Breaching an organization's defenses typically begins with gaining initial access.
And one of the most effective ways hackers achieve this is by stealing credentials.
This is where credential harvesting attacks come into play, where cybercriminals collect large quantities of usernames and passwords (often through tactics like email phishing).
Below, we'll break down what these attacks tend to look like, how to spot them and the measures you can take to protect your employees.
What is credential harvesting?
Credential harvesting is a type of cyberattack focused on stealing user credentials, such as usernames and passwords.
Attackers often use phishing emails, fake login pages, or malware to trick users into sharing their login details.
Once obtained, these credentials allow attackers to gain unauthorized access to sensitive accounts, systems, or data.
How does credential phishing work?
Credential phishing targets employees by impersonating trusted entities to gain access to usernames, passwords, and other sensitive data.
Here’s how it typically works:
- Attackers create phishing messages: Attackers send emails or texts that look like they’re from trusted sources.
- These messages include malicious links: Phishing messages will contain links to fake login pages that closely resemble legitimate sites.
- Credentials are stolen via fake forms: Recipients are prompted to enter their login details, unknowingly sharing their credentials with threat actors.
- These credentials are then used in breaches: Attackers use the captured data to access your organization's sensitive accounts, systems or data.
Types of credential harvesting malware
Keyloggers
Keyloggers capture keystrokes on a user’s device to record credentials as they type.
Some keyloggers can even take screenshots to capture sensitive data.
Example: The notorious Emotet malware used keylogging capabilities to steal credentials.
This malware led to numerous high-profile breaches in the banking sector.
Infostealers
Infostealers search devices for stored login information, browser cookies, and passwords.
They can extract credentials from both browsers and apps.
Example: RedLine Stealer targets saved browser credentials and gaming accounts.
Remote access trojans (RATs)
RATs allow attackers to remotely control infected devices.
This means they can capture credentials, install additional malware and steal data.
Example: Agent Tesla RAT was used in spear phishing attacks against businesses to compromise their login information.
Phishing kits
Phishing kits create fake login portals that mimic legitimate websites.
This gives attackers the ability to trick users into submitting their credentials.
These kits are easily accessible on the dark web.
Example: A phishing kit was used to target Facebook and Instagram users - impersonating real login pages to harvest their credentials.
Browser hijackers
Browser hijackers redirect users to malicious websites or use fake forms for credential theft.
This often done via pop-ups or fake ads.
Example: The Adrozek malware hijacked browsers, displaying ads that led users to phishing sites.
Tactics used in credential harvesting attacks
Phishing and social engineering attacks
If you're in the cybersecurity space, then you probably already know all about phishing...
Attackers will use deceptive emails, messages, or websites to trick your employees into disclosing their login credentials.
Credential theft (from data breaches)
Attackers will get login credentials from data breaches and then use those credentials to attempt unauthorized access to accounts.
Brute force and credential stuffing
Automated tools can be used to systematically guess usernames and passwords until attackers find the correct combination.
Credential stuffing is when stolen credentials from previous data breaches are used access other accounts if users have reused passwords (which is why employees should be taught to never reuse passwords).
Man-in-the-middle (MitM) attacks
In this kind of attack, criminal actors will intercept communication between a user and a legitimate website or service, capturing their login credentials.
This tactic is often executed on unsecured Wi-Fi networks or via malicious browser extensions.
Credential dumping
Attackers gain access to systems where credentials are stored and use tools to extract and decrypt stored usernames and passwords.
This technique often targets Windows environments or browser password managers.
Some email attacks are more sophisticated than others
Office 365 credential phishing attacks are fairly common.
And the vast majority of these attacks are pretty poorly constructed.
These 'lazy' attacks will come from strange email addresses or contain obviously suspicious content.
However, some emails will look like carbon copies of real Microsoft emails, teams messages, email server notifications or O365 subscriptions.
Beware of advanced, embedded credential harvesting attacks
Phishing email are becoming increasingly more advanced and harder to detect...
Attackers are now embedding their credential harvesting page in the middle of the email body.
This stripped-back design makes this particularly dangerous.
Why?
Because a typical phishing email will usually give more away - with links malicious websites or attachments that you can cross-check.
Embedding form fields directly into an email makes credential phishing forms look more legitimate and tricky to tell apart from legitimate forms.
Note: Hoxhunt's cyber security simulation training will test employees on this kind of advanced attack to prepare them for the real thing.
Why should security awareness managers care about credential harvesting?
Data breaches: Credential harvesting tends to lead to data breaches. According to the 2023 Cost of a Data Breach Report by IBM, the average cost of a data breach globally was $4.45 million.
Financial loss: Stolen credentials will result in financial losses for your organizations. Verizon's 2024 Data Breach Investigations Report found that over the last decade, 31% of breaches involved the use of stolen credentials.
Reputation damage: Data breaches caused by credential harvesting can have a real, measurable impact on your organization's reputation and bottom line. Companies that experience a data breach tend to see an around a 3.3% decrease in their stock price.
Fines: If credentials are stolen and sensitive data gets into the hands of malicious actors, you could be in store for some hefty fines. GDPR fines for data breaches can reach up to 4% of your company's annual global turnover or €20,000,000 (whichever is higher).
Credential harvesting examples
SolarWinds supply chain attack
What happened?
SolarWinds, an IT management software provider fell victim to a sophisticated supply chain attack.
Attackers exploited compromised credentials to insert malicious code into SolarWinds' Orion software updates, distributing malware to thousands of SolarWinds customers (which included government agencies and major corporations!).
Business impact
The breach resulted in remediation costs, legal expenses, and severe damage to SolarWinds reputation.
Estimates suggest that the breach cost the U.S. government approximately $18 billion in total.
Colonial Pipeline ransomware attack
What happened?
Colonial Pipeline, a major fuel pipeline operator in the US, experienced a ransomware attack that disrupted fuel supplies along the East Coast.
Attackers used stolen credentials to access to Colonial Pipeline's network and deploy ransomware, leading to operational disruptions and fuel shortages.
Business impact
Disruption to critical infrastructure lead to widespread fuel shortages and transportation disruptions.
Not only did they have to pay ransom to the attackers, Colonial Pipeline also had to shell out for expenses related to incident response, remediation, and infrastructure upgrades.
When the dust settled, the total cost of the attack amounted to millions of dollars.
JBS cyberattack
What happened?
JBS, one of the world's largest meat processing companies, suffered a cyberattack that disrupted its operations in North America and Australia.
Stolen credentials were used to infiltrate JBS' network and disrupt meat processing operations, leading to supply chain disruptions and shortages in the meat industry.
Business impact
JBS incurred significant financial losses due to the ransom payment (an eye-watering $11,000,000), the cost of cybersecurity enhancements, incident response, as well as business continuity efforts.
The total cost of the attack exceeded millions of dollars, and concerns were raised about the company's ability to safeguard sensitive information and critical infrastructure.
Best practices for secure credential management
Although some credential-based attacks can be tricky to spot, there are still measures you can take to protect your employees.
Make sure employees are using strong passwords
Using strong, unique passwords that are difficult to guess or brute-force is your first line of defense.
Passwords should be complex, incorporating a mix of uppercase and lowercase letters, numbers, and special characters.
Employees shouldn't be using easily guessable information such as birthdays, names, or common phrases.
You'll also need to make sure employees update their passwords and avoid password reuse across multiple accounts.
Use password managers and vaulting
Password management tools and vaulting solutions can be used to securely store and manage passwords.
A password manager will allow employees to generate, store, and autofill complex passwords for different accounts, reducing the reliance on memory and minimizing the risk of password-related vulnerabilities.
You can also use vaulting solutions to centralize storage and access control for privileged credentials.
Audit and monitor user accounts and access
Regularly audit and monitor user accounts and access permissions to detect and mitigate potential security risks.
Conduct periodic reviews of user privileges, permissions, and access levels to ensure that users have the appropriate level of access required for their roles and responsibilities.
Look into risk-based access control methods
Implement risk-based access control methods to dynamically adjust access privileges based on user behavior, context, and risk factors.
You can also use contextual information such as user location, device characteristics, and login patterns to assess the risk level associated with access requests.
Adaptive authentication mechanisms that require additional verification steps for high-risk access attempts (such as MFA) may also help protect against credential phishing.
How to spot and respond to credential harvesting attacks
Monitor network traffic for anomalies
- Regularly monitor network traffic and logs for any unusual or suspicious activities indicative of credential harvesting attempts.
- Look for patterns such as multiple failed login attempts, unusual login locations or times, and repetitive access requests to sensitive resources.
- Implement intrusion detection systems (IDS) and security information and event management (SIEM) solutions to automate the detection of anomalous network behavior.
Investigate user accounts with unauthorized access
- Conduct thorough investigations into user accounts that exhibit signs of suspicious activity.
- Monitor user login activities, privilege escalations, and file access patterns to identify any unauthorized changes or misuse of credentials.
- Implement user behavior analytics (UBA) and anomaly detection techniques to identify deviations from normal user behavior and flag potential security incidents for investigation.
Incident response strategies
- Establish clear incident response procedures and workflows to guide security teams in detecting, containing, and mitigating credential harvesting incidents.
- Define roles and responsibilities, establish communication channels, and prioritize incident response actions based on the severity and impact of the attack.
- Use threat intelligence feeds to enhance incident response capabilities and identify emerging threats.
How to prevent credential harvesting
Make sure you have training in place
If you want to reduce risky behavior and equip employees to deal with security threats, security training is a must-have.
Employees will be brought up to speed on things like phishing emails, social engineering tactics, and password security best practices so that they're able to recognize and avoid potential threats.
Regular training and simulated phishing attacks will give employees a feel for what real threats look like as well as a process for dealing with them.
Implement multi-factor authentication (MFA)
MFA will give you an (essential) extra layer of security that is absolutely necessary for preventing credential phishing.
Although MFA doesn't provide 100% protection, what it does mean is that stolen passwords alone won't be enough to for attackers to gain any unauthorized access.
Regularly update your organization's software and devices
Keep software applications, operating systems, and devices up to date to safeguard against credential harvesters.
Software updates will often include patches and security fixes that address known vulnerabilities exploited by attackers.
Consider investing in security tools and solutions
Here are some of the tools you might want to look into:
- Endpoint security solutions
- Email filtering systems
- Network intrusion detection systems (IDS)
- Encryption technologies
- Identity and access management (IAM) solutions
- Password management tools.
How to simulate credential harvesting attacks
One in three data breaches are caused by credential theft.
Want to empower your end-users to detect and report credential harvesting attacks?
Here's what your training should do:
- Equip your employees with the skills to manage their credentials securely and quantify your risk levels.
- Integrate simulations of well-known login pages into your training, providing instant feedback to end-users as they enter their credentials to improve their skills.
- Monitor your performance and track your performance by tracking the number of end- users entering their credentials.
How credential harvesting attack simulations work in Hoxhunt
Hoxhunt utilizes both credential harvesting email templates and fake login pages to train employees on the entire lifecycle of credential-based attacks.
- Train on safe credential management: Build up end-users' ability to detect and report credential harvesting attacks.
- Simulate trusted login experiences: Mimic sites and login pages that are well-known and trusted by your end-users.
- Report the amount of entered credentials: Monitor and report the number of end-users starting to enter credentials.
- Ensure safe and secure training practices: Hoxhunt allows you to train your end-users securely, without storing any entered data.
Credential harvesting FAQ
How do cybercriminals use harvested credentials?
Cybercriminals use harvested credentials to gain unauthorized access to sensitive systems, accounts, or data belonging to individuals or organizations. They may exploit these credentials for financial gain, identity theft, espionage, or further cyber attacks.
What methods used in credential harvesting attacks?
Common methods used in credential harvesting attacks include phishing emails, where attackers impersonate legitimate entities to trick users into disclosing their credentials, and the use of keyloggers or malware to capture login information.
How can organizations detect and prevent credential harvesting attacks?
Credential harvesting attacks can be prevented by implementing security measures such as multi-factor authentication (MFA), employee training and awareness programs, email filtering and monitoring solutions, and regular security assessments and audits.
What should organizations do if they suspect that their credentials have been compromised?
If credentials have been compromised, immediately change passwords, revoke access to affected accounts, notify relevant stakeholders, and conduct a thorough investigation to identify the source and extent of the breach.
What is the difference between credential harvesting and credential stuffing?
Credential harvesting collects login data, while credential stuffing reuses it to gain unauthorized access across multiple platforms.
Credential harvesting is when attackers actively steal login details through methods such as phishing emails, fake websites, or malware.
Credential stuffing, however, is a brute-force attack using previously stolen login details.
Attackers attempt these credentials on multiple sites, exploiting the common habit of password reuse.
Sources
- Data Breach Investigations Report – Verizon, 2023.
- Cost of a Data Breach Report – IBM, 2023.
- Credential Phishing Threat Trends – Security Magazine, 2022.
- SolarWinds Hack Explained – TechTarget, 2020.
- Colonial Pipeline Attack Insights – CISA, 2022.
- Agent Tesla Malware Evolution – CrowdStrike, 2023.
- RedLine Malware Credential Theft – Security Intelligence, 2023.
- Adrozek Malware Targeting Browsers – Microsoft, 2020.
- Subscribe to All Things Human Risk to get a monthly round up of our latest content
- Request a demo for a customized walkthrough of Hoxhunt