How phishing steals user credentials

admin, 2023-11-30 13:38:08

Account credentials, a popular initial access vector, have become a valuable commodity in cybercrime. As a result, a single set of stolen credentials can put your organization's entire network at risk.

According to the 2023 Verizon Data Breach Investigation Report, external parties were responsible for 83 percent of breaches that occurred between November 2021 and October 2022. Forty-nine percent of those breaches involved stolen credentials.

How are threat actors compromising credentials? Social engineering is one of the top five cybersecurity threats in 2023. Phishing, which accounts for % of social engineering attempts, is the go-to method for stealing credentials. It is a relatively cheap tactic that yields results.

As phishing and social engineering techniques become more sophisticated and the tools become more readily available, credential theft should become a top security concern for all organizations if it already isn't one.

Phishing has evolved

With phishing and social engineering in general, threat actors are looking beyond using just emails:

  • Phishing campaigns are now multi-channel attacks that have multiple stages. In addition to emails, threat actors are using texts and voicemail to direct victims to malicious websites and then using a follow-up phone call to continue the ruse.

  • Threat actors are actively targeting mobile devices. Credentials can be compromised because users can be fooled by social engineering tactics across different apps. Half of all personal devices were exposed to a phishing attack every quarter of 2022.

  • AI has become a factor. AI is being used to make phishing content more credible and to widen the scope of attacks. Using victim research data, AI can create personalized phishing messages and then refine those messages to add a veneer of legitimacy for better results.

PhaaS is the road to stolen credentials

Still, not much is really needed to begin stealing credentials. Phishing has become good business as threat actors fully embrace the phishing-as-a-service (PhaaS) model to outsource their expertise to others. With the phishing kits sold on underground forums, even novices without the skills to infiltrate IT systems on their own can launch an attack.

PhaaS operates like legitimate SaaS businesses. There are subscription models to choose from and the purchase of a license is required for the kits to work.

Advanced phishing tools used to target Microsoft 365 accounts

W3LL's BEC phishing ecosystem exposed

For the past six years, threat actor W3LL has been offering its customized phishing kit, the W3LL Panel, in their underground market, the W3LL Store. W3LL's kit was created to bypass multi-factor authentication (MFA) and is one of the more advanced phishing tools on the underground market.

Between October 2022 and July 2023, the tool was used to successfully infiltrate at least 8,000 of the 56,000 corporate Microsoft 365 business email accounts that were targeted. W3LL also sells other assets, including victims' email lists, compromised email accounts, VPN accounts, compromised websites and services, and customized phishing lures. It is estimated that the revenue of the W3LL Store over the last 10 months was as much as $500,000.

Greatness phishing kit simplifies BEC

Greatness has been in the wild since November 2022, with sharp jumps in activity in December 2022 and again in March 2023. In addition to Telegram bot integration and IP filtering, Greatness incorporates multi-factor authentication bypass capability like the W3LL Panel.

Initial contact is made with a phishing email that redirects the victim to a phony Microsoft 365 login page where the victim's email address has been pre-filled. When the victim enters their password, Greatness connects to Microsoft 365 and bypasses the MFA by prompting the victim to submit the MFA code on the decoy page. That code is then forwarded to the Telegram channel so that the threat actor can use it and access the authentic account. The Greatness phishing kit can only be deployed and configured with an API key.

The underground market for stolen credentials

In 2022, there were more than 24 billion credentials for sale on the Dark Web, an increase from 2020. The price of stolen credentials varies depending on the account type. For example, stolen cloud credentials cost about the same as a dozen donuts, while ING bank account logins sell for $4,255.

Access to these underground forums can be difficult, with some operations requiring verification or a membership fee. In some cases, such as the W3LL Store, new members are admitted only on the recommendation of existing members.

The dangers of end-users using stolen credentials

The risks of stolen credentials are compounded if end-users are reusing passwords across multiple accounts. Threat actors are paying for stolen credentials because they know many people, more than, use the same password across multiple accounts and web services for both personal and business purposes.

No matter how impenetrable your organization's security may be, it can be difficult to prevent the reuse of valid credentials stolen from another account.

Financial gain is the motivation behind stolen credentials

After stealing account credentials, threat actors can distribute malware, steal data, impersonate the account owner, and carry out other malicious acts with the compromised email account. However, the threat actors who steal the credentials are often not the ones who will use them.

Financial gain remains the main reason behind 95% of breaches. Threat actors will sell the credentials they have stolen on underground forums for a profit to other threat actors who will use them weeks or months later. This means that stolen credentials will be the driving force behind underground markets well into the future. What steps are you taking to secure user credentials in your organization?

Block compromised passwords

Eliminate the security risks of compromised passwords with Specops Password Policy with Breached Password Protection that allows you to block more than 4 billion known compromised passwords from your Active Directory. All users will be prevented from using known compromised passwords and guided towards creating a different password that fits your policy. Also, if continuous scan is activated, users will be alerted by SMS or email as soon as their password has been discovered to be compromised.

You can fortify your password infrastructure by using the custom dictionary feature that allows you to block words common to your organization as well as weak and predictable patterns. Enforce a stronger password policy that meets today's compliance requirements with Specops Password Policy. Try it free here.
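
As an added illustration of the two controls described above, a breached-password check and a custom dictionary with weak-pattern rules, the following Python sketch evaluates candidate passwords against both. It is not Specops' code and does not reproduce the product's actual checks; the breach corpus, the dictionary words, and the k-anonymity style lookup are all constructed assumptions.

```python
import hashlib
import re

# Constructed breached-password corpus, kept as upper-case SHA-1 hex digests
# (hypothetical sample data, not a real 4-billion-entry breach list).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password1", "Welcome2023", "qwerty123", "letmein")
}

# Hypothetical organisation dictionary: company name, product, office city.
CUSTOM_DICTIONARY = ("acme", "widget", "springfield")

# Predictable patterns: keyboard walks / number runs, and any character
# repeated four or more times in a row.
WEAK_PATTERNS = {
    "pattern:keyboard_walk": re.compile(r"(?i)(qwerty|asdf|zxcv|12345)"),
    "pattern:repeat": re.compile(r"(.)\1{3,}"),
}

# Common "leet" substitutions are undone before the dictionary check,
# so that "@cm3" is still caught as "acme".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                      "$": "s", "!": "i", "4": "a"})


def is_breached(password: str) -> bool:
    """k-anonymity style lookup (assumed design): only the first five hex
    characters of the SHA-1 would leave the client; the full digest is
    compared locally against the suffixes returned for that prefix."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    returned_suffixes = {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}
    return suffix in returned_suffixes


def evaluate_password(password: str, min_length: int = 12) -> list[str]:
    """Return the list of policy violations; an empty list means the
    password is acceptable under this (assumed) policy."""
    reasons = []
    if is_breached(password):
        reasons.append("breached")
    normalized = password.lower().translate(LEET)
    for word in CUSTOM_DICTIONARY:
        if word in normalized:
            reasons.append(f"dictionary:{word}")
    for label, pattern in WEAK_PATTERNS.items():
        if pattern.search(password):
            reasons.append(label)
    if len(password) < min_length:
        reasons.append("too_short")
    return reasons
```

Each violation is reported separately so a user can be guided toward a compliant password rather than just told "rejected".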

Originally published on the WeChat public account 知机安全: How phishing steals user credentials

Reprints should retain this link (CN-SEC 中文网): https://cn-sec.com/archives/2255217.html