GUIDE ON CREDENTIALS THEFT:
Cyber Security Awareness Month (Unbirthday)
The main aim of this article is to celebrate the Cybersecurity Awareness Month's Un-Birthday which, as IMQ Intuity, we celebrate instead in November.
The reason is simple: #SecurityAwareness is a very hot topic every day; therefore, its "celebration" cannot be reduced to only one month a year.
On the occasion of the Cybersecurity Awareness Month's Un-Birthday, we thought we would share with you a practical guide about #CredentialsTheft.
PROTECT YOURSELF FROM CREDENTIALS THEFT
Credentials theft is the cause of many cyberattacks, and the number of incidents is
growing fast. In terms of effort, the easiest route for an attacker is no longer
social engineering alone or the exploitation of technological vulnerabilities alone.
Exploiting only technological vulnerabilities would mean underestimating the
human, sociological and psychological vulnerabilities of the user, which are
fundamental for an attacker in terms of ease of implementation and rate of
success. So the easiest way to attack is to steal credentials, and the two most
common ways are:
- Compromising the machines
- Impersonating someone
STEALING CREDENTIALS
COMPROMISING THE MACHINES
Starting from the compromise of a single system, the attacker captures the
credentials present on the compromised system and reuses them to access every
system where those credentials are valid (Lateral Movement). Then he steals more
privileged credentials until he gains full control of the infrastructure (Privilege
Escalation).
These activities usually go undetected, because they are hard to distinguish from
normal authentication traffic.
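The point above, that credential reuse hides inside ordinary authentication traffic, is exactly why it is worth looking at that traffic for the shape of lateral movement: one account succeeding against an unusual number of distinct hosts in a short window. The script below is an added example, not part of the original guide or of any IMQ Intuity tooling; the log format and the sample lines are constructed, and the window and threshold are assumptions to tune per environment.

```python
"""Flag accounts whose credentials are reused against many hosts in a short window.

Added example (not from the original article). Log format is a constructed,
simplified one: "<ISO timestamp> <user> <source host> <target host> <result>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: normal activity for alice, credential reuse for bob.
SAMPLE_LOGS = [
    "2022-03-01T09:00:00 alice WS-ALICE FS01 success",
    "2022-03-01T09:05:00 alice WS-ALICE MAIL01 success",
    "2022-03-01T13:00:00 bob WS-BOB FS01 success",
    "2022-03-01T13:00:10 bob WS-BOB FS02 success",
    "2022-03-01T13:00:20 bob WS-BOB APP01 success",
    "2022-03-01T13:00:30 bob WS-BOB DB01 success",
    "2022-03-01T13:00:40 bob WS-BOB DC01 success",
    "2022-03-01T13:01:00 bob WS-BOB BACKUP01 failure",
]


def parse_line(line):
    """Split one log line into a dict; assumes the constructed five-field format."""
    ts, user, src, dst, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "src": src, "dst": dst, "result": result}


def find_fan_out(lines, window=timedelta(minutes=10), max_hosts=3):
    """Return {user: sorted target hosts} for every user who authenticated
    successfully to more than `max_hosts` distinct hosts within `window`.

    Only successful logons count: lateral movement with valid stolen
    credentials looks like success, not like a burst of failures.
    """
    events = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event["result"] == "success":
            events[event["user"]].append(event)

    alerts = {}
    for user, user_events in events.items():
        user_events.sort(key=lambda e: e["ts"])
        # Slide a window starting at each event and count distinct targets in it.
        for i, start in enumerate(user_events):
            hosts = {e["dst"] for e in user_events[i:]
                     if e["ts"] - start["ts"] <= window}
            if len(hosts) > max_hosts:
                alerts[user] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for user, hosts in find_fan_out(SAMPLE_LOGS).items():
        print(f"possible lateral movement: {user} -> {', '.join(hosts)}")
```

The threshold is deliberately a count of distinct hosts rather than of logons, so a user who refreshes a file share twenty times is not flagged while a credential that suddenly opens five servers in forty seconds is.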
IMPERSONATE SOMEONE
Impersonation, or Identity Theft, means fully assuming someone's identity through
the improper use of data relating to the identity of another person. In other words,
it is the use of the identity of another company or person, behind which the hacker
hides or operates under a fictitious identity.
The attacker uses Phishing (via e-mail), Smishing (via SMS) or Vishing (via
telephone) against the victim, pretending to be a supplier, a customer or an
external collaborator.
The goal is to push the user to log in to a corporate portal or software with corporate
credentials. At this point, the criminal can move freely and, as in the case
above, proceeds with Lateral Movement until he reaches full control of
the system.
CURIOSITY
A 26-year-old man known as raccoonstealer, who had taken part in the Raccoon
Stealer Malware-as-a-Service (MaaS) operation, was arrested in March 2022. He
was arrested by Dutch authorities (together with the FBI and Italian authorities), who
dismantled the infrastructure of the Raccoon Infostealer and took the existing
version of the malware offline.*
FBI agents have identified more than 50,000,000 credentials
and forms of identification (email addresses, bank accounts, cryptocurrency
addresses, credit card numbers, etc.).
The credentials included over 4,000,000 email addresses.
After his arrest, the Raccoon Stealer Group ceased operations.
However, in June, they released a new malware family, written in C/C++, with the
following capabilities:
- Stealing browser passwords and cookies
- Stealing autofill data
- Stealing credit card data
- Stealing cryptocurrency wallets
- Screenshot capturing
“Why should my data be interesting to the attacker?”
To answer this question, here are some examples that come directly from our
experience in Business Attack Simulation on medium and large
companies:
- Many employees save a list of personal or corporate account
credentials in Excel or .txt files on their company computer,
naming them "Credentials" or "Passwords".
- Many employees share their personal or business account
credentials via e-mail or through instant messaging software, such
as Teams and WhatsApp.
- Many employees reuse the same credentials for all accounts and
rarely change passwords.
- Many companies still use obsolete or manual business badge
creation systems, such as storing employee names and data in .txt
files saved on the computer desktop, without any password
protection.
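The first finding in the list, credential lists kept in files literally named "Credentials" or "Passwords", is something a company can audit for itself before an attacker does. The script below is an added example (not part of the guide or of IMQ Intuity's tooling) that walks a directory tree and reports files whose name and extension match that habit; the name patterns and extensions are assumptions, and the sample tree is constructed in a temporary directory so the script runs offline.

```python
"""Hygiene audit: find files that look like saved credential lists.

Added example (not from the original article). Name patterns and extensions
are assumptions; extend them to match local naming habits.
"""
import os
import re
import tempfile

# Assumed name fragments and file types seen in the article's findings.
CREDENTIAL_NAME = re.compile(r"(credential|password|passwd|pwd)", re.IGNORECASE)
INTERESTING_EXT = {".txt", ".xlsx", ".xls", ".csv", ".docx"}


def find_credential_files(root):
    """Return sorted paths (relative to root) of files whose stem contains a
    credential-related word and whose extension is a plain document type."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() in INTERESTING_EXT and CREDENTIAL_NAME.search(stem):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def build_sample_tree():
    """Create a constructed directory layout mimicking the findings above and
    return its root. Only the names matter; contents are placeholders."""
    root = tempfile.mkdtemp(prefix="cred_audit_")
    layout = {
        "Desktop/Passwords.txt": "constructed placeholder",
        "Documents/Credentials.xlsx": "",
        "Documents/badges/employees.txt": "",        # badge data, but not matched by name
        "Documents/report_Q3.docx": "",              # unrelated document
        "Documents/old_password_policy.pdf": "",     # right word, extension not audited
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in find_credential_files(sample_root):
        print("review:", hit)
```

Run it against a user's profile directory (or a shared drive) and treat every hit as a prompt to move the contents into a password manager and delete the file; a name-based scan is cheap, and the point is to find the obvious cases before a real infostealer does.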
Most predictable password combinations based on our red team simulation experience
An attacker who manages to reach the company database may be able to recover
the passwords in clear text in two ways:
- Through Dictionary Attacks, the attacker tries to guess the passwords using
the most commonly used words.
- If he fails to find the correct string of words, he proceeds with Brute Force
Attacks, trying all letter combinations.
The list below shows the most predictable password combinations
according to our experience with organizations; as you can see, they perfectly
reflect the most commonly used passwords even outside the business context.

- Company + current year
- Season/month + current year
- Special characters vs letters
- Use of abcd and 1234
- Department + current year
- User's month/year of birth
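The six patterns above are easy to turn into a pre-enrolment check so that a new password built from them is rejected before it ever reaches the database a dictionary or brute-force attack would hit. The checker below is an added example, not code from the guide or from IMQ Intuity; the leet-substitution map, the small dictionary and the sample passwords are constructed, and the company and department terms are assumed to be supplied by the caller.

```python
"""Reject passwords that follow the predictable patterns listed in the guide.

Added example (not from the original article). The substitution map, the word
list and the sample inputs are constructed; company/department terms are
supplied by the caller.
"""
import re
from datetime import date

SEASONS = ("spring", "summer", "autumn", "fall", "winter")
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
SEQUENCES = ("abcd", "1234")                   # "Use of abcd and 1234"
COMMON_WORDS = ("password", "welcome", "qwerty")  # constructed mini dictionary
# "Special characters vs letters": map common substitutions back to letters.
LEET = str.maketrans({"@": "a", "$": "s", "3": "e", "0": "o", "!": "i", "1": "i", "5": "s"})


def _year_tokens(year):
    """Current year plus neighbours, in four- and two-digit form (2022, 22)."""
    years = (year - 1, year, year + 1)
    return {str(y) for y in years} | {str(y)[-2:] for y in years}


def _split_year(core, year_tokens):
    """If the password ends with a year token, return the part before it."""
    for tok in sorted(year_tokens, key=len, reverse=True):
        if core.endswith(tok) and len(core) > len(tok):
            return core[:-len(tok)]
    return None


def predictable_patterns(password, company_terms=(), department_terms=(),
                         birth_month=None, birth_year=None, current_year=None):
    """Return the list of guide patterns the password matches; [] means none."""
    year = current_year or date.today().year
    core = re.sub(r"[\s._-]", "", password.lower())   # drop separators
    core = re.sub(r"[^a-z0-9]+$", "", core)          # drop trailing "!" and similar
    findings = []

    prefix = _split_year(core, _year_tokens(year))
    if prefix is not None:
        plain = prefix.translate(LEET)               # "summ3r" -> "summer"
        checks = (("company + current year", company_terms),
                  ("season/month + current year", SEASONS + MONTHS),
                  ("department + current year", department_terms))
        for label, terms in checks:
            if any(plain == t.lower() for t in terms):
                findings.append(label)
                if plain != prefix:
                    findings.append("special characters/digits substituted for letters")

    if any(seq in core for seq in SEQUENCES):
        findings.append("abcd/1234 sequence")

    if birth_year:
        month_year = f"{birth_month:02d}{str(birth_year)[-2:]}" if birth_month else None
        if str(birth_year) in core or (month_year and month_year in core):
            findings.append("user's month/year of birth")

    if core.translate(LEET) in COMMON_WORDS:        # "p@ssw0rd" -> "password"
        findings.append("dictionary word")
    return findings


if __name__ == "__main__":
    # Constructed sample passwords; the company and department are assumptions.
    for pw in ("Acme2022!", "Summ3r2022", "HR-22", "abcd1234", "Mario.1985", "P@ssw0rd"):
        hits = predictable_patterns(pw, company_terms=["Acme"], department_terms=["HR"],
                                    birth_month=7, birth_year=1985, current_year=2022)
        print(f"{pw:12} -> {'REJECT: ' + ', '.join(hits) if hits else 'ok'}")
```

The year is fixed in the sample run so the output is stable; in production leave `current_year` unset so the check follows the calendar, and feed `company_terms` and `department_terms` from the directory rather than a hard-coded list. A check like this does not replace length and breach-list requirements; it only closes the specific habits the list above describes.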
Look at our guide, print it, put it on your desk and share it for informative purposes:
