Who gets paid to steal our passwords and logins?
Cybercriminals now value user information, like usernames and passwords that let them into different services, very highly. A study from 2023 from Verizon says that 83% of leaks are caused by outsiders. Also, hackers get into company systems and networks 49% of the time by using stolen passwords.
One of the best tools is phishing, which is a type of social engineering. People are usually tricked by fake emails that look like they are from well-known companies or government agencies and ask them to sign up or log in to a website that looks like it is real. Here, the person gives the scammers his information himself, so there is no need for any other fraud.
Many security steps have already been made to stop phishing. Because of this, thieves are always getting better and coming up with even smarter schemes.
Sending a phishing email first, then a call or voice message from a bank or other group is a new method. To get the victim to believe them, this is done. Attacks are also made more specific by using smartphone apps and artificial intelligence (AI) technologies.
People who are better at phishing sell their tools and tried-and-true methods on the black market. It's known as "phishing-as-a-service" (PaaS).
One well-known tool is the W3LL panel from the same-named group. It even has its own black market called the W3LL Store. The tool is made to break into Microsoft 365 business email. One of the most advanced forms of phishing that is growing on the dark web, it lets you get around multi-factor authentication.
Researchers say that this tool was used to break into at least 8,000 of the 56,000 Microsoft 365 accounts between October 2022 and July 2023.
The W3LL developers are selling more useful things besides the mailbox hacking tool, such as:
- Email address lists that have been hacked
- Information on how to get into hacked email accounts
- Get to info for VPN connections that have been hacked
- Hackers can get into websites and online services
- Templates and tools that are already made to organize phishing emails
- Greatness is a related tool that is also used to get around multi-factor authentication (MFA) and is aimed at Microsoft 365 users.
An employee is tricked into logging in to a fake Microsoft 365 account by a scam email. For extra safety, the email address is already filled in on the form. Greatness connects to the service and gets around MFA by asking the target to enter the code on a fake page after they enter their password. Hackers can then use this code to get into the real account because it is sent to a secret Telegram channel. To install and set up the Greatness suite, you need an API key.
On the dark web in 2022, more than 24 billion accounts that had been hacked were for sale. It costs anywhere from a few dollars for a simple account to thousands of dollars to get entry to bank accounts.
To buy data, you need to be able to get into certain underground sites. This sometimes needs a request from a member who is already there. The information that was gathered is used to commit scams, steal money, and do other illegal things.
Reusing identities, which means people who use the same usernames and passwords on different sites, is a very big risk. Attackers can get into the company network even if the systems are very well protected. All it takes is for an employee account to be hacked on another site.
There are numbers that show that more than 80% of people log into different systems with the same login. This is what hackers use to their advantage.
Companies are told to use special tools to block known passwords that have been stolen to lower their risks.
One example is the Specops Password Policy service, which lets you keep more than 4 billion passwords out of the Active Directory database. If that kind of password is tried to be set, the system will tell the worker to make a new, safer one.
So, you can make both business and personal accounts much safer by using an integrated method and modern technologies. This means making it harder for people to commit cybercrime and keeping the company from losing money.