Story image

Credential theft industry booming in US, declining in Asia & EU

10 Oct 2018

Compromised credentials are a constantly occurring headache for businesses and consumers around the world.

However, research from enterprise-class cyberthreat intelligence company Blueliv shows the rate of stolen credentials depends significantly on where you are in the world.

It was a great harvest for cybercriminals targeting North America in the second quarter of 2018, as compromised credentials retrieved from botnets geolocated to the region skyrocketed 141 percent quarter over quarter (March to May 2018 over June to August 2018).

Meanwhile, Europe and Russia actually saw a decrease of 22 percent, while Asia plummeted 36 percent. Obviously, there were some profitable campaigns in North America over the quarter.

The data holds even more insights when taken to a deeper level. For instance, between just July and August, geolocated credentials detected from Europe and Russia fell 33 percent, while Asia surged 77 percent.

According to Blueliv, this suggests a sizeable botnet was taken down in Europe, while a campaign targeting Asia was thriving.

“All it takes is a single good credential for a threat actor to gain access to an organisation and cause havoc,” says Blueliv CEO and founder Daniel Solís .

“We are observing a booming market for credential theft, and the latest statistics show that this sort of cybercrime is a truly global enterprise. By understanding the lifecycle of the compromised credential, CISOs seeking to protect their business and analysts looking for IOCs gain valuable information to shrink their attack surface.”

In terms of the malware families being used by cybercriminals, Pony, KeyBase, and LokiPWS (also referred to as Loki Bot) were consistently the most common tools of choice, but when it comes to popularity Pony has always been several lengths ahead of its counterparts.

However, LokiPWS is hot on its heels as in May its distribution had gone through the roof by more than 300 percent year over year. During the second quarter LokiPWS samples almost doubled, with a 91 percent increase quarter over quarter.

Solís says the growth of LokiPWS is of particular concern. It can be used as both a loader for other malware as well as a password and cryptowallet stealer. It is widely available from a variety of underground markets as a modular product, usually priced between US$200-300 depending on the desired use.

“Our analysts have been following the development of a huge variety of malware families,” says Solís.

“Source code leaks of different versions of LokiPWS in recent years have probably influenced its increase in usage as a credential stealer, but this does not mean that we should discount the likes of Pony, Emotet, KeyBase and AZORult, which continue to be disturbingly effective around the world.”

Blueliv shares its intelligence in a bid to socialise cybersecurity and encourage parity to enable businesses around the world to fight cybercrime collaboratively.

Hackbusters! Reviewing 90 days of cybersecurity incident response cases
While there are occasionally very advanced new threats, these are massively outnumbered by common-or-garden email fraud, ransomware attacks and well-worn old exploits.
SEGA turns to Palo Alto Networks for cybersecurity protection
When one of the world’s largest video game pioneers wanted to strengthen its IT defences against cyber threats, it started with firewalls and real-time threat intelligence from Palo Alto Networks.
Forrester names Trend Micro Leader in email security
TrendMicro earned the highest score for technology leadership, deployment options and cloud integration.
LogRhythm releases cloud-based SIEM solution
LogRhythm Cloud provides the same feature set and user experience as its on-prem experience.
One Identity named Leader in PAM and IAM by KuppingerCole
KuppingerCole lead analyst Anmol Singh evaluated the strengths and weaknesses of 20 solution providers in the PAM market for the report.
Healthcare environments difficult to secure - Forescout
The convergence of IT, Internet of Things (IoT) and operational technology (OT) makes it more difficult for the healthcare industry to manage a wide array of hard-to-control network security risks.
Bitglass appoints new cloud, business development leaders
The cloud security company has appointed vice presidents for worldwide channels and worldwide business development.
Exploring the different needs for cloud services across Europe
Although digital transformation is happening across Europe, each country continues to have its own IT needs and the different cloud markets highlight this.