We rely on passwords to safeguard the accounts that let us conduct much of the business of life online. Our finances, personal information, and sensitive documents sit in the cloud, locked behind these strings of letters, numbers, and special characters. That makes those accounts prime targets for cybercriminals who conduct fraud and account takeover (ATO).
According to Verizon’s 2020 Data Breach Investigations Report, over 80 percent of breaches involving hacking used brute force or lost or stolen credentials. Credential lists are widely sold and traded on cybercriminal forums and marketplaces, and full accounts for various services can be bought for a few dollars.
So what is ATO? Literally what it sounds like: an attacker gaining access to a user’s account. Traditionally that means an e-commerce or financial account, which is then used to commit fraud. Such accounts are obviously valuable to attackers, but a wide range of other online services are targeted too, from streaming and cable TV subscriptions to VPNs and adult websites.
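The brute-force and stolen-credential activity described above usually shows up in an identity provider’s logs as credential stuffing: one source walks a list of username/password pairs, fails on most of them, and occasionally succeeds. The following is an added example written for this page, not code from the original post; the log line format, the thresholds, and the sample IP addresses are assumptions standing in for whatever your own authentication logs look like.

```python
"""Credential-stuffing detector run over a few constructed auth log lines.

Added example, not code from the original post. The log format and the
thresholds are assumptions; tune them to your own identity provider's logs.
"""
import re
from collections import defaultdict

# Constructed sample: one IP walks a stolen credential list (many usernames,
# mostly failures, one hit); a second IP is a single user mistyping a password.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth login user=alice src=203.0.113.7 result=FAIL
2024-03-01T10:00:02Z auth login user=bob src=203.0.113.7 result=FAIL
2024-03-01T10:00:02Z auth login user=carol src=203.0.113.7 result=FAIL
2024-03-01T10:00:03Z auth login user=dave src=203.0.113.7 result=FAIL
2024-03-01T10:00:03Z auth login user=erin src=203.0.113.7 result=FAIL
2024-03-01T10:00:04Z auth login user=frank src=203.0.113.7 result=SUCCESS
2024-03-01T10:00:05Z auth login user=alice src=198.51.100.20 result=FAIL
2024-03-01T10:00:09Z auth login user=alice src=198.51.100.20 result=SUCCESS
"""

LINE_RE = re.compile(r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)")


def parse_events(log_text):
    """Return (src_ip, username, succeeded) tuples; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["src"], m["user"], m["result"] == "SUCCESS"))
    return events


def detect_stuffing(events, min_users=5, min_fail_ratio=0.8):
    """Return {src_ip: [usernames that logged in successfully]} for IPs whose
    behaviour looks like credential stuffing: many distinct usernames and a
    high failure ratio. A successful login from such an IP is a probable ATO.
    """
    per_ip = defaultdict(lambda: {"users": set(), "fails": 0, "total": 0, "hits": []})
    for src, user, ok in events:
        stats = per_ip[src]
        stats["users"].add(user)
        stats["total"] += 1
        if ok:
            stats["hits"].append(user)
        else:
            stats["fails"] += 1

    alerts = {}
    for src, stats in per_ip.items():
        fail_ratio = stats["fails"] / stats["total"]
        if len(stats["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            alerts[src] = stats["hits"]
    return alerts


if __name__ == "__main__":
    for src, hits in detect_stuffing(parse_events(SAMPLE_LOG)).items():
        print(f"credential stuffing from {src}; probable takeovers: {hits}")
```

On the constructed sample only 203.0.113.7 trips the rule (six usernames, five failures out of six), and the one success from it, frank, is the account to lock and investigate; the second IP is one user retrying and is left alone. A single-IP heuristic misses stuffing spread across the proxy and VPN pools that, as the post notes below, are themselves sold for a few dollars, so in practice the same ratio is also keyed on ASN, user agent, or the password being tried.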
Our newest research paper From Exposure to Takeover goes over all this and more.
In most cases, a successful ATO starts with acquiring stolen credentials. Attackers can do this by breaking into a company and stealing a database of credentials, but there are four somewhat easier methods we explore in this section: harvesting credentials with malware, buying them on a criminal marketplace, renting access through a fingerprint market, and picking them up for free on cybercriminal forums.
Credential-stealing malware and phishing campaigns are not the focus of this research, but we would be remiss not to mention them. Numerous types of trojans and keyloggers exist for this express purpose, and new pieces of malware surface regularly.
Many credential harvesters target banking credentials in large volumes: they can be highly lucrative and are in high demand on underground marketplaces. Credential harvesters use a combination of techniques to acquire victims’ details, including man-in-the-browser attacks, in which code injected into the browser adds form fields to the bank’s pages as the victim sees them. These fields capture the victim’s credentials directly from the online banking session. They are sent to the attackers, who monetize them directly through fraudulent transactions or, more commonly, sell them to other threat actors seeking freshly stolen credentials.
While we’re on the subject of stealing credentials: we’ve also seen criminal advertisements for domain administrator access, meaning login details, credentials, or sensitive files taken from an organization’s (or individual’s) machine and usable to reach its systems, infrastructure, data, bank accounts, or other accounts. That takes the conversation from “simple” account compromise to complete network compromise, and we’ve seen such access sold or auctioned for an average of $3,139 and for as much as $140,000. The data may not always be valid, but the mere idea of a large corporation’s or government’s network administrator access being sold on criminal marketplaces is, to say the least, unnerving.
Privileged accounts, like administrator accounts, are considered extremely valuable in the criminal underworld. Not only do they give access to a network, but they feature the highest levels of control and trust, and their permissions are nigh unlimited. A person using a privileged account could change system configuration settings, read and modify sensitive data, or give other users access to critical assets.
We found domain administrator-access ads with descriptions including “petrochemical company,” “cybersecurity company,” “architecture and engineering company,” “petroleum company,” “big university,” and various state governments. Some vendors also mention the number of machines on the network, the number of employees, the site’s Alexa ranking, any intellectual property or sensitive documents on the system, and whether any domain trusts are available (a foothold that can extend into other domains), to give buyers an idea of the value of the access.
Another, more straightforward, option is simply to buy credentials on a cybercriminal marketplace. Using Shadow Search (Digital Shadows’ search tool, now ReliaQuest GreyMatter Digital Risk Protection), we gathered hundreds of marketplace advertisements for accounts over the past two and a half years, across nine active and defunct dark web marketplaces.
Across all these platforms, the average cost of a single account was $15.43. Unsurprisingly, banking/financial services accounts made up most of the listings and were, on average, the most expensive: $70.91. Access to antivirus program accounts came a distant second, averaging around $21.67. All other types of accounts averaged just under or well below $10. Some can even be had for under $2, such as file-sharing or video-game accounts.
In addition to being expensive, banking and other financial accounts are plentiful, accounting for 25 percent of all the access advertisements we observed. This makes sense: when you compromise someone’s bank account, you have direct access to all their funds, plus any sensitive personal information tied to that account. Many of the bank account listings we saw claimed to include the victim’s United States social security number, physical address, birthdate, and answers to security questions.
Even though the average cost of one banking account was just under $71, we saw some going for upwards of $500. The price can be influenced by many factors: whether it’s confirmed to hold a certain amount of funds, whether it has personally identifiable information (PII) attached, and its age (older accounts tend to be cheaper). Many higher-priced listings advertise “drop” accounts, meaning they can be used to facilitate money laundering or cash-out schemes.
In terms of geography, United States-based accounts were advertised most frequently on criminal forums and marketplaces, followed by Canada, Australia, the United Kingdom, and Germany. Cybercriminals very likely perceive North American accounts as the most profitable. Among non-financial accounts, the second and third most advertised were streaming and proxy or VPN accounts, at 13 percent and 12 percent respectively.
The listings we observed fit into the 11 categories shown in Figure 6. Many of the categories are for services that can be quite pricey if purchased legitimately. Would you rather pay $10 a month for yet another streaming service, or pay $5 for lifetime access?[1] Additionally, accounts for adult websites offer an added benefit: buyers may not want their real names or financial information associated with these services.
[1] By “lifetime” we actually just mean the time it takes for the account owner to realize their account has been compromised. This can be days, weeks, months, years, or never.
In any case, account accesses are relatively cheap. This is probably, at least partly, because of two main factors:
A happy medium between harvesting your own credentials and purchasing stolen ones is renting account access. We’ve been closely following the emergence and rise of markets for this kind of service, such as Genesis Market, which we first identified in April 2018.
These markets run their own injects and botnets to harvest credentials. But rather than buying a credential, you rent a victim’s identity for a given period for less than $10 (with prices rising depending on the type of access). The market also collects browser fingerprint data from each victim (cookies, IP addresses, time zones, and so on), which makes it considerably easier to perform ATO and transactions that go unnoticed: to the site’s fraud controls, the attacker’s session looks like the victim’s own browser.
Although other markets have since emerged as contenders, such as UnderWorld Market (formerly RichLogs) and Tenebris, Genesis Market retains its crown as the most popular. In Figure 11 you can see how it dominates discussions about fingerprinting, with 65 percent of references across criminal markets.
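To see why the fingerprint data these markets collect matters, it helps to look at the kind of device-recognition check it defeats. The block below is an added example written for this page, not code from the original post or from any market or fraud product: the profile attributes, their weights, the step-up threshold, and the two login attempts are all constructed assumptions standing in for what a real risk engine does.

```python
"""Login risk scoring and why a replayed browser fingerprint slips past it.

Added example, not code from the original post. Attributes, weights and the
step-up threshold are assumptions standing in for a real fraud engine.
"""

# Constructed: what the service last saw from the legitimate account holder.
KNOWN_PROFILE = {
    "session_cookie": "sess-9f1c2b7e",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/121.0",
    "timezone": "America/New_York",
    "ip_prefix": "198.51.100.",   # toy stand-in for geolocation: same /24 = same place
}

# Constructed: an attacker who bought only the password, logging in from
# their own browser on their own network.
PASSWORD_ONLY_ATTEMPT = {
    "session_cookie": None,
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/122.0",
    "timezone": "Europe/Moscow",
    "ip": "203.0.113.44",
}

# Constructed: the same attacker after renting the victim's "bot" on a
# fingerprint market. Cookies, user agent and time zone are replayed
# verbatim; only the network still differs.
FINGERPRINT_REPLAY_ATTEMPT = {
    "session_cookie": "sess-9f1c2b7e",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/121.0",
    "timezone": "America/New_York",
    "ip": "203.0.113.44",
}


def login_risk(attempt, profile):
    """Return (score, reasons). Each mismatch against the known profile adds weight."""
    score, reasons = 0, []
    if attempt.get("session_cookie") != profile["session_cookie"]:
        score += 3
        reasons.append("no recognised session cookie")
    if attempt.get("user_agent") != profile["user_agent"]:
        score += 2
        reasons.append("unfamiliar browser")
    if attempt.get("timezone") != profile["timezone"]:
        score += 2
        reasons.append("timezone mismatch")
    if not attempt.get("ip", "").startswith(profile["ip_prefix"]):
        score += 1
        reasons.append("new network")
    return score, reasons


def decide(score, step_up_at=3):
    """Below the threshold the login is allowed silently; at or above it the
    user is challenged (MFA prompt, e-mail confirmation, and so on)."""
    return "allow" if score < step_up_at else "step-up"


if __name__ == "__main__":
    for name, attempt in (("password only", PASSWORD_ONLY_ATTEMPT),
                          ("fingerprint replay", FINGERPRINT_REPLAY_ATTEMPT)):
        score, reasons = login_risk(attempt, KNOWN_PROFILE)
        print(f"{name}: score={score} -> {decide(score)} {reasons}")
```

The password-only attempt scores 8 and is challenged; the replayed fingerprint scores 1 (only the network changed) and is waved through. The signals a site uses to recognise a returning device are exactly what a fingerprint market packages with the credentials, so device recognition alone cannot be the reason to skip a second factor on sensitive actions.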
Although a threat actor could buy or rent account access, they’d be passing up an awful lot of credentials shared for free on certain cybercriminal forums. A significant share of Digital Shadows (now ReliaQuest) technology and closed-source collection is devoted to finding these credentials so you don’t have to. Databases of breached credentials are commonly shared for free on these forums: after someone posts a hashed data set, other forum users work on cracking it (“dehashing”, in forum parlance) and then post the plaintext passwords as a database.
To date, we’ve discovered 15 billion-plus credentials, stemming from more than 100,000 discrete breaches. Of these credentials, more than 5 billion are unique.
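The “dehashing” the post describes is quick because most leaked dumps store unsalted, fast hashes: a wordlist can be hashed once and every entry in the dump becomes a dictionary lookup. The block below is an added example written for this page, not code from the original post or from any forum tool. The e-mail addresses, passwords and wordlist are constructed, and the dumps are built inline with hashlib so the example runs offline; a real dump would contain only the hex strings.

```python
"""Why a leaked hash dump is "dehashed" so quickly: unsalted fast hashes.

Added example, not code from the original post. User names, passwords and
the wordlist are constructed; real dumps would simply be the hex strings.
"""
import hashlib
import os

WORDLIST = ["password", "123456", "qwerty", "letmein", "dragon", "iloveyou"]

# Constructed: the plaintexts behind the dump. Three users chose wordlist
# passwords; dave used a passphrase that is not in the wordlist.
PASSWORDS = {
    "alice@example.com": "password",
    "bob@example.com": "123456",
    "carol@example.com": "letmein",
    "dave@example.com": "correct horse battery staple",
}

# Constructed dump in the classic shape: email -> unsalted MD5 of the password.
UNSALTED_DUMP = {e: hashlib.md5(p.encode()).hexdigest() for e, p in PASSWORDS.items()}

PBKDF2_ITERATIONS = 20_000   # kept low so the demo runs in seconds; production uses far more


def pbkdf2(password, salt, iterations=PBKDF2_ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_salted_dump(passwords):
    """email -> (salt, pbkdf2 hash), each user with a fresh random salt."""
    dump = {}
    for email, pw in passwords.items():
        salt = os.urandom(16)
        dump[email] = (salt, pbkdf2(pw, salt))
    return dump


def crack_unsalted(dump, wordlist, algo="md5"):
    """Hash the wordlist once; every dump entry is then a dictionary lookup.
    Returns (cracked: {email: password}, hashes_computed)."""
    table = {hashlib.new(algo, w.encode()).hexdigest(): w for w in wordlist}
    cracked = {email: table[h] for email, h in dump.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(dump, wordlist):
    """With per-user salts nothing is shareable: every (user, candidate) pair
    costs a full PBKDF2 run. Returns (cracked, hashes_computed)."""
    cracked, computed = {}, 0
    for email, (salt, target) in dump.items():
        for w in wordlist:
            computed += 1
            if pbkdf2(w, salt) == target:
                cracked[email] = w
    return cracked, computed


if __name__ == "__main__":
    cracked, work = crack_unsalted(UNSALTED_DUMP, WORDLIST)
    print(f"unsalted md5:  {cracked} after {work} hash computations")
    cracked, work = crack_salted(make_salted_dump(PASSWORDS), WORDLIST)
    print(f"salted pbkdf2: {cracked} after {work} slow hash computations")
```

Both attacks recover the same three wordlist passwords, but the unsalted dump costs six MD5 computations in total regardless of how many users it holds, while the salted one costs six PBKDF2 runs per user, each deliberately slow. That per-user, per-candidate cost is the whole point of salted, slow password hashing (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count), and its absence is why a freshly posted dump is plaintext within days. Dave’s passphrase survives either way because it is not in the wordlist.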
Users of Russian-language cybercriminal forums like Exploit and XSS often freely share credentials for entertainment services with other forum members. These can range from individual credential pairs to files containing thousands of valid accounts.
These free accounts are typically limited to music and video streaming services, because:
A. Cybercriminals don’t want to pay for their own streaming, and/or
B. Cybercriminals obtain many accounts as byproducts, so they may sell the valuable goods (e.g. an expensive set of banking credentials) and share any leftovers for free (e.g. streaming credentials).
How very thoughtful.
Whatever the motive for their “philanthropy”, cybercriminals are building a sense of community on the forums they use, which is one of the critical determiners of a forum’s overall success. The more forum users feel an element of camaraderie with their fellow users, the more likely they are to stick around, if only for the free streaming accounts. We wrote about this in greater detail in our research paper The Modern Cybercriminal Forum.
So now that we’ve shared a few examples of what happens with stolen credentials, how are these actually obtained? Part 2 of this blog series will go over some examples of the tools cybercriminals use to gain access to your accounts.
If you can’t wait that long, go ahead and download our full, in-depth report, From Exposure to Takeover.
Don’t miss our on-demand webinar, where the authors take a deep dive into the research. Check out the recording here: https://resources.digitalshadows.com/webinars/account-takeover-webinar