Identity theft isn’t something that only happens to “other people”, reckless idiots who toss their bank statements in the trash without shredding them first. And it doesn’t just happen to individual consumers who forget to update the security software on their laptops and mobile devices. It happens all too often, and all too easily, to large enterprise companies, too.
Cyber criminals are constantly trawling the internet for individual and corporate credentials, meaning usernames and passwords. With these stolen credentials, they can enter your information systems, access your data and execute fraudulent financial transactions on your behalf or acquire sensitive information. In 2013, hackers breached the servers of The Washington Post to obtain access to employees’ usernames and passwords. A crisis was averted because:
- The passwords were stored in encrypted form
- There was no evidence that subscriber info, including addresses and credit cards, was accessed.
Fortunately, you don’t have to throw your hands up in the air and accept the inevitability of having your credentials hacked. Companies like SpyCloud use a technique called a compromised credential API. Leading technology companies use this approach to monitor the internet for ‘combo lists,’ where cyber thieves store and share maliciously harvested credentials, and to alert you immediately to change your passwords when your corporate or customers’ credentials have been exposed.
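To make the “compromised credential API” idea concrete, here is an added example (not SpyCloud’s code or API, and not from the original article) of the check such a service performs on the defender’s side. It ingests a combo list, keeps only password hashes, and classifies a login or password-change attempt three ways: the exact email:password pair is on a list (force a reset), the password alone is known from someone else’s leak (warn about reuse), or nothing matches. The lookup uses a k-anonymity style prefix query so the caller only reveals the first few hex characters of the hash. The combo-list entries, email addresses and passwords below are constructed for the example.

```python
import hashlib
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample combo-list entries (email:password pairs). These values
# are made up for this example and are not real leaked credentials.
SAMPLE_COMBO_LIST: List[Tuple[str, str]] = [
    ("alice@example.com", "Summer2019!"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "correct horse battery staple"),
]

PREFIX_LEN = 5  # hex characters of the hash the caller reveals in a range query


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of a password, used purely as a lookup key."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachIndex:
    """In-memory stand-in for a compromised-credential service's data store.

    Plaintext passwords are hashed on ingestion so the index never stores them;
    a hash is all the service needs to answer lookups.
    """

    def __init__(self, records: Iterable[Tuple[str, str]]) -> None:
        self.hashes_by_email: Dict[str, Set[str]] = {}
        self.all_hashes: Set[str] = set()
        for email, password in records:
            digest = sha1_hex(password)
            self.hashes_by_email.setdefault(email.lower(), set()).add(digest)
            self.all_hashes.add(digest)

    def range_query(self, prefix: str) -> List[str]:
        """k-anonymity style lookup: the caller sends only a hash prefix and
        gets back every matching suffix, so the service never sees the full
        hash of a password that is not already in its corpus."""
        return sorted(h[len(prefix):] for h in self.all_hashes if h.startswith(prefix))

    def email_seen(self, email: str) -> bool:
        return email.lower() in self.hashes_by_email

    def pair_seen(self, email: str, digest: str) -> bool:
        return digest in self.hashes_by_email.get(email.lower(), set())


def check_credential(index: BreachIndex, email: str, password: str) -> Dict[str, object]:
    """Classify one credential at the moment the plaintext is briefly available
    (login or password change). Returns flags plus a recommended action."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    password_exposed = suffix in index.range_query(prefix)
    exact_pair = index.pair_seen(email, digest)
    if exact_pair:
        action = "force_reset"   # this exact username:password pair is circulating
    elif password_exposed:
        action = "warn_reused"   # password is in a combo list under another account
    else:
        action = "ok"
    return {
        "email": email.lower(),
        "email_in_breach": index.email_seen(email),
        "password_exposed": password_exposed,
        "exact_pair_exposed": exact_pair,
        "action": action,
    }


def scan_accounts(index: BreachIndex, accounts: Iterable[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Run the check over many accounts and keep only those that need action."""
    results = (check_credential(index, email, pw) for email, pw in accounts)
    return [r for r in results if r["action"] != "ok"]


if __name__ == "__main__":
    idx = BreachIndex(SAMPLE_COMBO_LIST)
    for email, pw in [("alice@example.com", "Summer2019!"),
                      ("dave@example.com", "hunter2"),
                      ("erin@example.com", "unique-long-passphrase-42")]:
        print(check_credential(idx, email, pw))
```

The design point is that the service stores hashes rather than plaintext, the client reveals only a hash prefix, and an exact email:password match is treated more severely than a password that merely appears somewhere on a list; both outcomes still lead to a rotation prompt, which is the alert the article describes.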
How hackers use compromised credentials
In a 2013 article on the IBM-sponsored website securityintelligence.com, Dana Tamir reported one of the biggest credential breaches to date, in which keystroke-logging malware was used to steal the credentials of users logging into 93,000 websites. The stolen credentials allowed the hackers to access sensitive applications, including payroll systems. And that’s only the initial breach.
Not only does a threat actor access the company’s data, they also add the compromised credentials to ‘combo lists’ that they circulate on the public internet and the Dark Web. This is where compromised credential APIs earn their keep. End users of these combo lists know that lazy and forgetful online consumers often recycle their passwords on multiple sites.
Using a credential stuffing tool like SNIPR, cyber villains exploit that fact: they load the stolen credentials into the tool’s config files and ‘credential stuff’ popular sites like Instagram, Yahoo, Macy’s, and LOUIS VUITTON. If the hacker uses compromised credentials to access a site where the owner of those credentials has an account, they have the potential to steal account balances, loyalty points, or virtual currency. This is called an account takeover, or ‘ATO’.
It’s easy to carry out an ATO using compromised credentials
Criminals don’t need to be particularly smart or sophisticated to rip you off, and they don’t need to spend hours cruising the Dark Web or using complicated code. All they would need to do is read this article and fumble around in a quiet room with a laptop, an internet connection, and an ample supply of coffee and donuts.
How to protect your company’s information systems from ATO
It’s not just your company’s systems that are at stake. Once you’ve suffered a breach, your customers’ and even your suppliers’ credentials are up for grabs, too. This is why it is essential that you work with SpyCloud to monitor your systems and alert you when your credentials have made someone’s Top Ten Combo List.
There are other things you can do to protect your information systems, such as using malware protection to prevent keyloggers from capturing credentials. Train your staff to use strong passwords and never to reuse the same password across multiple sites.
Credential stuffers may not be the smartest tools in the box, but there are other, more sophisticated hackers out there.