Stolen Credentials: External Actors Behind 83% of Data Breaches
User credentials, the logins and passwords used to access various services, have become some of the most prized assets for cybercriminals. According to Verizon's 2023 Data Breach Investigations Report, 83% of breaches involved external actors, and stolen credentials are the most common way those attackers gain their initial access to company systems and networks.
Phishing, a form of social engineering, remains the most effective tool in this illicit arsenal. Victims typically receive fraudulent emails impersonating well-known brands or government institutions and inviting them to register or log in on a platform that looks familiar. The victim then hands their credentials to the fraudsters, and no further deception is needed.
Experts have developed numerous protective measures against phishing; in response, criminals keep refining their schemes and inventing more sophisticated ones.
In one newer tactic, a phishing email is followed by a phone call or voice message purporting to come from a bank or other organization, which builds the victim's trust. Mobile applications and artificial intelligence are also used to personalize attacks.
More experienced phishers sell their tools and proven techniques on the black market, a model known as "phishing-as-a-service" (PhaaS).
One well-known example is the W3LL Panel from the group of the same name, which even runs its own underground marketplace, the W3LL Store. The panel is built for compromising corporate Microsoft 365 accounts and bypasses multi-factor authentication by acting as an adversary in the middle between the victim and the genuine login page; it is one of the most advanced phishing kits on the darknet.
Researchers report that between October 2022 and July 2023 the kit was used against roughly 56,000 Microsoft 365 accounts, of which at least 8,000 were compromised.
In addition to the mail hacking tool, W3LL developers also sell other valuable assets, including:
- Lists of compromised email addresses
- Credentials for hacked email accounts
- Credentials for compromised VPN accounts
- Access to hacked websites and online services
- Ready-made templates and scripts for organizing phishing mailings
Another kit of this kind, Greatness, likewise bypasses multi-factor authentication (MFA) and targets Microsoft 365 users.
The attack begins with a phishing email that leads the employee to a fake Microsoft 365 login page, with the victim's email address already filled in to make it look genuine. When the victim enters their password, Greatness submits it to the real Microsoft service in real time. If the account requires MFA, the kit shows a fake prompt asking for the code, relays that code to Microsoft as well, and forwards the captured credentials and the resulting authenticated session cookie to a Telegram channel, giving the attackers access to the real account. Deploying and configuring the Greatness kit requires an API key.
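To make the relay concrete, here is an added Python simulation (not code from Greatness, W3LL or this page) of why a one-time code typed into a look-alike page does not stop an adversary-in-the-middle kit, and why an origin-bound authenticator does. The identity provider, the TOTP seed, the two origins and the session tokens are all constructed; the WebAuthn-style assertion is modelled with an HMAC key shared at registration instead of a real public-key signature, which is enough to show the origin binding.

```python
import hashlib
import hmac
import secrets
import struct

LEGIT_ORIGIN = "https://login.example.com"   # constructed: the real sign-in origin
PHISH_ORIGIN = "https://login-example.com"   # constructed: the look-alike the victim lands on


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; stands in for the victim's authenticator app."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


class IdP:
    """Simulated identity provider offering password+TOTP and an origin-bound login."""

    def __init__(self, user, password, totp_secret, authn_key):
        self.user, self.password = user, password
        self.totp_secret, self.authn_key = totp_secret, authn_key
        self.sessions = {}       # session token -> user
        self.challenges = set()  # outstanding WebAuthn-style challenges

    def login_password_totp(self, user, password, code, now):
        """Accepts the right password plus a current code from anyone; it cannot
        distinguish a relaying phishing proxy from the victim's own browser."""
        if user != self.user or not hmac.compare_digest(password, self.password):
            return None
        if not hmac.compare_digest(code, totp(self.totp_secret, now)):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def new_challenge(self):
        challenge = secrets.token_bytes(16)
        self.challenges.add(challenge)
        return challenge

    def login_webauthn(self, user, challenge, claimed_origin, assertion):
        """The assertion covers the challenge AND the origin the browser was on, so a
        relay can neither replay it from elsewhere nor lie about where it was made."""
        if user != self.user or challenge not in self.challenges:
            return None
        if claimed_origin != LEGIT_ORIGIN:
            return None
        expected = hmac.new(self.authn_key, challenge + claimed_origin.encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(assertion, expected):
            return None
        self.challenges.discard(challenge)
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token


class Authenticator:
    """Victim's authenticator: it always signs the origin the browser really loaded
    (the role WebAuthn clientData plays), here with an HMAC as a stand-in signature."""

    def __init__(self, key):
        self.key = key

    def sign(self, challenge, browser_origin):
        return hmac.new(self.key, challenge + browser_origin.encode(), hashlib.sha256).digest()


def aitm_relay_totp(idp, user, password, code, now):
    """Phishing page against password+TOTP: forward what the victim typed at once."""
    return idp.login_password_totp(user, password, code, now)


def aitm_relay_webauthn(idp, authenticator, user):
    """Same relay against WebAuthn: fetch a real challenge, show it on the phish page,
    then hand the victim's assertion to the IdP while claiming the legitimate origin."""
    challenge = idp.new_challenge()
    assertion = authenticator.sign(challenge, PHISH_ORIGIN)  # browser is on the look-alike
    return idp.login_webauthn(user, challenge, LEGIT_ORIGIN, assertion)


def demo(now=1_700_000_000):
    """Returns (totp_relay_succeeded, webauthn_relay_succeeded, legitimate_webauthn_succeeded)."""
    totp_secret, authn_key = b"constructed-totp-seed", b"constructed-authn-key"
    user, password = "alice@example.com", "CorrectHorse"
    idp = IdP(user, password, totp_secret, authn_key)
    authenticator = Authenticator(authn_key)

    stolen = aitm_relay_totp(idp, user, password, totp(totp_secret, now), now)
    relayed = aitm_relay_webauthn(idp, authenticator, user)
    challenge = idp.new_challenge()
    legit = idp.login_webauthn(user, challenge, LEGIT_ORIGIN,
                               authenticator.sign(challenge, LEGIT_ORIGIN))
    return stolen is not None, relayed is not None, legit is not None


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The password+TOTP path is beaten because the code is only time-bound, and a kit that forwards it within the same 30-second window is indistinguishable from the user. The origin-bound path fails for the attacker twice over: the authenticator signed `PHISH_ORIGIN`, and the IdP refuses any assertion whose origin is not its own, so neither relaying the assertion nor lying about the origin yields a session. This is the reason phishing-resistant MFA (FIDO2/WebAuthn) is the recommended control against kits like Greatness and W3LL, whereas SMS, push and TOTP codes are not.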
In 2022, more than 24 billion stolen username and password combinations were offered for sale on the dark web. Prices range from a few dollars for ordinary accounts to thousands of dollars for access to bank accounts.
Buying this data requires access to specific dark-web forums, sometimes only by invitation from an existing member. The purchased information is used for stealing money, distributing malware, fraud and other criminal purposes.
Credential reuse, where users apply the same login and password across different sites, poses a significant risk. Even if a company's own systems are well secured, an employee's account compromised on some other service can give criminals a way into the corporate network.
Surveys put the share of people who reuse the same password across multiple systems at over 80%, a weakness cybercriminals actively exploit.
To reduce this risk, companies are advised to deploy tools that check new passwords against lists of known compromised passwords and block them.
For instance, Specops Password Policy checks Active Directory passwords against a list of more than 4 billion known compromised passwords. If an employee tries to set such a password, the system rejects it and prompts them to choose a new, stronger one.
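As an added illustration (not Specops' code and not the Have I Been Pwned service), the following Python shows how a breached-password filter of this kind can work. The corpus is indexed by the first five hex characters of each password's SHA-1, so a client asking about a password reveals only that prefix (the k-anonymity "range" model), and the policy check also rejects cheap variants of a breached password, since attackers try those first. The breach list here is constructed with a handful of entries; a real one holds billions.

```python
import hashlib

# Constructed stand-in for a compromised-password corpus; real lists run to billions.
BREACHED_PASSWORDS = ["password", "123456", "qwerty", "Summer2023!",
                      "letmein", "P@ssw0rd", "Welcome1"]


def sha1_hex(password: str) -> str:
    """SHA-1 is used only to look a value up in a public corpus, never as a stored verifier."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Server side: hash suffixes grouped by the first five hex chars of the SHA-1."""
    index = {}
    for p in passwords:
        h = sha1_hex(p)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


def range_query(index, prefix: str):
    """Server side: return every suffix sharing the prefix. The server learns only the
    five-character prefix, which matches thousands of passwords in a real corpus."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return set(index.get(prefix, ()))


def is_breached(password: str, index) -> bool:
    """Client side: send the prefix, compare the remaining 35 characters locally."""
    h = sha1_hex(password)
    return h[5:] in range_query(index, h[:5])


def normalised_variants(password: str):
    """Cheap mutations users make to 'fix' a rejected password (case change, trailing
    digits or symbols, simple leet). A filter should block these too."""
    stripped = password.rstrip("0123456789!@#$%^&*.")
    leet = password.translate(str.maketrans("@0$1!3", "aosiie"))
    variants = {password.lower(), stripped, stripped.lower(), leet, leet.lower()}
    variants.discard(password)
    return {v for v in variants if v}


def check_new_password(password: str, index, min_length: int = 8):
    """Policy check for a proposed password. Returns (accepted, reason)."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if is_breached(password, index):
        return False, "matches a known compromised password"
    for variant in normalised_variants(password):
        if is_breached(variant, index):
            return False, "matches a known compromised password variant"
    return True, "ok"


if __name__ == "__main__":
    index = build_range_index(BREACHED_PASSWORDS)
    for candidate in ["Summer2023!", "PASSWORD2024!", "correct-horse-battery-staple-42"]:
        print(candidate, check_new_password(candidate, index))
```

Two design points matter in practice. First, the comparison happens on the client after a prefix query, so the password itself never leaves the machine doing the check; this is the property that makes it safe to consult an external corpus during a password change. Second, blocking exact matches alone is not enough: "PASSWORD2024!" is rejected above because stripping its suffix and lowercasing yields "password", which is exactly the transformation an attacker's wordlist rules apply.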
A comprehensive approach built on such modern technologies significantly strengthens the protection of corporate and personal accounts, complicates the criminals' task and shields businesses from financial losses.