Numerous attack campaigns in the past couple of months have demonstrated a tactic common to cybercriminals and state-sponsored attackers alike: credential harvesting. According to the Verizon 2017 Data Breach Investigations Report, 81% of hacking-related breaches leverage stolen, default or weak credentials. While credential harvesting is often equated with phishing, the two use different tactics.
Threat actors frequently target the weakest link in the attack chain, which is usually the human factor. As such, most criminals look to compromise user credentials to gain access to sensitive data, and credential harvesting has become the foundation of cyber-attacks. The tactic is widely used, but the end goal varies greatly: in some cases the credentials feed subsequent attacks aimed at systems or network resources; in others they are monetized by taking over bank accounts or simply by selling the information on the Darknet.
Lately, digital skimmers have become the latest technique used for credential harvesting. Skimming was originally applied to ATMs, but threat groups like Magecart have perfected its use in the digital world. By injecting scripts into commonly used web tools such as cloud analytics plug-ins, content management systems and online support snippets, cybercriminals can steal data entered into online payment forms or login pages on eCommerce sites.
Recently, Ticketmaster customers were targeted by Magecart via a third-party supplier, Inbenta. The card-skimming malware captured payment card data as it was entered into online forms on Ticketmaster's site and sent it to a remote command-and-control server.
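One defensive check against the supplier-script scenario described above, added here as an example (it is not Ticketmaster's or Inbenta's code; the vendor URL and script contents are constructed): compute Subresource Integrity tokens for a third-party script at review time and verify later copies against them, so a script that changes after review is refused rather than executed.

```python
import base64
import hashlib

SRI_ALGS = ("sha256", "sha384", "sha512")  # the only algorithms SRI permits

# Constructed sample: the supplier's script as it looked when it was reviewed.
PINNED_SCRIPT = b"window.supportWidget = function () { /* chat widget */ };\n"


def sri_hash(content: bytes, alg: str = "sha384") -> str:
    """Return an SRI integrity token, e.g. 'sha384-<base64 digest>', for script bytes."""
    if alg not in SRI_ALGS:
        raise ValueError(f"SRI only allows {SRI_ALGS}, not {alg!r}")
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """True if the content matches a token in an integrity attribute value.

    Mirrors browser matching: the attribute may list several space-separated
    tokens, only the strongest algorithm present is consulted, and a match
    against any token of that algorithm passes. Unlike a browser (which loads
    the resource if no token is recognised), this checker fails closed.
    """
    by_alg: dict[str, set[str]] = {}
    for token in integrity.split():
        alg, _, expected = token.partition("-")
        if alg in SRI_ALGS and expected:
            by_alg.setdefault(alg, set()).add(expected.split("?")[0])  # drop options
    if not by_alg:
        return False
    strongest = max(by_alg, key=lambda a: int(a[3:]))
    actual = sri_hash(content, strongest).split("-", 1)[1]
    return actual in by_alg[strongest]


if __name__ == "__main__":
    pinned = sri_hash(PINNED_SCRIPT)
    # Constructed: the same script with bytes appended after the review.
    tampered = PINNED_SCRIPT + b"/* bytes not present at review time */\n"
    print(f'<script src="https://vendor.example/widget.js" integrity="{pinned}" crossorigin="anonymous"></script>')
    print("reviewed copy verifies:", verify_sri(PINNED_SCRIPT, pinned))
    print("modified copy verifies:", verify_sri(tampered, pinned))
```

SRI only fits scripts whose contents are fixed; a vendor snippet that is updated in place needs change monitoring and a Content-Security-Policy `connect-src` restriction on where page data may be sent instead.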
Stealing a valid credential and using it to access a network is easier, less risky and ultimately more efficient than exploiting an existing vulnerability, even a zero-day. Cyber security defenses must adapt to this fact. User education and strengthening an organization's authentication systems are two essential steps that can minimize the risks associated with credential harvesting and the subsequent cyber-attacks aimed at data exfiltration.