Cybercriminals use Big Tech brand names like it’s human catnip. They exploit people’s trust in major tech brands to lure them into interacting with phishing emails. Since the public generally trusts these well-known companies, they are more likely to read and respond to emails that seem to be from a big name.
Google, Facebook, and Microsoft are the top three brands most likely to be impersonated for credential harvesting. According to a recent report, 2024 spawned almost 85,000 fake Google websites, over 6,000 fake Facebook URLs, over 5,000 fake Microsoft URLs, and around 4,000 fake Netflix links.
Phishing Is the Primary Vehicle for Harvesting Credentials
Credential phishing is when attackers send emails that appear to come from a legitimate, trusted business to trick the recipient into clicking a malicious link and entering their login credentials on a page the attacker controls, or into sending the credentials directly in a reply.
Attackers use the captured data to access the victim’s accounts, e.g. your company network, sensitive accounts like investment platforms, banking or medical records, or shopping and social media accounts.
Despite years of warnings and awareness campaigns by IT professionals, phishing is still one of the most effective methods for credential harvesting.
Fake Website URLs
Attackers can buy phishing kits on the dark web. A kit is a ready-made package: cloned login pages that mimic well-known brands like Facebook, Microsoft, or Instagram, plus a script that captures whatever the victim types into the fake form and sends it to the attacker. The victim is often redirected to the real site afterwards so nothing looks wrong.
These harvested credentials can be used to hijack user accounts. They can be the first step in a chain of events leading to devastating company-wide or nationwide security incidents.
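A phishing kit's cloned page has to live on a domain the attacker controls, so the URL is usually where the fake shows. The following Python script is an added example written for this page, not code from the article or from any vendor product. It applies three of the checks a mail filter or link scanner uses to flag a lookalike domain: a brand name parked in a subdomain of an unrelated domain, homoglyph substitution (digits or Cyrillic letters standing in for Latin ones, including punycode-encoded names), and one-keystroke typosquats. The brand list, the sample URLs and the short public-suffix subset are constructed assumptions for the example.

```python
"""Lookalike-domain checks for URLs pulled from a suspected phishing email.

Added example, not code from the original article. BRAND_DOMAINS and the
sample URLs are constructed for illustration, and TWO_LEVEL_SUFFIXES is a
tiny hard-coded subset of the Public Suffix List (a real tool would load
the full list).
"""
import unicodedata
from urllib.parse import urlsplit

# Brands worth protecting and the registrable domains they really own
# (constructed for this example; extend with your own tenant's domains).
BRAND_DOMAINS = {
    "google": {"google.com"},
    "facebook": {"facebook.com"},
    "microsoft": {"microsoft.com", "live.com", "office.com"},
    "netflix": {"netflix.com"},
}
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}   # subset, assumption

# Digits attackers substitute for the letters they resemble.
DIGIT_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})
# Cyrillic a, e, o, p, c, y, x look identical to their Latin counterparts.
CYRILLIC_CONFUSABLES = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0443\u0445", "aeopcyx")


def registrable_domain(host: str) -> str:
    """Return the part of the host the attacker had to register (e.g. evil.net)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def skeleton(label: str) -> str:
    """Collapse a DNS label to an ASCII 'skeleton' so visual lookalikes collide."""
    if label.startswith("xn--"):                # punycode: decode to see the real glyphs
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    decomposed = unicodedata.normalize("NFKD", label)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    plain = plain.lower().translate(CYRILLIC_CONFUSABLES).translate(DIGIT_HOMOGLYPHS)
    return plain.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'legitimate', 'suspicious' or 'unknown'."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "unknown", "no hostname in URL"
    reg = registrable_domain(host)
    for brand, domains in BRAND_DOMAINS.items():
        if reg in domains:
            return "legitimate", f"{reg} is owned by {brand}"
    labels = host.split(".")
    subdomain_labels = labels[: len(labels) - len(reg.split("."))]
    reg_skeleton = skeleton(reg.split(".")[0])
    for brand, domains in BRAND_DOMAINS.items():
        # 1. Brand name parked in a subdomain of an unrelated domain:
        #    login.microsoft.com.secure-update.net
        if any(brand in skeleton(lab) for lab in subdomain_labels):
            return "suspicious", f"'{brand}' appears in a subdomain of {reg}"
        for legit in domains:
            legit_label = legit.split(".")[0]
            # 2. Homoglyph: faceb00k.com, g<Cyrillic o>ogle.com
            if reg_skeleton == legit_label:
                return "suspicious", f"{reg} is a visual lookalike of {legit}"
            # 3. Typosquat one keystroke away: gogle.com
            if edit_distance(reg_skeleton, legit_label) == 1:
                return "suspicious", f"{reg} is one edit away from {legit}"
    return "unknown", f"{reg} does not resemble a tracked brand"


if __name__ == "__main__":
    # Constructed sample URLs, as they might be extracted from an email body.
    for sample in ["https://accounts.google.com/signin",
                   "http://login.microsoft.com.secure-update.net/",
                   "https://faceb00k.com/login",
                   "https://g\u043e\u043egle.com/",
                   "https://example.org/"]:
        print(sample, "->", classify(sample))
```

The script deliberately judges the registrable domain rather than the whole hostname: `accounts.google.com` is Google's, but `login.microsoft.com.secure-update.net` belongs to whoever registered `secure-update.net`, which is exactly the trick kits rely on. An "unknown" verdict is not a clean bill of health, only the absence of a resemblance to a tracked brand.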
Malware Attachments
Phishing emails can also carry poisoned attachments or links. Opening the attachment or clicking the link can compromise your device. One example of such malware is a keylogger, which records every keystroke on the device; some keyloggers also take screenshots. Another is Emotet, which began as a banking trojan that stole credentials from infected machines and later evolved into a loader that delivered other gangs' malware; it was behind numerous breaches in the banking sector.
Another type of malware is the infostealer, which searches the device for stored login information, browser cookies, and application passwords; a stolen session cookie can let the attacker into an account without the password at all. Attackers also use Remote Access Trojans (RATs), which let them control infected devices remotely to capture credentials, install additional malware, and steal data.
Other Types of Attacks
Even idle internet surfing or online shopping can be dangerous. Malicious advertisements (malvertising) and fake pop-ups appear on otherwise legitimate websites; clicking one redirects the user to a poisoned page that attempts a drive-by download or shows a fake login prompt. Browser hijackers, unwanted extensions or programs that change your search engine and home page and inject their own ads, are a related constant nuisance.
Man-in-the-middle (MitM) attacks are also widespread in the cybercriminal community. In a MitM attack, a criminal sits between your device and the website you are visiting and reads or alters the traffic, capturing login credentials or sensitive banking information. This tactic is common at public wifi hotspots. The main defence is HTTPS (TLS): the browser checks the site's certificate and encrypts the session, so a snooping hotspot sees only encrypted traffic. In practice that means never entering credentials on a page without a valid HTTPS connection, never clicking through a certificate warning, and, on untrusted networks, adding a VPN as a further layer rather than relying on it alone.
What Are the Dangers of Credential Harvesting?
Stealing the login credentials for one of your online accounts is like tipping over the first domino. The chain of events can become unstoppable, leading to the complete takeover of your digital life, including your work accounts.
- Criminals can commit theft and fraud using stolen credentials.
- Breached companies may be seen as lax, incompetent, and uncaring.
- Stolen credentials put customer data at risk, hence the potential for hefty fines from data protection regulators. Under the GDPR, a regulator can fine a company up to 4% of its annual global turnover or €20 million, whichever is higher.
Real-Life Examples of Attacks Due to Credential Harvesting
Cybercriminals value credentials that could help them infiltrate critical infrastructure sectors such as energy, healthcare, essential services, and transportation. A successful attack can have catastrophic results and cause widespread public safety risks.
SolarWinds Supply Chain Attack
SolarWinds provides IT management software to thousands of customers, including government agencies and well-known corporations. Attackers who had gained access to the company's build environment, reportedly by way of compromised credentials, inserted malicious code into Orion software updates, which SolarWinds then signed and distributed to its customers as legitimate releases. The supply chain breach incurred massive remediation costs; one widely cited estimate put the cost to the US government alone at around $18 billion.
Colonial Pipeline Ransomware Attack
Attackers used the password of a legacy VPN account, which was not protected by MFA, to get into the network of a pivotal US fuel operator. The ransomware attack on Colonial Pipeline led the company to shut down the pipeline, causing widespread fuel shortages on the US East Coast. Colonial paid a ransom of roughly $4.4 million (part of which was later recovered by the FBI) and spent millions more on incident response and infrastructure upgrades.
How to Avoid Credential Harvesting Attacks
Constant awareness and a skeptical mindset are some of the most effective defences against digital scams.
- Create awareness in your household and company around popular scams. In one type of attack, hackers use clickbait tactics, such as pop-ups about sensational celebrity gossip. When users click the link to learn more about the scandal, they get prompted to log in to their social media accounts on a fake web page. A reputable ad-blocker cuts your exposure to malvertising, and the habit of reaching login pages only by typing the address or using a bookmark, never through a pop-up or an emailed link, keeps you off fake ones.
- Use a VPN on untrusted networks such as public wifi. It prevents a snooper on the same network from intercepting your traffic, but it does nothing against a phishing page you log into yourself, so treat it as one layer of defence rather than a complete one.
- Use long, unique passwords. Length matters more than a mix of character classes: a randomly generated password of 16 or more characters, or a passphrase of several unrelated words, is very hard to guess or brute-force. Don't reuse passwords and, preferably, store them in a password manager, which can create and store a unique password for each account and will refuse to auto-fill a password on a lookalike domain.
- Install a reputable antivirus. If you accidentally open a poisoned attachment, it can detect and block known malicious code; it will not catch everything, so it complements the other measures rather than replacing them.
- Control access to your accounts. In an office network, apply least privilege with role-based access: not everybody needs access to everything on your company network, and a harvested credential then only unlocks what that user genuinely needed.
- Enable MFA, which forces you to approve all login requests via a separate channel. For example, if someone tries to log into your work account, you must approve it by entering a code from an authenticator app on your smartphone. MFA is a highly effective way of stopping hackers who only have your password. One caveat: a code typed into a web page can still be phished by a kit that relays it to the real site within the same window, so where possible use phishing-resistant MFA such as FIDO2 security keys or passkeys, which only work on the genuine site's domain.
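To make concrete why a one-time code stops an attacker who holds only the password, and where it stops short, the following Python implementation of TOTP (RFC 6238), the scheme behind authenticator apps, is added here as example code written for this page; it is not taken from the article. The seed is the RFC 6238 test secret, and the tolerance of one 30-second step of clock drift is an assumption chosen for the example.

```python
"""TOTP (RFC 6238) generation and windowed, replay-safe verification.

Added example, not code from the original article. RFC_SECRET is the
RFC 6238 test seed; ACCEPT_SKEW (how many 30-second steps of clock drift
the server tolerates) is an assumption chosen for this example.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 8          # the RFC test vectors use 8 digits; most apps use 6
ACCEPT_SKEW = 1     # accept the previous and next step too (assumption)

RFC_SECRET = b"12345678901234567890"   # RFC 6238 Appendix B seed (SHA-1)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / 30 s)."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_accepted_step: int = -1, digits: int = DIGITS) -> tuple[bool, int]:
    """Server-side check of a submitted code.

    Tries the current step and ACCEPT_SKEW steps either side, comparing in
    constant time. Each step is accepted at most once: the caller stores the
    returned step and passes it back as last_accepted_step, so a code an
    attacker captured cannot be replayed after the real login.
    """
    current = unix_time // STEP_SECONDS
    for step in range(current - ACCEPT_SKEW, current + ACCEPT_SKEW + 1):
        if step <= last_accepted_step:
            continue
        if hmac.compare_digest(hotp(secret, step, digits), submitted):
            return True, step
    return False, last_accepted_step


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps store the seed base32-encoded (otpauth:// URIs)."""
    cleaned = encoded.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_SECRET, now)
    print("code for this 30-second window:", code)
    ok, step = verify_totp(RFC_SECRET, code, now)
    print("first use accepted:", ok)
    print("replay in same window accepted:", verify_totp(RFC_SECRET, code, now, step)[0])
```

The replay guard is what makes a stolen code worthless a minute later, and the drift window is why a slightly slow phone still works. What the scheme cannot do is tell a code typed into the real site from one typed into a proxying phishing page and forwarded within the same 30 seconds: the server sees a valid code either way. FIDO2 keys and passkeys close that gap because the browser binds the signed response to the site's origin, so a lookalike domain gets a response the real site will not accept.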
The Internet Can Be a Force for Good or Bad
Bad actors can use the web to manipulate our trust. Phishing emails that seem to come from trusted names are particularly dangerous. Every email should remind us that the internet has a dark underbelly and that we must remain vigilant to avoid potential scams. No matter how many sophisticated tools we use, we are ultimately responsible for our own safety in the digital environment.