How do cyber-criminals use credential phishing attacks to steal vital business data?

4 Oct 2018

© adimas/

Enterprises are increasingly finding themselves the targets of cyber-criminals seeking access to business systems using credential phishing – but what makes it so effective?

Cybersecurity officers have a litany of threats to think about, but one particular attack vector is growing in popularity, according to research from Menlo Security.

The method, known as ‘credential phishing’ is becoming increasingly common. While the most popular example of a credential phishing campaign was the 2016 attack on the former Hillary Clinton campaign chair John Podesta, it is not just political figures being targeted. The general trend shows that organisations are now being targeted, rather than consumers.

Prime targets for credential phishing

Potential marks for credential phishing campaigns include political campaigns, public agencies, enterprises and anyone with valuable data. In general, attackers are nation-state linked groups, advanced persistent threats, career cyber-criminals and hacktivists.

The general attack methods fall into two camps. Some mimic an authentic-seeming login website to harvest credentials, while others can often hijack an existing login page. Credential phishing attacks are, according to Menlo Security, often the spark for a much larger and more destructive attack. Phishing emails are simply how the threat gains network access before demanding a ransom, stealing data or causing general destruction.

Exploiting the weakest link

Credential phishing attacks prey on the weakest link in any organisation’s cybersecurity strategy: people. If a legitimate-seeming email from your boss, your bank or a trusted internet firm such as Google lands in your inbox, you may fall victim.

As the report explains: “[Attackers] use email messages that induce fear, a sense of urgency, curiosity, reward and validation, an emotionally charged response by their victims, or simply something that is entertaining and a distraction to convince, cajole or concern even seasoned users into opening a phishing email.”

Lax enforcement of security policies is another big risk. According to data from Menlo Labs, 1.3pc of the URLs in received emails were clicked across its customer base over the last month. Enforcement of policies such as multi-factor authentication take time and users are often reluctant to change workflows.

What are the characteristics?

The latest Verizon Data Breach Digest found that a massive 72pc of enterprise data breaches originate from phishing attacks and every industry from finance to entertainment is a target. Menlo Labs found that the most popular day for attackers to send a phishing email was Tuesday.

Workplace productivity tools such as OneDrive and Office365 were popular targets as people are likely to click these links from a work computer. Expiring passwords and a fear of being locked out of work emails were characteristics of many credential phishing emails.

The report added: “Most fascinating, perhaps, is that in every industry, the attack set-up, deployment and results are exactly the same: A user’s secure credentials and possibly other PII (personal identifiable information) is stolen, and an attacker is able to access that user’s email account, banking and financial accounts, healthcare information, and more .”

The nature of the attacks are also highly individualised. “Credential phishing attacks are not intended for mass delivery. Instead, they are typically targeted to a specific individual who the attackers know has the required credentials to access the information they want.

“These attacks do not use a cookie-cutter approach since the TTPs (tactics, techniques and procedures) are often tailor-made to target a specific organisation, group, or individual.”

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects