
MindShare: How Hackers Get Your Credentials

By David Rihak, Peig.io

In 2023, credentials were the top culprit in successful breaches. Hackers use credentials for reconnaissance, to gain initial access, and to get access to the final target to encrypt and request ransom - what we know well as ransomware.

But why and how do hackers steal credentials to do all these bad things in the first place? You've come to the right place. Let's take a look at what evil-doings hackers have been up to.

You might want to understand why hackers even want the credentials of people in your organization. There are many reasons: sometimes, it's to sell them online; other times, they buy your credentials to infiltrate your organizations, get their hands on other credentials, and sell those. A bit confusing, right? The bottom line is that it doesn't matter why they do it. What's more important is that they do it often and that it is damaging to individuals or businesses.

It's worth a while to understand how they get them and see if there are things we can do to protect ourselves and our organizations.

There are several typical methods we want to watch out for. All of them have to do with weak authentication security. But we'll get to that later. Let's understand the basics for the most wanted:

Credential database hack

A database full of usernames and passwords is a gold mine for hackers. That's why the 1Password breach was such a big deal. That's why password managers are generally not a good idea. Once a hacker gets access to a credential database, they can sell it on the dark web and make a killing doing so.

Some techies may now say, "But passwords are encrypted in databases, so it shouldn't be a problem even if a database gets hacked." The problem is a technique called a dictionary attack, which means you can guess passwords even if the said database of passwords is well protected.

And it gets worse: since people reuse passwords for several different accounts, your systems are likely at risk even if your business doesn't use a password manager or the particular website that was breached. Even though people typically know they're not supposed to reuse passwords, it's also true that people do dumb things. It's also true that people don't want to admit to being dumb, especially when it's because they did something they were explicitly told not to do.

MitM

The man-in-the-middle attack is precisely what it sounds like. It's an attack where the attackers place themselves between a user and a website the user tries to access. It's done using several techniques: sometimes, they focus more on tricking the user, and other times, they focus on tricking the systems. The goal, however, is always the same: become the man in the middle of the communication to get your hands on confidential information like user credentials.

Phishing

Unsurprisingly, phishing is also what it sounds like. Just like with fish, you don't care which one you catch as long as you end up with a warm meal at the end of the day. Phishing is a common type of man-in-the-middle attack that hackers like to use because it's cheap, simple, and effective. How does it work? A hacker typically creates a lookalike website that looks and feels like the real thing and then sends emails containing stressful messages to thousands of email addresses. It usually says stuff like "You need to reset the password to your Outlook email" or "Your boss sent you an encrypted message," or lately, thanks to AI, something way more specific that will push the oh s**t buttons just for you. Under pressure, the stressed-out user clicks on the phishing link and provides their credentials to the lookalike website, thinking it's real. And just like the fish, their credentials have been phished.

MFA phishing

You may be using MFA in your organization and are now thinking: None of this applies to us. We use MFA! We are safe.

I have some bad news for you, too. MFA doesn't solve the phishing problem. Go back to the previous scenario. The panicking user clicks on the phishing link and enters their username and password into the lookalike website. What happens next? They are asked to enter a one-time password or authorize a notification request in their authenticator application. Suspecting no malicious activity, they just let the hacker in. MFA only works if the user suspects wrongdoing.

MFA bombing

This MFA weakness has also been used in breaches, e.g., Uber in 2022, to annoy a user into submission. Knowing a primary credential like a username and password, hackers repeatedly request access, which in turn repeatedly prompts the user to authorize access. The annoyed user assumes the authenticator is merely malfunctioning and authorizes the request, letting the adversary in.
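Repeated push prompts followed by an approval are visible in authentication logs. The following detection, added here as an example and not part of the original column, runs over constructed sample log lines and flags a user who receives a burst of push prompts within a short window, and again if that user then approves one. The log format, the five-minute window and the threshold of five prompts are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article): timestamp, user, event, result.
# "alice" is being push-bombed and finally approves; "bob" is a normal single login.
SAMPLE_LOGS = """\
2024-05-01T09:00:01 alice mfa_push sent
2024-05-01T09:00:20 alice mfa_push denied
2024-05-01T09:00:31 alice mfa_push sent
2024-05-01T09:00:50 alice mfa_push denied
2024-05-01T09:01:02 alice mfa_push sent
2024-05-01T09:01:33 alice mfa_push sent
2024-05-01T09:02:04 alice mfa_push sent
2024-05-01T09:02:40 alice mfa_push approved
2024-05-01T09:03:00 bob mfa_push sent
2024-05-01T09:03:15 bob mfa_push approved
"""

WINDOW = timedelta(minutes=5)   # assumed: sliding window for counting prompts
THRESHOLD = 5                   # assumed: prompts within WINDOW that count as bombing


def parse_line(line):
    ts, user, event, result = line.split()
    return datetime.fromisoformat(ts), user, event, result


def detect_push_bombing(lines, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (user, timestamp, detail) tuples.

    detail is the prompt count when a burst is detected, or the string
    "approved_after_burst" when a bombed user approves a prompt."""
    prompts = defaultdict(deque)   # per-user timestamps of prompts inside the window
    bombed = set()
    alerts = []
    for line in lines:
        ts, user, event, result = parse_line(line)
        if event != "mfa_push":
            continue
        if result == "sent":
            q = prompts[user]
            q.append(ts)
            while q and ts - q[0] > window:   # drop prompts older than the window
                q.popleft()
            if len(q) >= threshold and user not in bombed:
                bombed.add(user)
                alerts.append((user, ts, len(q)))
        elif result == "approved" and user in bombed:
            # the dangerous moment: the worn-down user lets the request through
            alerts.append((user, ts, "approved_after_burst"))
    return alerts
```

The second alert type is the one worth paging on: a burst alone may be a user fumbling a login, but an approval after a burst is the pattern behind the Uber incident described above.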

Is there anything our organization can do to better protect itself from these villainies?

Yes. It would help if you had access security that combines the following qualities:

  • Passwordless authentication: password-based security doesn't cut it anymore since passwords are the top target for hackers everywhere.
  • Device-based access: allows access for users from their devices. Device verification must use cryptography instead of traditional credentials.
  • Device-binding: authentication should happen on the same device where access is requested. Try to avoid using external authenticators.
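The reason the device-bound, cryptographic approach resists the phishing scenario described earlier is that the device signs over the origin it is actually talking to, so a response produced on a lookalike site is useless on the real one. The simulation below is an added example, not code from the column or from Peig.io; it uses an HMAC secret held by the device as a stdlib-only stand-in for the asymmetric key pair a real authenticator would use, and the origins are assumed values.

```python
import hashlib
import hmac
import secrets


class Device:
    """Device-bound authenticator: its secret never leaves the device and is only
    ever used to sign (challenge, origin). HMAC stands in for a real signature key."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)

    def register(self):
        # With HMAC the server's verification key is the same secret; a real
        # authenticator would hand over a public key instead.
        return self._secret

    def sign(self, challenge: bytes, origin: str) -> bytes:
        # The browser, not the user, supplies the origin it is connected to.
        return hmac.new(self._secret, challenge + origin.encode(), hashlib.sha256).digest()


class RelyingParty:
    ORIGIN = "https://login.example.com"   # assumed real site

    def __init__(self):
        self.keys = {}
        self.pending = {}   # one outstanding challenge per user

    def enroll(self, user, device):
        self.keys[user] = device.register()

    def challenge(self, user):
        c = secrets.token_bytes(32)
        self.pending[user] = c
        return c

    def verify(self, user, signature):
        c = self.pending.pop(user, None)       # each challenge is single-use
        if c is None:
            return False
        expected = hmac.new(self.keys[user], c + self.ORIGIN.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def legitimate_login(rp, user, device):
    return rp.verify(user, device.sign(rp.challenge(user), RelyingParty.ORIGIN))


def relayed_login(rp, user, device, lookalike="https://login-example.com"):
    """Man in the middle: the real site's challenge is relayed to the user, who
    signs it on the lookalike. The signature is bound to the wrong origin."""
    return rp.verify(user, device.sign(rp.challenge(user), lookalike))
```

Contrast this with a one-time code: the code carries no origin, so the same relay would have let the attacker in.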

Hackers are lazy and clever: they do what's easy and, most importantly, what will make money. Combining these three qualities will make their lives hell. So, instead of trying to get through a brick wall, they will do their evil deeds elsewhere, where it pays off.