Story image

Credential theft industry booming in US, declining in Asia & EU

10 Oct 18

Compromised credentials are a constantly occurring headache for businesses and consumers around the world.

However, research from enterprise-class cyberthreat intelligence company Blueliv shows the rate of stolen credentials depends significantly on where you are in the world.

It was a great harvest for cybercriminals targeting North America in the second quarter of 2018, as compromised credentials retrieved from botnets geolocated to the region skyrocketed 141 percent quarter over quarter (March to May 2018 over June to August 2018).

Meanwhile, Europe and Russia actually saw a decrease of 22 percent, while Asia plummeted 36 percent. Obviously, there were some profitable campaigns in North America over the quarter.

The data holds even more insights when taken to a deeper level. For instance, between just July and August, geolocated credentials detected from Europe and Russia fell 33 percent, while Asia surged 77 percent.

According to Blueliv, this suggests a sizeable botnet was taken down in Europe, while a campaign targeting Asia was thriving.

“All it takes is a single good credential for a threat actor to gain access to an organisation and cause havoc,” says Blueliv CEO and founder Daniel Solís .

“We are observing a booming market for credential theft, and the latest statistics show that this sort of cybercrime is a truly global enterprise. By understanding the lifecycle of the compromised credential, CISOs seeking to protect their business and analysts looking for IOCs gain valuable information to shrink their attack surface.”

In terms of the malware families being used by cybercriminals, Pony, KeyBase, and LokiPWS (also referred to as Loki Bot) were consistently the most common tools of choice, but when it comes to popularity Pony has always been several lengths ahead of its counterparts.

However, LokiPWS is hot on its heels as in May its distribution had gone through the roof by more than 300 percent year over year. During the second quarter LokiPWS samples almost doubled, with a 91 percent increase quarter over quarter.

Solís says the growth of LokiPWS is of particular concern. It can be used as both a loader for other malware as well as a password and cryptowallet stealer. It is widely available from a variety of underground markets as a modular product, usually priced between US$200-300 depending on the desired use.

“Our analysts have been following the development of a huge variety of malware families,” says Solís.

“Source code leaks of different versions of LokiPWS in recent years have probably influenced its increase in usage as a credential stealer, but this does not mean that we should discount the likes of Pony, Emotet, KeyBase and AZORult, which continue to be disturbingly effective around the world.”

Blueliv shares its intelligence in a bid to socialise cybersecurity and encourage parity to enable businesses around the world to fight cybercrime collaboratively.

Disruption in the supply chain: Why IT resilience is a collective responsibility
"A truly resilient organisation will invest in building strong relationships while the sun shines so they can draw on goodwill when it rains."
Businesses too slow on attack detection – CrowdStrike
The 2018 CrowdStrike Services Cyber Intrusion Casebook reveals IR strategies, lessons learned, and trends derived from more than 200 cases.
Proofpoint launches feature to identify most targeted users
“One of the largest security industry misconceptions is that most cyberattacks target top executives and management.”
McAfee named Leader in Magic Quadrant an eighth time
The company has been once again named as a Leader in the Gartner Magic Quadrant for Security Information and Event Management.
Symantec and Fortinet partner for integration
The partnership will deliver essential security controls across endpoint, network, and cloud environments.
Is Supermicro innocent? 3rd party test finds no malicious hardware
One of the larger scandals within IT circles took place this year with Bloomberg firing shots at Supermicro - now Supermicro is firing back.
25% of malicious emails still make it through to recipients
Popular email security programmes may fail to detect as much as 25% of all emails with malicious or dangerous attachments, a study from Mimecast says.
Google Cloud, Palo Alto Networks extend partnership
Google Cloud and Palo Alto Networks have extended their partnership to include more security features and customer support for all major public clouds.