
Credential theft industry booming in US, declining in Asia & EU

10 Oct 18

Compromised credentials are a constantly occurring headache for businesses and consumers around the world.

However, research from enterprise-class cyberthreat intelligence company Blueliv shows the rate of stolen credentials depends significantly on where you are in the world.

It was a great harvest for cybercriminals targeting North America in the second quarter of 2018: compromised credentials retrieved from botnets geolocated to the region skyrocketed 141 percent quarter over quarter (June to August 2018 compared with March to May 2018).

Meanwhile, Europe and Russia actually saw a decrease of 22 percent, while Asia plummeted 36 percent. Obviously, there were some profitable campaigns in North America over the quarter.

The data holds even more insights when taken to a deeper level. For instance, between just July and August, geolocated credentials detected from Europe and Russia fell 33 percent, while Asia surged 77 percent.

According to Blueliv, this suggests a sizeable botnet was taken down in Europe, while a campaign targeting Asia was thriving.

“All it takes is a single good credential for a threat actor to gain access to an organisation and cause havoc,” says Blueliv CEO and founder Daniel Solís.

“We are observing a booming market for credential theft, and the latest statistics show that this sort of cybercrime is a truly global enterprise. By understanding the lifecycle of the compromised credential, CISOs seeking to protect their business and analysts looking for IOCs gain valuable information to shrink their attack surface.”

In terms of the malware families used by cybercriminals, Pony, KeyBase and LokiPWS (also referred to as Loki Bot) were consistently the most common tools of choice, although in popularity Pony has always been several lengths ahead of its counterparts.

However, LokiPWS is hot on its heels: in May its distribution was up more than 300 percent year over year, and during the second quarter the number of LokiPWS samples almost doubled, a 91 percent increase quarter over quarter.

Solís says the growth of LokiPWS is of particular concern. It can be used both as a loader for other malware and as a password and cryptocurrency-wallet stealer. It is widely available on a variety of underground markets as a modular product, usually priced between US$200 and US$300 depending on the intended use.

“Our analysts have been following the development of a huge variety of malware families,” says Solís.

“Source code leaks of different versions of LokiPWS in recent years have probably influenced its increase in usage as a credential stealer, but this does not mean that we should discount the likes of Pony, Emotet, KeyBase and AZORult, which continue to be disturbingly effective around the world.”

Blueliv shares its intelligence in a bid to socialise cybersecurity and encourage parity to enable businesses around the world to fight cybercrime collaboratively.