GUIDE ON CREDENTIAL THEFT:
Cyber Security Awareness Month (Unbirthday)
The main aim of this article is to celebrate the Cybersecurity Awareness Month's Un-birthday which, at IMQ Intuity, we celebrate in November instead.
The reason is simple: #SecurityAwareness is a very hot topic every day, so its "celebration" cannot be reduced to a single month a year.
On the occasion of the Cybersecurity Awareness Month's Un-birthday, we would like to share with you a practical guide on #CredentialTheft.
PROTECT YOURSELF FROM CREDENTIAL THEFT
Credential theft is the cause of many cyberattacks, and the number of incidents is growing fast. In terms of effort, the easiest route for an attacker is no longer pure social engineering or the exploitation of technological vulnerabilities. Exploiting only technological vulnerabilities would mean underestimating the human, sociological and psychological vulnerabilities of the user, which for an attacker are fundamental in terms of ease of execution and rate of success. So the easiest way to attack is to steal credentials, and the two most common ways to do so are:
- Compromising the machines
- Impersonating someone
COMPROMISING THE MACHINES
Starting from the compromise of a single system, the attacker captures the credentials present on that system and reuses them to access every other system where the same credentials are valid (Lateral Movement). He then steals progressively more privileged credentials until he gains full control of the infrastructure (Privilege Escalation).
These activities usually go undetected because they are hard to distinguish from legitimate activity: to the monitoring systems, each individual logon looks like normal authentication traffic.
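A practitioner's check for the point above, added here as an example rather than taken from the guide: each logon on its own looks legitimate, but the pattern does not. The Python below reads a constructed key=value authentication log (an assumption standing in for Windows 4624 events, sshd logs or a SIEM export) and flags any account whose single set of credentials succeeds on several different hosts within a short window, which is the fan-out that credential reuse during Lateral Movement produces. The window and host threshold are illustrative values, not figures from the guide.

```python
"""Flag one account's credentials succeeding on many hosts in a short window.

Added example, not the guide's own tooling. The log format is a constructed
key=value line (assumption); real sources would be Windows 4624 events,
sshd logs or a SIEM export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: j.doe fans out to five hosts in ten minutes (reused
# credentials), a.smith logs on to two hosts over a normal workday.
SAMPLE_LOG = """\
2023-11-06T09:00:12Z host=WS-104 user=j.doe result=success src=10.0.5.23
2023-11-06T09:03:41Z host=FS01 user=j.doe result=success src=10.0.5.23
2023-11-06T09:05:02Z host=SQL02 user=j.doe result=success src=10.0.5.23
2023-11-06T09:07:55Z host=DC01 user=j.doe result=failure src=10.0.5.23
2023-11-06T09:08:30Z host=APP03 user=j.doe result=success src=10.0.5.23
2023-11-06T09:09:10Z host=DC01 user=j.doe result=success src=10.0.5.23
2023-11-06T08:30:00Z host=WS-017 user=a.smith result=success src=10.0.7.4
2023-11-06T13:12:44Z host=FS01 user=a.smith result=success src=10.0.7.4
2023-11-06T17:45:00Z host=WS-017 user=a.smith result=success src=10.0.7.4
"""


def parse_line(line: str) -> dict:
    """Split '<timestamp> key=value ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def lateral_movement_alerts(log_text: str, window_minutes: int = 15,
                            min_hosts: int = 4) -> dict:
    """Return {user: sorted distinct hosts} for every account whose successful
    logons reach at least min_hosts distinct hosts inside any window of
    window_minutes. Failed logons are ignored: the signal is reuse that works."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        if event["result"] == "success":
            by_user[event["user"]].append((event["ts"], event["host"]))

    alerts = {}
    for user, logons in by_user.items():
        logons.sort()  # chronological; ties broken by host name
        for i, (start, _) in enumerate(logons):
            hosts = {host for ts, host in logons[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                alerts[user] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for user, hosts in lateral_movement_alerts(SAMPLE_LOG).items():
        print(f"ALERT {user}: one credential used on {len(hosts)} hosts: {hosts}")
```

Tune it against your own baseline: administrators and service accounts legitimately touch many hosts, so the check needs an allow-list or a per-account baseline, and it only sees the fan-out if logon events are collected from every host, not just the domain controllers.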
IMPERSONATING SOMEONE
Impersonation, or Identity Theft, means fully assuming someone else's identity through the improper use of data relating to the identity of another person. In other words, it is the use of the identity of another company or person, behind which the attacker hides, or operating under a fictitious identity.
The attacker uses Phishing (via e-mail), Smishing (via SMS) or Vishing (via telephone) against the victim, pretending to be a supplier, a customer or an
The goal is to push the user into logging in to a corporate portal or application with corporate credentials. At this point the criminal can move freely and, as in the previous case, starts a Lateral Movement until he reaches full control of the infrastructure.
A 26-year-old man known online as raccoonstealer, who took part in the Raccoon Stealer Malware-as-a-Service (MaaS) operation, was arrested in March 2022 by the Dutch authorities (together with the FBI and the Italian authorities), who dismantled the infrastructure of the Raccoon Infostealer and took the existing version of the malware offline.*
FBI agents identified more than 50 million unique credentials and forms of identification (email addresses, bank accounts, cryptocurrency addresses, credit card numbers, etc.), including over 4 million email addresses.
After his arrest, the Raccoon Stealer group ceased operations. However, in June they released a new version of the malware, rewritten in C/C++, with the following capabilities:
- Browser passwords and cookies
- Autofill data
- Credit cards
- Cryptocurrency wallets
- Screenshot capturing
"Why should my data be interesting to the attacker?"
To answer this question, here are some examples that come directly from our experience with Business Attack Simulations on medium and large
- Many employees save a list of personal or corporate account credentials in Excel or .txt files on their company computer, naming them "Credentials" or "Passwords".
- Many employees share their personal or business account credentials by e-mail or through instant messaging software such as Teams and WhatsApp.
- Many employees reuse the same credentials for all accounts and rarely change their passwords.
- Many companies still use obsolete or manual badge creation systems, such as storing employee names and data in .txt files saved on the computer desktop, without any password
Most predictable password combinations, based on our red team simulation experience
An attacker who manages to reach the company's credential database can try to recover the passwords in clear text from the stored hashes in two ways:
- Through Dictionary Attacks, trying the most commonly used words and patterns against the stored hashes.
- If no match is found, through Brute Force Attacks, trying every possible combination of characters.
The list below shows the most predictable password combinations according to our experience with organizations; as you can see, they perfectly mirror the most commonly used passwords outside the business context too.
- Company + current year
- Season/month + current year
- Special characters in place of letters
- Sequences such as abcd and 1234
- Department + current year
- User’s month/year of birth
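As an added illustration of the two approaches above (dictionary, then brute force) and of how cheap the listed patterns make the dictionary step, the following Python script is not part of the original guide. It builds a candidate list from exactly those patterns, hashes each candidate and looks it up against a constructed sample credential table; whatever the dictionary misses is handed to a short brute force. It assumes the table stores unsalted SHA-256 hashes and that the company is called "Acme"; both are assumptions for the demonstration, not facts from the page.

```python
"""Pattern-based dictionary attack followed by a short brute force.

Added demonstration, not the guide's own tooling. Assumptions: the leaked
credentials table stores unsalted SHA-256 hashes, and the company is "Acme".
"""
import hashlib
import itertools
import string


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


COMPANY = "Acme"  # assumed organisation name (hypothetical)

# Constructed sample table, username -> stored hash (not real data).
SAMPLE_TABLE = {
    "alice": sha256_hex("Acme2023!"),      # company + current year
    "bob":   sha256_hex("Summer2023"),     # season + current year
    "carol": sha256_hex("Sales2022"),      # department + year
    "dave":  sha256_hex("abcd1234"),       # abcd / 1234 sequence
    "erin":  sha256_hex("x7q"),            # short: survives the dictionary only
    "frank": sha256_hex("Tr0ub4dor&3xZ"),  # long, unpredictable: survives both
}

SEASONS_MONTHS = ["Winter", "Spring", "Summer", "Autumn", "Fall",
                  "January", "February", "March", "April", "May", "June",
                  "July", "August", "September", "October", "November", "December"]
DEPARTMENTS = ["Sales", "HR", "IT", "Finance", "Marketing", "Admin"]
YEARS = [str(y) for y in range(2019, 2025)]
SUFFIXES = ["", "!", "1", "123", "!1", "."]
LEET = str.maketrans("aeios", "43105")  # special characters in place of letters
SEQUENCES = ["abcd", "1234", "abcd1234", "1234abcd", "qwerty", "abcd1234!"]


def predictable_candidates(company: str = COMPANY) -> list:
    """Build the candidate list from the patterns in the section above."""
    words = []
    for base in [company] + SEASONS_MONTHS + DEPARTMENTS:
        for year in YEARS:
            for suffix in SUFFIXES:
                for word in (base + year + suffix, base.lower() + year + suffix):
                    words.append(word)
                    words.append(word.translate(LEET))
    for year in range(1955, 2005):  # birth month/year, e.g. 051985 or 0585
        for month in range(1, 13):
            words.append(f"{month:02d}{year}")
            words.append(f"{month:02d}{year % 100:02d}")
    words.extend(SEQUENCES)
    return list(dict.fromkeys(words))  # dedupe, keep order


def _index_by_hash(table: dict) -> dict:
    by_hash = {}
    for user, digest in table.items():
        by_hash.setdefault(digest, []).append(user)
    return by_hash


def dictionary_attack(table: dict, candidates) -> dict:
    """Hash each candidate once and look it up against every stored hash."""
    by_hash = _index_by_hash(table)
    found = {}
    for pw in candidates:
        for user in by_hash.get(sha256_hex(pw), []):
            found[user] = pw
    return found


def brute_force(table: dict, charset: str = string.ascii_lowercase + string.digits,
                max_len: int = 3) -> dict:
    """Try every string over charset up to max_len. 36^3 is about 47k tries;
    each extra character multiplies the cost by 36, which is why short
    passwords fall and long ones do not."""
    by_hash = _index_by_hash(table)
    found = {}
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            for user in by_hash.get(sha256_hex("".join(combo)), []):
                found[user] = "".join(combo)
    return found


def crack(table: dict) -> dict:
    """Dictionary first, brute force on the rest; returns user -> (password, method)."""
    hits = dictionary_attack(table, predictable_candidates())
    result = {u: (pw, "dictionary") for u, pw in hits.items()}
    remaining = {u: h for u, h in table.items() if u not in result}
    result.update({u: (pw, "brute_force") for u, pw in brute_force(remaining).items()})
    return result


if __name__ == "__main__":
    for user, (pw, how) in crack(SAMPLE_TABLE).items():
        print(f"{user}: {pw!r} recovered via {how}")
    print(f"dictionary size: {len(predictable_candidates())} candidates")
```

Running it recovers the four pattern-based passwords from a dictionary of only a few thousand candidates, recovers the three-character one by brute force, and leaves the long unpredictable one alone. Two lessons for the defender follow: length and unpredictability defeat both steps, and storing passwords with a slow, salted hash (bcrypt, scrypt, Argon2) instead of unsalted SHA-256 makes every single candidate far more expensive to test.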
Read our guide, print it, put it on your desk and share it for awareness purposes: