Credential Harvesting: Phishing Campaigns and MitM Attacks
Today’s breaches continue to start with compromised email accounts, with monetary gain remaining the top motivation for stealing login credentials. Typically, these are opportunistic attacks, a sort of spray-and-pray tactic. According to Proofpoint’s report Human Factor 2019, 25% of phishing emails in 2018 were generic credential harvesting. Phishing is the number one attack vector, mainly because social engineering is still a wildly successful way to compromise users: so many people open and click on fake emails without thinking of the consequences.
What is Credential Harvesting?
Credential harvesting is the process of attacking an organization over the network in order to illegally obtain employees’ login information. Attackers deploy increasingly sophisticated Tactics, Techniques, and Procedures (TTPs) such as phishing campaigns, Man-in-the-Middle (MitM) attacks, and password dumping tools.
Today’s phishing campaigns use innocent-looking links to fake account login pages. In an attempt to bypass an organization’s email protections and firewalls, the links are often embedded in Word or PDF documents. The landing pages themselves are typically look-alike Microsoft suite login screens: Outlook, O365, OneNote, and MS Teams.
A recent example of a phishing campaign targeted MS Teams users. Fraudsters sent an email with the subject “You have been added to a team in Microsoft Teams.” When recipients followed the link, they arrived at a harvesting page that looked like a Microsoft login page.
The links in these emails typically point at legitimate services whose domains many organizations are unable to outright block, such as WordPress and SendGrid. Cyber criminals take advantage of this by redirecting from those sites to harvesting pages hosted on compromised websites. If a victim enters their credentials, the page reports the first password attempt as a failure, accepts the second attempt as successful, and then redirects to a new page. This increases the chance of a successful harvest by collecting two submissions. Attacks like this are a daily occurrence for most organizations.
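The failed-then-successful double submission just described leaves a recognizable trace in web proxy logs. The following detection is an added example, not code from the original article: it flags any user who POSTs twice to the same non-corporate host within a short window, with the second POST answered by a redirect. The log lines, hostnames and the corporate allow-list are all constructed for the example.

```python
"""Flag proxy-log sessions that match the double-submit harvesting pattern:
two POSTs to the same untrusted host within a short window, the second one
followed by a redirect. All log lines and hostnames below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log: "timestamp user method host path status"
SAMPLE_LOG = """\
2024-03-01T09:14:02 alice GET  cdn.example-blog.test /teams/invite.html 200
2024-03-01T09:14:20 alice POST cdn.example-blog.test /teams/login.php 200
2024-03-01T09:14:31 alice POST cdn.example-blog.test /teams/login.php 302
2024-03-01T09:14:32 alice GET  www.example-blog.test / 200
2024-03-01T10:02:10 bob   POST intranet.corp.test /sso/login 200
2024-03-01T10:03:55 bob   POST intranet.corp.test /sso/login 302
"""

# Constructed allow-list of hosts where repeated logins are expected.
TRUSTED_HOSTS = {"intranet.corp.test"}
WINDOW = timedelta(seconds=60)


def parse_log(text):
    """Parse the constructed log format into (ts, user, method, host, path, status)."""
    events = []
    for line in text.splitlines():
        ts, user, method, host, path, status = line.split()
        events.append((datetime.fromisoformat(ts), user, method, host, path, int(status)))
    return events


def find_double_submits(events, trusted=TRUSTED_HOSTS, window=WINDOW):
    """Return (user, host) pairs where a user POSTed twice to the same untrusted
    host within `window` and the second POST was answered with a 3xx redirect."""
    posts = defaultdict(list)
    for ts, user, method, host, _path, status in events:
        if method == "POST" and host not in trusted:
            posts[(user, host)].append((ts, status))
    hits = []
    for key, submits in posts.items():
        submits.sort()
        for (t1, _s1), (t2, s2) in zip(submits, submits[1:]):
            if t2 - t1 <= window and 300 <= s2 < 400:
                hits.append(key)
                break
    return hits


if __name__ == "__main__":
    for user, host in find_double_submits(parse_log(SAMPLE_LOG)):
        print(f"possible credential harvest: {user} -> {host}")
```

A hit is a prompt to reset that user's password and block the host, not proof on its own; legitimate sites that reject a mistyped password produce the same shape, which is why the allow-list and window matter.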
MitM attacks often use public Wi-Fi networks to harvest credentials. Cyber criminals set up routers to look like nearby businesses or legitimate public Wi-Fi and then wait for users to join the network. Once a victim connects, the attacker has the ability to monitor any traffic sent while on their router, including login credentials.
Password dumping tools
Tools like Mimikatz can extract plain-text passwords and hashes right out of memory. Once a system is compromised, attackers can dump its memory and steal further credentials to move laterally within an organization. Mimikatz is free to download and has been seen in malware like WannaMine, which uses Mimikatz to harvest passwords and hashes from an infected system and propagate to other systems within the organization.
How to Mitigate the Risk of a Cyber Attack
- Multi-Factor Authentication (MFA) is the best way to stem the tide of cyber attacks against an organization. MFA, which requires two (or more) login credentials, such as a password and a numeric code sent to your phone, is essential for privileged accounts. This is one of the easiest ways an organization can protect its systems and data from access abuse.
- Phishing education – Regularly train users on how to spot phishing emails, including phishing simulations to help users learn through experience.
- Use a VPN when connecting to untrusted Wi-Fi. A VPN encrypts all the data you send over the network. Be wary when connecting to any open Wi-Fi, as cyber criminals can easily eavesdrop on your actions while you are connected.
- Organizations should have the ability to collect telemetry from their endpoints to aid in the investigation of an incident. This could be a free PowerShell-based tool like Kansa, which is a modular incident response framework, or, if budget permits, an Endpoint Detection and Response (EDR) solution like Carbon Black, which works effectively. Once deployed to a system, organizations can configure Carbon Black sensors to ban tools like Mimikatz from executing and stop malware from propagating. EDR solutions also give organizations the ability to respond to threats and contain infections.