A new market for non-financial credentials is emerging in the cybercrime underground, thanks to mass data breaches and phishing attacks exposing billions of usernames, email addresses and passwords in the last two years. But don’t be fooled into believing this data is only being exchanged and sold in the farthest reaches of the Internet. It is available to anyone on open websites and traded in plain sight on social media.
Relying on the fact that many people reuse the same username and password combination across multiple accounts, cybercriminals are making money by selling stolen credentials. Naturally, verified account credentials command a premium, as they can be more readily used to take over other accounts (for example, to make fraudulent e-commerce purchases), so the business of credential testing services is expanding as well. Other factors also contribute to the price of stolen credentials, including the brand, whether a credit card is on file in the account, and how easily the goods or services can be resold. Today, account credentials may sell for anywhere from $0.20 to $15 USD.
An abundance of stolen account credentials, coupled with the ease with which cybercriminals can obtain them at low cost, is helping to fuel a rise in account takeover attacks. In fact, according to the latest 2018 Identity Fraud Study by Javelin Strategy & Research, account takeover losses more than tripled in the last year to $5.1 billion.
Automated tools, such as SentryMBA, enable cybercriminals to carry out high-speed username- and password-guessing attacks, sometimes called credential replay attacks. These tools are available at low or no cost, or on a fraud-as-a-service basis. Account takeover success rates can reach 5%, which produces an acceptable yield of valid credentials for cybercriminals, whether for their own use or for downstream sale.
It can be difficult to spot automated attacks because legacy tools such as web application firewalls (WAFs) were not designed or architected to look for them. More organizations are turning to behavior analytics technologies to ensure that authenticated users and anonymous guests are interacting with their website in expected ways. These technologies can identify unusual patterns of behavior across both web and mobile applications, for example in the way a user navigates a site, or robotic activity such as thousands of login attempts within only a few minutes.
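The robotic pattern described above, a burst of login attempts spread across many different usernames with almost none succeeding, can also be flagged directly from authentication logs. The Python below is an added example, not code from the original post or from RSA; the log format (timestamp, source IP, username, OK/FAIL), the sample entries and the thresholds are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption): "<ISO timestamp> <source IP> <username> <OK|FAIL>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse_line(line):
    """Return (timestamp, ip, user, succeeded) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, user, result = m.groups()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_credential_replay(lines, window=timedelta(seconds=60),
                             min_attempts=10, min_users=8, max_success_rate=0.10):
    """Flag source IPs whose attempts in a sliding window look like a replay tool: many
    attempts, nearly all for different usernames, and a low success rate (stale lists)."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user, succeeded)
    alerts = {}
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue  # skip malformed lines instead of crashing on bad input
        ts, ip, user, ok = parsed
        q = recent[ip]
        q.append((ts, user, ok))
        while ts - q[0][0] > window:  # drop attempts that fell out of the window
            q.popleft()
        if len(q) < min_attempts:
            continue
        users = {u for _, u, _ in q}
        rate = sum(1 for _, _, s in q if s) / len(q)
        if len(users) >= min_users and rate <= max_success_rate:
            # keep the largest observation per IP so a repeated alert only grows
            if ip not in alerts or len(q) > alerts[ip]["attempts"]:
                alerts[ip] = {"attempts": len(q), "distinct_users": len(users),
                              "success_rate": round(rate, 3)}
    return alerts

def build_sample_log():
    """Constructed sample: one user who mistypes twice (never reaches min_attempts),
    and one tool cycling through a stolen list from a single address."""
    base = datetime(2018, 3, 1, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=5 * i)).isoformat()} 198.51.100.5 bob "
             f"{'OK' if i == 2 else 'FAIL'}" for i in range(3)]
    for i in range(12):  # 12 different usernames in 22 seconds, one of them still valid
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()} 203.0.113.7 "
                     f"user{i:02d} {'OK' if i == 7 else 'FAIL'}")
    return lines
```

Tune the thresholds to the site's normal traffic: a shared corporate egress address legitimately produces many distinct usernames, so the low success rate is the discriminating signal there.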
So what will the state of cybercrime look like in 2018? We expect to see more mass data breaches, and a spike in account takeover attacks as a result. This will flood the market with stolen credentials, so verifying credentials will become even more of a priority for cybercriminals looking to monetize them. We also anticipate the development of credential checking tools that are programmed to transact immediately following a successful login, as a way to try to bypass fraud prevention systems.
Written by: Heidi Bleau (originally posted on RSA.com blogs)