How Hackers Phish Your User Credentials and Sell Them

Nov 28, 2023The Hacker NewsCybercrime / Crime Prevention


Account credentials, a popular initial access vector, have become a valuable commodity in cybercrime. As a result, a set of stolen credentials can put your organization’s entire network at risk.

According to 2023 Verizon Data Breach Investigation Reportexternal parties are responsible for 83 percent of violations that occurred between November 2021 and October 2022. Forty-nine percent Such violations include stolen credentials.

How do threat actors compromise credentials? Social engineering is one of the top five cybersecurity threats in 2023. Phishing, which accounts for % of social engineering attempts, is the method of stealing credentials. This is a relatively inexpensive tactic that delivers results.

As phishing and social engineering techniques become more sophisticated and tools become more readily available, credential theft should become a top security concern for all organizations if it isn’t already.

Phishing has increased

With phishing and social engineering in general, threat actors are looking beyond just using emails:

  • Today’s phishing campaigns are multi-channel attacks with multiple stages. In addition to emails, threat actors use texts and voicemails to direct victims to malicious websites and then use a follow-up phone call to continue the trick.
  • Threat actors are actively targeting mobile devices. Credentials can be compromised as users can be tricked by social engineering tactics in various apps. Half off all personal devices exposed to phishing attacks every quarter in 2022.
  • AI becomes a factor. AI is used to make phishing content more believable and to expand the range of attacks. Using victim research data, AI can create personalized phishing messages and then refine the messages to increase legitimacy to get better results.

PhaaS is the path to stolen credentials

However, it doesn’t take much to start stealing credentials. Phishing has become good business because threat actors have fully embraced the phishing-as-a-service (PhaaS) model to outsource their expertise to others. With phishing kits sold on underground forums, even novices without the skills to break into IT systems themselves may be capable of launching an attack.

PhaaS operates like legitimate SaaS businesses. There are subscription models to choose from and the purchase of a license is required for the kits to work.

Advanced phishing tools used to target Microsoft 365 accounts

W3LL’s BEC phishing ecosystem exposed

For the past six years, threat actor W3LL has been offering its customized phishing kit, the W3LL Panel, on its underground marketplace, the W3LL Store. The W3LL kit was created to bypass multi-factor authentication (MFA) and is one of the more advanced phishing tools on the underground market.

Between October 2022 and July 2023, the device was used to successfully infiltrate at least 8,000 of the 56,000 corporate Microsoft 365 business email accounts being targeted. W3LL also sells other assets, including victims’ email lists, compromised email accounts, VPN accounts, compromised websites and services and customized phishing baits. It is estimated that the income for the W3LL Store in the last 10 months is as much $500,000.

The Greatness phishing kit simplifies BEC

Eminence has been in the wild since November 2022 with a sharp jump in activity during that time December 2022 and again in March 2023. In addition to Telegram bot integration and IP filtering, Greatness includes multi-factor authentication bypass capability like the W3LL Panel.

The first contact is made with a phishing email that redirects the victim to a bogus Microsoft 365 login page where the victim’s email address is pre-populated. When the victim enters their password, Greatness connects to Microsoft 365 and bypasses MFA by prompting the victim to submit the MFA code on the decoy page. That code is then forwarded to the Telegram channel so that the threat actor can use it and access the real account. The Greatness phishing kit can only be deployed and configured with an API key.

The underground market for stolen credentials

In 2022, there will be more than 24 billion credentials sold on the Dark Web, an increase from 2020. The price for stolen credentials varies depending on the type of account. For example, Stolen cloud credentials are about the same price as a dozen donuts while ING bank account logins will sell for $4,255.

Access to these underground forums can be difficult with some operations requiring verification or membership fees. In some cases, such as the W3LL Store, new members are only allowed on the recommendation of existing members.

The dangers of end-users using stolen credentials

The risks of stolen credentials are increased when end-users reuse passwords across multiple accounts. Threat actors pay for stolen credentials because they know many people, more than, use the same password on multiple accounts and web services for personal and business purposes.

No matter how impenetrable your organization’s security is, preventing the reuse of valid credentials stolen from another account can be difficult.

Financial gain is the motivation behind stolen credentials

After stealing account credentials, threat actors can distribute malware, steal data, impersonate the account owner and perform other malicious actions on the compromised email account. However, the threat actors who steal the credentials are often not the ones who use the information.

Financial gain remains the primary factor 95% of violations. Threat actors will sell the credentials they steal on underground forums for profit to other threat actors who will use them weeks or months later. This means that stolen credentials will be the driving force behind the underground markets of the future. What steps do you take to secure user credentials in your organization?

Block compromised passwords

Eliminate the security risks of compromised passwords with Specops Password Policy with Breached Password Protection that allows you to block more than 4 billion known compromised passwords from your Active Directory. All users will be prevented from using known compromised passwords and will be guided to create a different password that matches your policy. Also, if continuous scanning is activated, users will be alerted via SMS or email as soon as their password is discovered to have been compromised.

You can strengthen your password infrastructure by using the custom dictionary feature that allows you to block words common to your organization as well as weak and predictable patterns. Implement a stronger password policy that meets the current compliance requirements of the Specops Password Policy. Try it for free here.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment