Threat intelligence and cyber risk firm Digital Shadows discovered a 65% increase in compromised user credentials circulating on the dark web market.
The Account Takeover in 2022 report found more than 24 billion username and password combinations on sale on the dark web, up from 15 billion in 2020.
Two years earlier, the number of leaked credentials was just 5 billion, representing a 300% increase from 2018 to 2020. According to the firm, the number of leaked credentials was growing annually and would continue to increase in the coming years.
Digital Shadows also found that state-sponsored attackers, hacktivists, and ransomware gangs have leveraged account takeover (ATO) attacks using stolen credentials.
Easily guessable and exploitable user credentials are still widely popular
The mid-June 2022 report by Digital shadows found that the top 50 most common passwords were easy to guess. Some include combinations of the name ‘password’ with some unforgettable numbers.
Similarly, the use of ‘123456’ as a password was very common, accounting for 0.46% or at least once in every 200 passwords. Keyboard combinations such as ‘qwerty’ or ‘1q2w3e’ were also prevalent.
Subsequently, the top 100 most common passwords accounted for 2% of the leaked user credentials.
Additionally, 49 out of 50 most common passwords could be cracked in less than a second in offline attacks using free or affordable exploitation tools available on the dark web.
However, adding a special character (@,_,#) to a simple 10-character password increased the offline crack time by 90 minutes, while adding two special characters increased the time by 2 days and 4 hours.
Additionally, the Digital Shadows Photon Research team found a staggering amount of plaintext passwords accounting for 88.7% of stolen passwords in the database.
However, they did not explain the percentage of the leaked passwords stolen in hashed format and decrypted by the attackers before listing. Consequently, they suggested that the total number of stolen passwords might be higher than reported.
The report posited that increasing the effort and time required to breach an account would make it less worthwhile to attackers, forcing them to focus on other weaker accounts.
Social engineering and malware are common sources of stolen user credentials
The researchers listed malware, phishing, and social engineering as common methods for stealing user credentials.
Automated credential harvesting involves info stealers such as the Redline malware that can run in the background. According to the researchers, phishing could also spread infostealers such as Redline malware.
However, the easiest method to obtain user credentials was to buy them from dark web forums. The report noted that the price of stolen credentials depends on the age of the account, the file size, the buyer’s reputation, and account type. For example, cryptocurrency-related accounts attracted higher prices.
Attackers regularly leverage stolen user credentials as the initial attack vector to deploy malware and exploitation tools before a ransomware attack.
“Identities are the true hackers’ objective,” Garret Grajek, CEO at YouAttest. “A username/password tuple can be attempted at not just the resource that is discovered but at multiple targets: banks, credit cards, health care, and business accounts.”
Grajek says that attackers could pivot a username with OSINT and discover the compromised workplace.
“From there it’s just a matter of logging onto the users’ account in some form, dropping in a RAT (Remote Access Trojan), and then begin the cyber kill chain of lateral movement and privilege escalation. It is imperative that an enterprise practice Zero Trust and strong identity governance which help identify anomalies in user privileges,” Grajek said.
Dark web marketplaces expanded in size and sophistication
Cybercriminals depend on the dark web to dispose of their stolen user credentials. The Digital Shadows report found that dark web marketplaces continue expanding and offering more exploitation tools, malware, and services.
Additionally, the dark web marketplaces introduced various subscription models, including premium services to facilitate the sale and purchase of stolen user credentials.
However, the attackers advertised many stolen user credentials on several dark web forums to increase the customer base. This practice introduced duplication in the user credentials listed for sale.
Digital Shadows accounted for replication and recorded 6.7 billion unique records after removing the duplicates. Even then, the number of stolen credentials had increased by 1.7 billion from 2020, representing a 34% increase.
The report stated that the firm had warned its customers about advertised compromised credentials at least 6.7 million times in the last 18 months.
How to protect user credentials from data leaks
Digital Shadows advised users to store their passwords using a password manager. Using a password manager allows them to use strong passwords without remembering them.
Additionally, they should enable multi-factor authentication, which could replace passwords and other authentication methods.
Similarly, using an Authenticator App to generate temporary authentication codes would render exposed credentials useless.
“We will move to a ‘passwordless’ future, but for now, the issue of breached credentials is out of control,” Chris Morgan, Senior Cyber Threat Intelligence Analyst at Digital Shadows, said. “Criminals have an endless list of breached credentials they can try, but adding to this problem is weak passwords, which means many accounts can be guessed using automated tools in just seconds.”
Morgan said leaked user credentials include those of staff, customers, servers, and IoT devices. He added that the breaches could have been mitigated by stronger passwords and avoiding password reuse across different accounts.
Digital Shadows attributed increasing ATO attacks to an increase in the average user’s digital footprint, authentication blind spots by the lack of consistency in authentication, and the failure to secure compromised accounts on time.
Kim DeCarlis, CMO at PerimeterX, noted that the cyber threat landscape had changed, with web attacks being part of an integrated cybercrime cycle, with each propagating the other prolonging the attack cycle.
“The front door to a web app is a valid user name and password, and it is eye-opening to learn the number of credential pairs available on the dark web,” DeCarlis said. “Stopping the theft, validation, and fraudulent use of account and identity information should be a prime focus for all online businesses.”