Credential Harvesting

Numerous attack campaigns in the past couple of months have demonstrated a common tactic used by cybercriminals and state-sponsored attackers alike―credential harvesting. According to the Verizon 2017 Data Breach Investigation Report, 81% of hacking-related breaches leverage either stolen, default or weak credentials. While credential harvesting is often seen as equivalent to phishing, it uses different tactics.

Threat actors frequently target the weakest link in the attack chain, which is often considered to be the human factor. As such, most criminals look to compromise user credentials to gain access to sensitive data. In doing so, credential harvesting has become the foundation of cyber-attacks. While attackers have widely used this tactic, the end goal can vary greatly. In some cases, the credentials are used for subsequent attacks where the goal is to gain access to systems or network resources, or they can be monetized by taking over bank accounts or simply selling the information on the Darknet.

Lately, digital skimmers have become the latest technique being used for credential harvesting. While skimming was originally applied to ATM machines, threat groups like Magecart have perfected its use for the digital world. By injecting scripts into commonly used Web tools such as cloud analytics plug-ins, content management systems and online support snippets, cybercriminals can steal data that is entered into online payment forms or login pages on eCommerce sites.

Recently, Ticketmaster customers were targeted by Magecart via a third-party supplier: Inventa. The card- skimming malware was used to capture payment card data being entered into online forms on Ticketmaster’s site and then sent to a remote command and control server.

Mitigation Steps

  • Anti-Phishing Training: Educate users―be it consumers or corporate―about the risk of phishing and the characteristics of these attacks is an essential first step.
  • Limit Use of Third-Party Web Scripts/Plug-Ins: Exercise caution when deploying third-party Web tools. Investigate the security protocols used by these tools to determine if they’re comprehensive enough to minimize malware injections. Restricting the use of third-party Web tools must balance security with providing a differentiated customer experience.
  • Multi-Factor Authentication (MFA): Because MFA requires multiple methods for identification (something you know, something you have and something you are), it’s one of the best ways to prevent unauthorized users from accessing sensitive data and moving laterally within the network. Thus, it should be standard practice for all organizations.
  • Risk-Based Access Control: Risk-based access uses machine learning to define and enforce access policy, based on user behavior. Through a combination of analytics, machine learning, user profiles and policy enforcement, access decisions can be made in real time, ease low-risk access, step up authentication when risk is higher or block access entirely. Risk-based access control is often used in combination with MFA.


Stealing a valid credential and using it to access a network is easier, less risky and ultimately more efficient than using an existing vulnerability, even a zero-day. Cyber security defenses must adapt to this fact. User education and increasing an organization’s authentication systems are two essential steps that can minimize the risks associated with credential harvesting and subsequent cyber-attacks aimed at data exfiltration.


More Recent Blog Posts