Anatomy of Credential Theft

By 17th September 2018 Blog No Comments

Credential Theft lies behind most cyber-attacks today.(1) An astonishing 81% of hacking breaches leverage stolen passwords. (2)

Part of the problem is that network perimeter security is no longer effective in a cloud world, as compromise is not detected by traditional on-premise security appliances, information security systems or email scanning services.

The other problem is user-based. Credential phishing emails are getting more sophisticated, and IT users are being convinced to enter their login details by following fake links masquerading as normal business processes. A good example is an email asking to review a DocuSign document, like this:


The link will lead to a login page that looks familiar but is a fake site for harvesting credentials.

Once the credentials are harvested, attackers can easily by-pass perimeter defences and become the insiders. 


  1. Source: Information Age
  2. Source: Verizon 2017 Data Breach Report


What happens in Credential Theft – What’s the damage?

The impact of credential theft is instant and costly – leading to theft of data, reputational loss and targeted whaling attacks.


Stage 1. Data Compromise & Reconnaissance

The attacker will usually look at what data is available in the email system and associated user file stores (OneDrive, Dropbox, SharePoint, etc.). They will be looking for data associated to financial transactions for potential future Whaling attacks (see Stage 3. Whaling)

Whilst accessing email data, the attackers will be looking for email related to payment information and authorisation processes, workflows and business relationships – anything that can be used for a more targeted attack.

In addition, the attacker will be looking for email distribution lists and personal address books.

It is usual for the attacker at this stage to set up a mailbox forwarding rule, so that all future emails to the compromised account get sent automatically to the attackers account (without the real owner knowing).


Stage 2. More Credential Harvesting

This is the most damaging stage from a business reputation perspective. The attacker logs into the hacked email account and sends a phishing email to all the email addresses gathered in the previous stage.

This is not detected by any email scanning systems as it looks genuine, is outgoing and there is potentially no previous history of the link being malicious.

This is often sent to clients, and with it being sent from a legitimate business email account and domain that they are familiar with, it is likely that recipients will click on the link to review the file that is being sent.

Of course, there is no file, and the login doesn’t work, but that’s irrelevant – the credentials will now be harvested for everyone who clicks on the link and tries to download.

This means that you can potentially compromise your customer without even knowing.


Stage 3. Whaling

This is the final stage of the attack and is usually targeted towards a senior executive who signs off invoices for payment, this is known as ‘Whaling’. Part of the reconnaissance phase will be to identify the process for payment authorisation.

The attacker then submits an email for an urgent request for payment – either from the compromised account, or from a spoofed email account. For example, this could be an accounting executive’s compromised account, submitting a fake invoice for sign off by the Financial Director.

The attacker deletes the items they send from the sent folder so that the genuine account owner has less chance of seeing the request.


How to Stop an Attack

There are two effective ways to stop attacks:

  1. Tighten data security through policy-based controls – e.g. Multi Factor Authentication on all cloud application accounts, Conditional Access and Mobile Device Management.

  2. Setup real-time analysis of log files and look for suspicious events across cloud applications, and block the attacks before they happen.


Syntax have a launched a new service to combat credential theft