How does email security prevent credential harvesting?

Why does credential harvesting pose a risk to organizations?

Credential harvesting is a common technique ransomware groups and initial access brokers (IABs) use to gain access to sensitive information, such as financial data, customer records, and intellectual property. 

• Data Theft: Attackers use stolen credentials to steal, manipulate, or leak sensitive data and proprietary information. This data may include customer records, financial data, intellectual property, and other confidential information.
• Disruption of Operations: Attackers disrupt an organization's operations by using stolen credentials to lock users out of their accounts, encrypt files (ransomware attacks), or manipulate critical systems. Disruptions like these can lead to downtime and financial losses.
• Financial Loss: Unauthorized access and data breaches can result in direct financial losses, such as theft of funds, fraudulent transactions, or legal costs associated with data breach notifications and regulatory fines.
• Reputation Damage: Credential harvesting data breaches can negatively impact an organization's reputation. Loss of trust from customers, clients, and partners can have long-lasting consequences.
• Legal and Regulatory Consequences: Depending on the jurisdiction, organizations may be subject to various legal and regulatory requirements for protecting user data. Failure to do so can lead to legal consequences, fines, and other sanctions.
• Compromised Accounts: Even if attackers do not gain access to sensitive systems, they can leverage compromised accounts to launch further internal and external attacks against the organization, including spear-phishing campaigns that target employees, customers, or partners.

What are some common credential-harvesting techniques?

There are multiple ways cybercriminals can steal an organization's credentials. Here are some of the most prominent.

Phishing Emails

Attackers craft phishing emails to appear legitimate and urgent. These emails may contain alarming content, such as warnings about security breaches, account suspension, or enticing offers. Phishing emails use many forms of impersonation to create a sense of urgency and trick recipients into taking action. 

Impersonation

Ransomware groups often use various impersonation techniques to gain trust, deceive victims, and successfully deliver their malicious payloads. Below are some common types of impersonation methods employed by ransomware groups:

• CEO or Executive Impersonation: Attackers may impersonate high-ranking executives or company leaders in phishing emails to make their requests credible and create a sense of urgency. These emails often request sensitive information or actions from employees.
• Brand Impersonation: Attackers may pretend to be well-known brands or products in phishing emails or on malicious websites to trick users into downloading malware or revealing sensitive information. As of July 2023, the top impersonated brands include Microsoft (29%), Google (19.5%), Apple (5.2%), Wells Fargo (4.2%), Amazon (4%), and Walmart (3.9%). 
• IT Support Impersonation: Attackers may pose as IT support personnel, asking users to download and run malicious software under the pretext of resolving technical issues leading to a potential ransomware infection.
• Cloud Service Providers: Some ransomware groups imitate popular cloud service providers like Microsoft or Google in phishing emails. They may claim security issues with the victim's account and ask for login credentials.
• DNS Impersonation: Attackers impersonate DNS servers or manipulate DNS settings to redirect victims to legitimate-looking but malicious websites or servers, where they may unknowingly download ransomware. The fraudulent website may also install malware to give attackers sustained access to the user's device and data.

Malicious websites

Phishing emails often contain links to what looks like a legitimate website but go to a malicious website designed to steal users' credentials and other personal information. These emails may contain urgent messages, such as an essential security policy update or a warning that the user's account has been compromised and requires account verification. When victims click on the provided link, they are redirected to a fraudulent login page and prompted to enter their username and password. The victim's information is then sent to the attacker. 

These websites may also deploy malware. When a user clicks on the link, it downloads and opens a malicious file. Once installed on a computer, the malware can steal users' credentials and spread to other systems. 

Initial Access Brokers

Using initial access brokers (IABs) is a growing cybercrime trend. It helps ransomware groups and their affiliates scale faster and target more organizations simultaneously to increase their success rate. IABs sell compromised corporate networks access to other cybercriminals, such as ransomware gangs and their affiliates. 

IABs act as a force multiplier for ransomware groups and affiliates by providing access to already breached networks. By outsourcing the initial access, ransomware gangs can focus on developing, maintaining, and deploying ransomware and growing affiliate operations.

How is phishing used for ransomware attacks?

Understanding the role credential harvesting plays at pivotal stages within the attack lifecycle is vital to successfully defending against cyber threats. 

Reconnaissance: Before infiltrating an organization, attackers gather as much information as possible about their target to plan their campaign.

• Open-source Intelligence (OSINT) Gathering: Threat actors use OSINT tools like Shodan to uncover information about a potential target, including identifying key individuals, scanning for vulnerabilities, and researching employees on LinkedIn.

Initial Access: Ransomware groups use phishing emails, social engineering, unpatched vulnerabilities, or stolen or weak credentials to infiltrate an organization. Credential harvesting comes into play when attackers aim to acquire valid login credentials.

Escalation & Lateral Movement: Once inside the network, attackers may exploit vulnerabilities to gain higher-level access or move into other systems.

• Pass-the-hash attacks: A type of credential harvesting that allows attackers to escalate privileges using captured hashed credentials (password hashes) from one system and to authenticate and access another system.

Data Exfiltration: In some cases, before deploying the ransomware, attackers exfiltrate sensitive data from the organization's systems. This data is used to pressure the victim into paying the ransom. If the victim refuses to pay, the attackers may leak the data publicly.

Ransomware Deployment, Execution, and Encryption: Once the attackers are confident in their access and have identified critical systems, they deploy the ransomware. 

Impact and Recovery: The victim organization faces significant disruption, financial losses, and potential data exposure due to the ransomware attack. Recovery involves restoring systems from backups, removing malware, and sometimes negotiating with the attackers to obtain the decryption key.

How do you identify credential harvesting?

Follow these best practices to avoid potential cyberattacks that use credential harvesting.

• Scrutinize the Sender's Email Address: Phishing emails often use deceptive addresses that closely resemble legitimate ones. Look for subtle misspellings or unusual domain names.
• Analyze Email Headers: In advanced cases, you can examine the email's header information to check for anomalies or signs of spoofing. 
• Check for Urgent or Threatening Language: Phishing emails often use time-sensitive language, threats, or fear tactics to pressure you into taking immediate action. Be suspicious of emails that claim your account will be suspended or that you will face legal consequences if you don't act promptly.
• Verify Links: Do not click, but hover your mouse pointer over any links in the email to see the entire URL and where the link leads. Be cautious if the link's destination doesn't match the supposed sender or if it leads to a suspicious or non-standard domain.
• Inspect the URL in the address bar closely. Ensure it's a legitimate and secure website. Be cautious if the URL starts with "http://" instead of "https://," as the former is less secure.
• Scrutinize the Content: Poor grammar, spelling mistakes, and awkward sentence structure are common in phishing emails. Legitimate organizations typically pay better attention to detail in their communications.
• Beware of Unsolicited Attachments: Do not open attachments or download files from unsolicited emails, especially if they have suspicious file extensions like .exe, .zip, or .js.
• Cross-Check Information: If the email claims to be from a known organization, contact that organization directly (not through email) to verify the request's legitimacy.
• Use Caution Around Pop-Up Forms: Some phishing emails contain pop-up forms that request sensitive information like passwords or credit card details. Legitimate organizations typically do not ask for such information via email.
• Use an Email Filter: Employ email filtering software that can automatically detect and flag potentially malicious emails. Most email services have built-in spam filters.
• Report Suspected Phishing: If you receive a suspicious email, report it to your organization's IT or security team and follow their guidance. Most email services also have options to report phishing emails.

What steps can you take against credential harvesting?

Credential harvesting is a significant threat because it preys on human psychology and trust. It relies on social engineering tactics and the assumption that victims may not thoroughly scrutinize the legitimacy of the communication they receive. To protect against credential harvesting attacks, individuals and organizations should:

• Utilize an email security solution that scans and quarantine potentially malicious emails to protect your organization.
• Train employees and users about the dangers of phishing and how to recognize phishing attempts. Regular security awareness training can help raise awareness.
• Implement robust password policies and use multi-factor authentication (MFA) to add additional layers of security beyond just usernames and passwords.
• Conduct regular security assessments and penetration testing to identify vulnerabilities.
• Monitor security and incident response procedures.
• Continuously update and patch known vulnerabilities for software and systems. 
• Regularly review and update access control and permission settings.
• Employ advanced threat detection and prevention tools.
• Develop and test incident response plans to minimize the impact of a breach.
• Keep data encrypted so that even if it's stolen, it's useless to the hacker. Complete regular security scans to identify suspicious activities on the network.
• Encourage users to verify the legitimacy of communications, especially when they involve sensitive information or requests for login credentials.
• Use anti-phishing pools that filter, detect, and block phishing attempts.

How does Trellix Email Security help prevent credential harvesting?

Trellix Email Security prevents credential harvesting through a comprehensive and rigorous testing process that includes:

• URL Inspection: We analyze URLs and phishing emails to detect any attempts to lead users to malicious websites.
• Website Inspection: Our software inspects the websites themselves for common elements associated with phishing. 
• Visual and Content Analysis: We employ image graphing techniques to identify websites impersonating legitimate brands to determine if a website or pop-up is a malicious copycat.
• Machine Learning: Our SkyFeed machine learning models crawls over 60 different sources of data, including research blogs, forums, third-party intelligence feeds, and contact content produced by the top security researchers to gather intel on malicious URLs pointing to ransomware sites with malicious payloads, command and control domains, and block list URL's.
• Malware Detection: We proactively search for top malware families to stay updated, and the process is fully automated, ensuring we maintain up-to-the-minute visibility and updates.
• Natural Language Processing: Trellix utilizes natural language processing to analyze unstructured text data, identifying patterns in phishing trends. For example, we use fuzzy string similarity algorithms to identify text, such as signing in with your email address. We train our model regularly to ensure the classifier knows the latest phishing trends.
• Deeper Website Inspection: Our crawlers interact with website content, clicking URLs and downloading files like Word, Doc, or PDF to check for embedded URLs.
• Knowledge Base: We've developed a knowledge base of known bad artifacts that we continually use for similarity analysis, and we continue to add new malicious artifacts as we discover them.
• Domain Object Model: Using the hierarchical structure of web pages, our software detects patterns in phishing pages. Our model was developed based on 30 handpicked DOM features and more than 100,000 known malicious and banana or benign web pages to test which model worked best for identifying similarities to known phishing sites.