Bad actors are after your credentials. By using credential harvesting attacks, cybercriminals seek to capture user credentials en masse.
Login credentials are digital keys that we use to access our medical records, financial information, and social media accounts.
So, cybercriminals will naturally use credential harvesting techniques to attempt to steal our credentials and use them for nefarious purposes.
While anyone can have their credentials stolen online, learning how this practice works and how to defend against it will equip you to prevent such attacks.
But first, let's understand exactly what credential harvesting is and how it's different from other cyber attacks.
Are you ready? Let's go.
- What is Credential Harvesting?
- Credential Harvesting Attack Techniques
- Real-World Credential Harvesting Examples
- Credential Harvesting Attack Impacts
- Detection of Credential Harvesting Activities
- Preventive Measures Against Credential Harvesting
- Legal and Regulatory Considerations
- Conclusion
- Frequently Asked Questions
What is Credential Harvesting?
Credential harvesting is when a cybercriminal attempts to steal credentials en masse. This scale is the key distinction between credential harvesting and other types of cyber attacks.
Credential harvesting attacks don't generally target an individual but rather a database, a company, or a stockpile of credentials that can later be sold on the dark web, used to carry out another cyber security attack, or used to steal sensitive information and money.
Wherever credentials can be found in bulk, criminals will be looking to harvest them.
Credentials of value that criminals might look to steal include:
- Passwords
- IDs
- Usernames
- Email addresses
- Cell phone numbers
- Credit card information
- Social security numbers
Credential Harvesting Attack Techniques
There are many different ways a criminal can try to steal a copious amount of valuable credentials. These are some of the most popular credential harvesting attack techniques.
Phishing
Spear phishing and whaling attacks are not considered credential harvesting attacks because they're more personalized and usually target only a handful of users.
However, more generic phishing attacks that involve emails sent in bulk to try to convince a user to hand over sensitive information are considered a credential harvesting tactic.
Similar attack vectors include vishing and smishing.
Keyloggers
A keylogger is a type of malware that logs your keystrokes.
That means that every time you type your ID and password into a website, it's being recorded and sent to a command and control server where a hacker can sell it or use it to carry out a more sophisticated and targeted attack.
Fake Wi-Fi Access Points
You may be tempted to use that public Wi-Fi connection, but doing so jeopardizes the safety of sensitive information.
While you think you're logging into a government-provided Wi-Fi network as you browse the Internet in a public park, or the super secure Wi-Fi connection provided by a coffee shop, you may well have joined an insecure network.
An evil twin attack occurs when a hacker sets up an insecure network access point that impersonates a trusted network.
Once you have connected to this network, the cybercriminal can present a captive portal and monitor your traffic to capture your credentials.
Session Hijacking
Session hijacking occurs when a black hat hacker takes over your internet session.
Imagine being signed into your bank account when a hacker uses session-grabbing techniques to gain access to a session cookie and then your bank account and login credentials.
There are various ways a hacker may gain access to a valid computer session, including:
- Brute force attack to guess a session ID
- Cross-site scripting by injecting malicious scripts into web pages
- Tricking legitimate users into installing malware capable of hijacking an internet session
- Session fixation, where users are tricked into using a session ID controlled by a hacker
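The session-hijacking vectors above (guessing an ID, fixation, cookie theft) each map to a server-side control. The following is an added example, not code from the article: a minimal session store whose names (`SessionStore`, `session_cookie_header`) are this illustration's own, showing high-entropy IDs, ID rotation at login, server-side invalidation at logout, and restrictive cookie attributes.

```python
import secrets

# Added example (not from the article): a minimal server-side session store
# showing the defensive properties that blunt the hijacking vectors listed above.
#   - IDs come from a CSPRNG with 256 bits of entropy, so guessing one is infeasible.
#   - The ID is regenerated at login, so an attacker-planted (fixated) ID is useless.
#   - The cookie is emitted with Secure, HttpOnly and SameSite to limit capture
#     over the network or by injected scripts.

SESSION_ID_BYTES = 32  # 256 bits of randomness per session ID


class SessionStore:
    def __init__(self):
        self._sessions = {}  # session_id -> username (None before login)

    def new_anonymous_session(self):
        """Issue a pre-login session, e.g. for a shopping cart."""
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = None
        return sid

    def login(self, old_sid, username):
        """Authenticate the user and rotate the session ID.

        The pre-login ID is discarded rather than upgraded; if an attacker
        induced the victim to use a known ID, that ID never becomes authenticated.
        """
        self._sessions.pop(old_sid, None)
        new_sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[new_sid] = username
        return new_sid

    def logout(self, sid):
        """Invalidate server-side so a stolen cookie is dead after logout."""
        self._sessions.pop(sid, None)

    def user_for(self, sid):
        """Return the authenticated user for a session ID, or None."""
        return self._sessions.get(sid)


def session_cookie_header(sid):
    """Set-Cookie value whose attributes narrow how the ID can be captured."""
    return f"sid={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"
```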
Malware and Spyware
Various types of malware can be designed and deployed to collect user credentials, but you'll most commonly see malware and spyware deployed via a phishing attack sent to thousands of users.
Once the malicious attachment or link is clicked, the program runs and credentials are collected automatically.

Real-World Credential Harvesting Examples
All this can seem somewhat abstract until you see how a credential harvesting attack occurs in the real world. So, here are some examples for you to better understand what we're dealing with.
AT&T Attack
AT&T is the largest telecommunications company in the United States. As such, it has a wealth of information that, if accessed, could be sold for a hefty profit.
That's exactly what hackers did in 2021 when they gained access to the sensitive information of over 70 million customers and attempted to sell it on the dark web.
Some of the information hackers accessed included:
- Passwords
- Full names
- Email addresses
- Mailing addresses
- Phone numbers
- Social Security numbers
- Date of birth
- Account numbers
These stolen credentials were later being sold on the dark web for a whopping one million dollars.
The hack took place in 2021, but at the time, AT&T denied that the information accessed was their own customer data. Eventually, after the illegally accessed information resurfaced on the dark web, AT&T publicly admitted to it.
Not much is known about how the attack was carried out. However, it was revealed that sensitive information was being stored in an encrypted format that could easily be decrypted.
Roku Attack
In April 2024, it was first reported that Roku suffered a credential stuffing attack that compromised 576,000 Roku accounts, its second hack of the year.
The hackers took credentials that had been made public in a separate credential stuffing attack and used them to access the compromised Roku accounts.
Because many users reuse the same passwords and login information across accounts, these hackers were ultimately able to gain access to hundreds of thousands of accounts on other services.
The hackers were only able to make in-app purchases on about 400 accounts using the credit card on file, but they were unable to access credit card information or use the customers' cards to make out-of-app purchases.
As a response, Roku now requires users to create new passwords and set up two-factor authentication.
Credential Harvesting Attack Impacts
We've seen the impact on individuals when compromised Roku accounts are charged for purchases they never made, but when it comes to compromised credentials, a $10 charge for renting a movie should be the least of your worries.
As we've seen in the Roku hack, many users reuse the same login credentials across various accounts, meaning that one leaked set of credentials can unlock a myriad of more important accounts.
Once a hacker has your personally identifiable information (PII), they may decide to steal your identity, open financial accounts in your name, and commit other forms of financial fraud that could leave you in debt or with a tarnished credit score that takes years to improve.
From an organization's standpoint, being the victim of a data leak could be equally impactful.
IBM reported that the average cost of a data breach for a company was $4.3 million USD.
These costs come from compensating customers, creating accounts to monitor one's credit, fines, legal fees, and investments in new security systems.
This calculation doesn't even take into account the revenue loss that comes from customers deciding not to use a company's services anymore.
Detection of Credential Harvesting Activities
We know what credential harvesting attacks are and how damaging they can be. Now it's time to fight back and learn the best ways to detect that personal information is being stolen.
We've seen that not all credential harvesting attacks are the same. In fact, there are various types of harvesting attacks that a hacker may use to steal information.
This means security teams must use an array of cyber security tools and tactics to detect when information is being illegally obtained.
Here are a few detection methods companies employ to secure their data.
Data Loss Prevention (DLP)
A data loss prevention solution helps identify sensitive information and prevent it from leaving a company's network. This solution helps companies monitor their sensitive data, ensuring it doesn't get into the wrong hands.
Intrusion Detection/Prevention System (IDS, IPS)
Both an IDS and an IPS monitor network traffic and flag anything that looks out of the ordinary.
The difference between these two is that while both can detect anomalous traffic, only an IPS can take a predetermined action to address it. An IDS will only alert you that suspicious traffic has been detected.
Antivirus Software
Antivirus software will use signatures to detect if you have malware on your computer.
As most credential stuffing techniques use malware to carry out an attack, it's vital that antivirus software is used to detect and delete nefarious software.
Packet Sniffing Tools
A tool like Wireshark can be used to gain a clearer understanding of where certain information is being sent.
If an IDS has flagged unusual outbound traffic, you would use a packet sniffer to investigate further and potentially find that customer data is being sent to a suspect IP address.
Security Information and Event Management (SIEM)
A SIEM collects and centralizes the event data generated across your network. Every time someone logs in, changes a password, or sends data, it's logged in the SIEM.
So, if someone attempts to escalate privileges, change a password, or make repeated unsuccessful attempts to access information (all behaviors associated with credential harvesting), it'll be logged and can be reviewed later.
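The "repeated unsuccessful attempts" pattern is what a SIEM rule for bulk credential abuse keys on: one source failing against many different accounts in a short window, as in the Roku case above. Below is an added example, not from the article or any SIEM vendor; the log format, field names, thresholds and sample lines are all constructed for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not from the article). Log format, field names and thresholds
# are assumptions for illustration; the sample lines are constructed.
SAMPLE_LOG = """\
2024-05-01T10:00:01 src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:02 src=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:03 src=203.0.113.5 user=carol result=FAIL
2024-05-01T10:00:04 src=203.0.113.5 user=dave result=FAIL
2024-05-01T10:00:05 src=203.0.113.5 user=erin result=SUCCESS
2024-05-01T10:05:00 src=198.51.100.7 user=frank result=FAIL
2024-05-01T10:05:30 src=198.51.100.7 user=frank result=SUCCESS
"""

def parse(log):
    """Turn 'timestamp key=value ...' lines into (ts, src, user, result) tuples."""
    events = []
    for line in log.splitlines():
        stamp, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append((datetime.fromisoformat(stamp), fields["src"],
                       fields["user"], fields["result"]))
    return events

def detect_spraying(events, distinct_users=4, window=timedelta(minutes=5)):
    """Flag sources whose failures span many *different* accounts in one window.

    A user mistyping a password fails repeatedly on one account; a bulk
    credential-stuffing run fails across many accounts from the same source.
    """
    failures = defaultdict(list)  # src -> [(ts, user), ...]
    for ts, src, user, result in events:
        if result == "FAIL":
            failures[src].append((ts, user))
    flagged = set()
    for src, items in failures.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            users = {u for t, u in items[i:] if t - start <= window}
            if len(users) >= distinct_users:
                flagged.add(src)
                break
    return flagged

def successes_from_flagged(events, flagged):
    """Accounts a flagged source actually got into: review and reset these first."""
    return {user for _, src, user, result in events
            if src in flagged and result == "SUCCESS"}
```

Frank's single-account failure followed by success is not flagged, while the source that fails across four accounts is, and its one successful login (erin) is surfaced for a password reset.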
Preventive Measures Against Credential Harvesting
While it's important to be able to detect when you're under attack, the best way to protect yourself is to take preventative measures.
We recommend a defense-in-depth approach, using a variety of strategies to keep your customers' data safe.
Education and Awareness Training
You can have a whip-smart SOC team and use all the latest technology, giving your company an ostensibly solid security posture. But all this is no good if non-cyber employees lack basic cyber security knowledge.
Every employee plays a role in keeping an organization and its customers safe from cybercrime. Some cyber security awareness topics you'll want to cover include:
- How to detect a phishing attack
- Password management
- What types of information employees should not share
- Safe internet behavior
- Common social engineering tactics
- Physical security
- BYOD policies
Use of Advanced Authentication Methods
You donβt just want anyone to access company systems and information. Make sure only those with the right permissions can do so.
Keep information safe by using advanced authentication methods. More than anything, this means using multi-factor authentication to gain access to data and systems.
It's important that users choose solid passwords, but sometimes this isn't enough to keep your company safe from a hack. Authenticate a second time via email, biometrics, SMS, or an authenticator app.
Regular Updates and Patch Management
The easiest and most powerful way to protect against hackers exploiting a vulnerability and hacking your company is to simply update your software.
Vendors are always finding bugs and releasing patches. It's up to your IT and cyber security team to apply these security patches to your systems regularly.
Secure Configuration
Default settings aren't the safest. If you're thinking that default settings on network and endpoint devices will secure your network, you're wrong.
Out-of-the-box settings need to be adjusted to protect your network from attacks.
Legal and Regulatory Considerations
Governments worldwide understand the importance of protecting customer data. As such, they require companies to comply with a number of laws designed to pressure them to protect personal data.
Hereβs a list of laws and regulations implemented by governments around the world:
Should companies not comply with these laws, they'll be issued stiff financial penalties.
Perhaps two of the most impactful regulations are HIPAA and GDPR.
HIPAA, or the Health Insurance Portability and Accountability Act, is a US federal law that establishes national standards for protecting patients' medical records and personal health information.
This law requires companies storing health data to use specific security controls to prevent sensitive data from getting into the wrong hands.
GDPR, or the General Data Protection Regulation, is widely known as the strongest data privacy and security law ever created. It requires companies that house data from European customers to comply with a strict list of security measures.
The fines for violating GDPR are very high, reaching up to 20 million euros or 4% of a company's global revenue, whichever is higher. Data owners also have the option to seek compensation for damages.
Conclusion
Credential harvesting is becoming an even more common practice as hackers continue to understand the value of customer data.
This year, IBM reported that 30% of all cyber attacks used valid credentials collected through credential harvesting efforts.
It's important that cyber professionals, companies, and customers understand the credential harvesting definition and how to best defend against these attacks.
Laws and regulations will keep companies in check, but ultimately keeping data safe from prying eyes is a team effort.
To learn about how credential stuffing is used to carry out devastating attacks, we encourage you to join StationX's Accelerator Program.
Here, you'll have access to over 1,000 cyber security labs and courses. You'll also receive one-on-one support and mentorship, join a mastermind group, and team up with fellow members.
To learn more about credential harvesting, consider signing up for these courses:
Frequently Asked Questions