What are Credential Phishing Attacks?
Credential phishing is one of the most common types of email-based cyber attacks, accounting for 69% of all advanced email attacks. Credential phishing emails are designed to look like legitimate communication about an existing online account, with the goal of tricking victims into "logging in" on a page the attacker controls. Once they do so, the attacker holds a valid username and password, which they can use to compromise additional services (especially where the password is reused) or, when the compromised account is an email account, to reset passwords elsewhere and launch further attacks from a trusted mailbox.
How Does Credential Phishing Work?
A credential phishing email contains a link to a malicious website designed to resemble a legitimate login page. It prompts the victim to submit their credentials, usually under the pretext of account verification or identity validation. Once the victim submits the form, the username and password are sent to the attacker rather than to the real service, and the account is effectively compromised.
Many phishing websites are difficult to distinguish from their legitimate counterparts, with only a few subtle differences from the original. Building one typically involves cloning the real website, editing the login form so that it posts to a credential-stealing script instead of the real authentication endpoint, and bundling the files into a zip archive known as a phishing kit.
A phishing kit is essentially the collection of files needed to stand up a fully functioning phishing site. Once the kit is uploaded to the attacker's hosting and unzipped, the phishing site is live. With the infrastructure in place, the attacker sends emails impersonating the legitimate service to the targets, with links pointing back to the site. At that point, all that is left to do is wait for the credentials to roll in.
Why Does Credential Phishing Bypass Traditional Email Security?
Sophisticated phishing attacks are targeted and difficult to identify. They can bypass traditional security in several ways.
Emails appear legitimate because the sender is using a compromised account or a convincing spoof. In many cases the attacker registers a lookalike domain and publishes SPF, DKIM and DMARC records for it. Those checks then pass, but a pass only proves that the message came from the domain it claims to come from; it says nothing about whether that domain belongs to the brand being impersonated.
The link included in the email isn't inherently suspicious: the URL differs from the real one by a character or two, or uses a domain that threat intelligence feeds have never seen before because it was registered for this campaign.
There’s no malicious attachment included in the email.
Credential phishing attacks also contain manufactured urgency and social engineering tactics that make victims overlook suspicious signs. For example, they may state that the user only has one hour to verify their account before they lose access.
How Credential Phishing Is Evolving
Prior to 2017, most credential phishing attacks targeted individual credentials at financial institutions; however, as other cyber attacks shifted focus from individual to enterprise targets, so did credential phishing.
Enterprise credentials can be used for a wide variety of purposes, which makes them much more valuable to cybercriminals. For example, employee credentials can be used to read payment-related communications as the initial stage of a business email compromise attack. In other instances, they can be used to pivot to other cloud applications via single sign-on and steal sensitive documents. And when the compromised accounts are Microsoft 365 or Google Workspace accounts, they can be used as a platform to send further phishing campaigns from legitimate infrastructure that recipients and filters already trust.
This flexibility is why enterprise credentials are often a golden ticket for cybercriminals and why credential phishing attacks represent a significant risk to all organizations.
How Modern Email Security Can Detect Credential Phishing
Credential phishing relies on manufacturing urgency and impersonating a trusted sender, whether a brand, an internal party, or an executive. Organizations need email security that uses behavioral baselining to spot the irregularities present in a credential phishing attack. The questions such a system asks include:
Does this email contain an unusual request, such as a password reset or a VPN login?
Does the domain in the From header belong to the brand or person the message claims to be from, and does the display name match the email address? Does the envelope sender match the From header?
Does this email have a suspicious tone, such as time-sensitive urgency?
Does the link lead, directly or through redirects, to a domain other than the one it appears to name?
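The checks listed above, as an added example in Python that is not code from the original page or from any vendor product. It parses a raw message with the standard library email module and flags a display name that claims a protected brand while the From domain is not one of that brand's, a From domain or link domain that is a lookalike of a brand after folding common homoglyphs (0 for o, 1 for l, and so on), a mismatch between Return-Path and From, urgency wording, and credential-related requests. It also records that an SPF or DMARC pass on a lookalike domain does not clear the message. The brand-to-domain map, the homoglyph table, the keyword patterns and both sample messages are constructed for this example; the registrable-domain helper naively keeps the last two labels rather than consulting a public suffix list.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages for this example; they are not real phishing emails.
SAMPLE_PHISH = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=micros0ft-login.com; dmarc=pass header.from=micros0ft-login.com
Return-Path: <alerts@micros0ft-login.com>
From: "Microsoft 365 Security" <alerts@micros0ft-login.com>
To: user@example.com
Subject: Action required: verify your account within 1 hour
Content-Type: text/plain; charset="utf-8"

Your password expires today. You have 1 hour to verify your account
or you will lose access: https://micros0ft-login.com/owa/auth/verify
"""

SAMPLE_LEGIT = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=accountprotection.microsoft.com; dmarc=pass header.from=accountprotection.microsoft.com
Return-Path: <account-security-noreply@accountprotection.microsoft.com>
From: "Microsoft account team" <account-security-noreply@accountprotection.microsoft.com>
To: user@example.com
Subject: Security info was updated
Content-Type: text/plain; charset="utf-8"

Your security info was updated. If this wasn't you, review your recent
activity at https://account.microsoft.com/security
"""

# Assumed brand allow-list: which registrable domains may legitimately send as each brand.
PROTECTED_BRANDS = {
    "microsoft": {"microsoft.com", "office.com", "outlook.com"},
    "google": {"google.com", "gmail.com"},
}
URGENCY_PATTERNS = [r"\bwithin \d+ (hour|minute)s?\b", r"\bimmediately\b",
                    r"\blose access\b", r"\baction required\b"]
CREDENTIAL_PATTERNS = [r"\bpassword\b", r"\bvpn\b", r"\bsign in\b", r"\blog ?in\b", r"\bverify\b"]
# Digits and symbols commonly substituted for letters in lookalike domains (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "|": "l"})


def registrable_domain(host: str) -> str:
    """Naively keep the last two labels (no public suffix list in this example)."""
    labels = host.lower().strip().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def impersonated_brand(text: str):
    """Return the protected brand whose name appears after homoglyph folding, else None."""
    folded = text.lower().translate(HOMOGLYPHS).replace("-", "").replace(".", "")
    return next((b for b in PROTECTED_BRANDS if b in folded), None)


def domain_of(address: str) -> str:
    return registrable_domain(address.rsplit("@", 1)[-1]) if "@" in address else ""


def analyse(raw: str) -> list:
    """Run the header and content checks and return a list of human-readable findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display_name, from_addr = parseaddr(str(msg["From"] or ""))
    from_domain = domain_of(from_addr)
    rp_domain = domain_of(parseaddr(str(msg["Return-Path"] or ""))[1])

    # Display name claims a brand, but the From domain is not one of that brand's domains.
    brand = impersonated_brand(display_name)
    if brand and from_domain not in PROTECTED_BRANDS[brand]:
        findings.append(f"display name impersonates {brand} but From domain is {from_domain}")
    # The From domain itself is a lookalike of a protected brand.
    brand = impersonated_brand(from_domain)
    if brand and from_domain not in PROTECTED_BRANDS[brand]:
        findings.append(f"From domain {from_domain} is a lookalike of {brand}")
    # Envelope sender and header From disagree.
    if rp_domain and from_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")
    # SPF/DMARC pass only authenticates the attacker-controlled lookalike domain.
    auth = str(msg["Authentication-Results"] or "")
    if "spf=pass" in auth and any("lookalike" in f or "impersonates" in f for f in findings):
        findings.append("SPF/DMARC pass authenticates the lookalike domain, not the brand")

    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    text = f"{msg['Subject'] or ''}\n{body}"
    if any(re.search(p, text, re.I) for p in URGENCY_PATTERNS):
        findings.append("manufactured urgency in subject or body")
    if any(re.search(p, text, re.I) for p in CREDENTIAL_PATTERNS):
        findings.append("requests credentials or a login action")
    # Links whose registrable domain is a brand lookalike rather than a brand domain.
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        link_domain = registrable_domain(urlparse(url).hostname or "")
        brand = impersonated_brand(link_domain)
        if brand and link_domain not in PROTECTED_BRANDS[brand]:
            findings.append(f"link {url} points to lookalike domain {link_domain}")
    return findings


def is_likely_credential_phish(raw: str) -> bool:
    """Verdict: an impersonation signal combined with a lure (urgency or credential request)."""
    findings = analyse(raw)
    impersonation = any("impersonates" in f or "lookalike" in f for f in findings)
    lure = any(f.startswith(("manufactured urgency", "requests credentials")) for f in findings)
    return impersonation and lure


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, is_likely_credential_phish(raw), analyse(raw))
```

The verdict deliberately requires two independent signals: urgency alone would flag every genuine password-expiry notice, and a lookalike domain alone would flag newly registered but benign domains. In a real deployment the brand list, the homoglyph table and the keyword patterns would be tuned to the organisation, and the link check would follow redirects before resolving the final domain.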