Credential Theft: A Cybercriminal's Treasure Trove

Long before Johnny Depp stole our hearts as the quirky and selfish, yet still loveable Captain Jack Sparrow, there were real pirates. It’s true, he probably was the “worst pirate we’ve ever heard of” because he actually had a conscience – something the real ones did not…and still don’t.

Yes, pirates still exist. Sure, they may not have the quintessential pirate garb, parrot companion and massive wooden ships, but they still have a place in our world, on and off the sea. In fact, modern day pirates are quite tech savvy, and many conduct their work from right in front of a computer screen just like you and me. The truth is, these “pirates” we refer to are what we would now call hackers, cybercriminals, bad actors, etc.

In today’s world, cybercrime is the new pirating and it’s much more sophisticated than the likes of Captain Jack Sparrow or Blackbeard. But the end game is still the same – to find their treasure (aka, forcibly take money from unsuspecting victims) through various means.

One of the fastest growing trends used by cybercriminals is credential theft. It’s a fairly straightforward idea where the hackers steal a person’s identity in the form of usernames, passwords and other pieces of login information to gain access to protected systems, such as online banking, company networks and even the cloud. Not only do these credentials provide direct access to secure systems that can lead them to the treasure trove of financial “gold” they want, but it also conjures up less suspicion because the access appears to be legitimate.

Looting: How Credential Theft is Committed

So, how are these modern day “pirates” collecting these credentials? Here are some commonly used tactics cybercriminals employ to commit credential theft:

1. Outdated technology exploitation. You know those patches and updates us cybersecurity folks are always talking about? Skipping them can lead to credential theft. If your credit union operates on an older Windows system or hasn’t updated its firewalls in even as little as a couple weeks, you run the risk of creating gaps that cybercriminals can crawl through, leaving credential information exposed. The same is true of outdated critical infrastructure systems that resulted in the Equifax and Yahoo data breaches, for example. Where there is a gap, there is a way for hackers to find and utilize credentials.

2. Malware attacks. It only takes a single click on a bad link or online ad to spread malware throughout your devices and systems. Once malware is attached to your network, hackers can easily find credentials and use them for their gain.

3. Social engineering/phishing attacks. As we all know, social engineering has many forms, but they all focus on one thing…the human condition. The weakest link is often the human one, and hackers exploit that through phishing emails or vishing calls aimed at gathering credentials right from the source.

4. Poor password security. There’s a reason most passwords these days call for a minimum number of characters; a mixture of letters, numbers and special characters; different cases; and so on. That’s because poor password security – aka, easy-to-crack passwords – is no match for experienced cybercriminals. But, that’s only one part of the password security puzzle. Using old passwords repeatedly or using the same password across multiple systems is also a hazard. Once a hacker has your password, they’ll be able to utilize it and access the corresponding system.

5. Man in the middle (MitM) attacks. A MitM attack is when a cybercriminal intercepts communications between two entities, while both parties believe they are solely interacting with one another. As the name suggests, the hacker sits in the middle, where they can eavesdrop on the conversation and, consequently, gain access to credentials.

6. Cloud service attacks. These days, a large portion of the workforce performs their job duties either remotely or via a hybrid schedule. That means cloud-based programs such as Microsoft Office 365 or Adobe Creative Cloud are used more frequently than ever before. As such, cybercriminals have been known to hack these systems and steal credentials.

Batten Down the Hatches: How to Combat Credential Theft

Unlike seafarers from the pages of history, armed cannons and impetuous rerouting of our cargo won’t provide resistance against today’s pirates – not in the cyber world. Instead, there are other defensive measures we can take to stop credential theft.

  • Multifactor Authentication (MFA). Credentials are harder to steal when they come in layers. MFA provides two (sometimes even three) layers of authentication before access is granted to a system. In the event that a password and/or username is already in a hacker’s possession, they will still have to complete the subsequent MFA prompts, which may require additional credentials they don’t have, preventing them from accessing sensitive information.

  • Permissions and Privileges. Basically, know who within your organization has access to your systems and understand why they need those permissions. Do the proper due diligence in assigning permissions and privileges only to those who need them to complete their jobs. Also be aware that system administrators are more likely to be targeted because of their high level access to protected data. The fewer people who have access to a system, the fewer avenues cybercriminals will have to steal information.

  • Password Management. Be smart about password management within your credit union. Maintain specific requirements for your employees’ passwords, including how often they need to be changed, how long they need to be, etc. Don’t allow changed passwords to be too similar to past ones and encourage employees to differentiate passwords among various systems.

  • Train, Train, Train. There is no such thing as too much training. Keep this in mind when it comes to security awareness education for your staff. The more they know about credential theft, social engineering scams, malware, ransomware and the other multitude of security threats out there, the better they will be at protecting their information and, by association, the credit union’s. Security awareness training can include tips for good password management, examples of cybersecurity risks, what to do in the event of a security incident, etc. Cover all the bases and then some!

  • Know Your Risks and Close Your Gaps. Remember those gaps we talked about earlier? They are a major entry point for hackers, so they must be addressed often. Read cybersecurity bulletins every day and sign up for industry alerts so that you know when new patches and updates are available. Then, implement them as soon as possible to close those gaps and keep hackers out. At the same time, make sure you perform your routine vulnerability scanning, information security risk assessments and all those other tools to help you understand where your risks lie. The more you know, the better prepared you will be.

  • Respond to Incidents IMMEDIATELY. If you know a system or device has been compromised through credential theft, handle the situation as quickly and efficiently as possible. That means isolating the item from company-wide networks and other connections immediately and following through with your incident response plans.

  • Stay Compliant. There are so many governing bodies when it comes to cybersecurity. Regulations from the NCUA, FFIEC and others provide guidance to help you stay protected and, if all else fails, to fight against cyber threats such as credential theft. It’s simple, but so important to be on top of your cybersecurity practices, so look for ways to be proactive and compliant.
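
To make the Password Management point above concrete, here is an added example (not code from the original article) of a password-change check that enforces a minimum length, rejects reuse of past passwords and rejects a new password that is too similar to the current one. The length, similarity threshold, work factor, function names and sample passwords are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from difflib import SequenceMatcher

MIN_LENGTH = 12        # assumed policy value; the article names no number
MAX_SIMILARITY = 0.7   # assumed threshold for "too similar"
ITERATIONS = 200_000   # PBKDF2 work factor (assumed)

def hash_password(password, salt=None):
    """Return (salt, digest); the history stores only these, never plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def in_history(candidate, history):
    """Exact-reuse check: re-hash the candidate under each stored salt."""
    return any(
        hmac.compare_digest(hash_password(candidate, salt)[1], digest)
        for salt, digest in history
    )

def similarity(a, b):
    """Case-insensitive similarity ratio between 0.0 and 1.0."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()

def check_password_change(current, candidate, history):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if in_history(candidate, history):
        problems.append("reused")
    # Only the current password is available in plaintext (the user types it
    # to authorize the change), so it is the only one compared for similarity.
    if similarity(current, candidate) > MAX_SIMILARITY:
        problems.append("too similar to current password")
    return problems

# Constructed sample data for the demonstration, not real credentials.
CURRENT = "Granite-Compass-77"
HISTORY = [hash_password("Harbor-Lantern-41"), hash_password(CURRENT)]

if __name__ == "__main__":
    for candidate in ("short1!", "Harbor-Lantern-41", "Granite-Compass-78",
                      "Velvet-Orchard-Kite-93"):
        result = check_password_change(CURRENT, candidate, HISTORY)
        print(candidate, "->", result or "accepted")
```

Older passwords are kept only as salted hashes, so they can be checked for exact reuse but not for similarity; keeping them in plaintext to allow that comparison would create one more store of credentials to steal.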

It’s time to stop thinking of pirates as the rum-soaked, sword-slinging mutineers from days of old. The truth is, they still exist. But, these days, they do their dirty work using technology and strategy. They may go by different names now and have a far superior method for finding their treasure trove of stolen data, but their goal of pilfering funds remains the same and their potential victims (including your employees, your credit union and your members) are countless.

Through simple credential theft – stealing the usernames and passwords we use each and every day – they can carry out their heists in an easier, more indirect way than ever before. However, sharing the knowledge about credential theft and other cybersecurity threats within your credit union will help to better protect your information and allow you to create a plan with tech-driven strategies of your own to keep that coveted treasure safe and secure.


Mike Bechtel is an information security analyst for Vizo Financial Corporate Credit Union. As such, he provides incident response planning services, information security risk assessments, security awareness training, social engineering and vulnerability testing and reporting and information security-related consulting services to credit unions.