing campaigns are now multi-channel attacks that have multiple stages. In addition to emails, threat actors are using texts and voicemail to direct victims to malicious websites and then using a follow-up phone call to continue the ruse.
• Threat actors are actively targeting mobile devices. Credentials can be compromised because users can be fooled by social engineering tactics across different apps. Half of all personal devices were exposed to a phishing attack every quarter of 2022.
• AI has become a factor. AI is being used to make phishing content more credible and to widen the scope of attacks. Using victim research data, AI can createpersonal phishing messages and then refine those messages to add a veneer of legitimacy to get better results.

PhaaS is the road to stolen credentials

Still, not much is really needed to begin stealing credentials. Phishing has become good business as threat actors fully embrace the phishing-as-a-service (PhaaS) model to outsource their expertise to others. With the phishing kits that are sold on underground forums, even novices with no skills to infiltrate IT systems by themselves can have the capability to launch an attack.

PhaaS operates like legitimate SaaS businesses. There are subscription models to choose from and the purchase of a license is required for the kits to work.

Advanced phishing tools used to target Microsoft 365 accounts

W3LL’s BEC phishing ecosystem exposed

For the past six years, threat actor W3LL has been offering its customized phishing kit, the W3LL Panel, in their underground market, the W3LL Store. W3LL’s kit was created to bypass multi-factor authentication (MFA) and is one of the more advanced phishing tools on the underground market.

Between October 2022 and July 2023, the tool was used to successfully infiltrate at least 8,000 of the 56,000 corporate Microsoft 365 business email accounts that were targeted. W3LL also sells other assets, including victims’ emails lists, compromised email account, VPN accounts, compromised website and services and customized phishing lures. It is estimated that the revenue for the W3LL Store for the last 10 months was as much as $500,000.

Greatness phishing kit simplifies BEC

Greatness has been in the wild since at November 2022 with sharp jumps in activity during December 2022 and again in March 2023. In addition to Telegram bot integration and IP filtering, Greatness incorporates multi-factor authentication bypass capability like the W3LL Panel.

Initial contact is made with a phishing email that redirects the victim to a phony Microsoft 365 login page where the victim’s email address has been pre-filled. When the victim enters their password, Greatness connects to Microsoft 365 and bypasses the MFA by prompting the victim to submit the MFA code on the decoy page. That code is then forwarded to the Telegram channel so that the threat actor can use it and access the authentic account. The Greatness phishing kit can only be deployed and configured with an API key.

The underground market for stolen credentials

In 2022, there were more than 24 billion credentials for sale on the Dark Web, a increase from 2020. The price for stolen credentials varies depending on the account type. For example, stolen cloud credentials are about the same price as a dozen donuts while ING bank account logins will sell for $4,255.

Access to these underground forums can be difficult with some operations requiring verification or membership fee. In some cases, such as with the W3LL Store, new members are only allowed upon recommendation of existing members.

The dangers of end-users using stolen credentials

The risks of stolen credentials are compounded if end-users are reusing passwords across multiple accounts. Threat actors are paying for stolen credentials because they know many people, more than, use the same password across multiple accounts and web services for both personal and business purposes.

No matter how impenetrable your organization’s security may be, it can be difficult to prevent the reuse of valid credentials stolen from another account.

Financial gain is the motivation behind stolen credentials

After stealing account credentials, threat actors can distribute malware, steal data, impersonate the account owner and other malicious acts with the compromised email account. However, the threat actors who steal the credentials are often not the ones who will use the information.

Financial gain remains the main reason behind 95% of breaches. Threat actors will sell the credentials they have stolen on underground forums for a profit to other threat actors who will use them weeks or months later. This means that stolen credentials will be the driving force behind underground markets well into the future. What steps are you taking to secure user credentials in your organization?

Block compromised passwords

Eliminate the security risks of compromised passwords with Specops Password Policy with Breached Password Protection that allows you to block more than 4 billion known compromised passwords from your Active Directory. All users will be prevented from using known compromised passwords and guided towards creating a different password that fits your policy. Also, if continuous scan is activated, users will be alerted by SMS or email as soon as their password has been discovered to be compromised.

You can fortify your password infrastructure by using the custom dictionary feature that allows you to block words common to your organization as well as weak and predictable patterns. Enforce a stronger password policy that meets today’s compliance requirements with Specops Password Policy. Try it free here.