Credential Phishing
What are Credential Phishing Attacks?
One of the most common types of email-based cyber attacks, credential phishing emails are designed to appear as legitimate communication regarding an existing online account. A credential phishing email generally contains a link to a malicious website designed to resemble a legitimate login page, soliciting a victim to submit their credentials, usually under the pretext of account authentication or identity validation. Once a victim submits their credentials into the phishing page, the credentials are sent to the attacker, effectively compromising the account.
Many phishing websites are difficult to distinguish from their legitimate counterparts, with only a few subtle differences from the original. The process for making one of these websites can include cloning the real website, adjusting the login page to point to a credential-stealing script, and bundling the files together in a zipped file known as a “phishing kit”. A phishing kit is essentially a collection of files needed to stand up a fully-functioning phishing site. Once a phishing kit is uploaded to the attacker’s designated phishing website, it is unzipped and the phishing site is effectively live. Now the only thing left for the attacker to do is to send out emails impersonating the target containing links to their phishing website and wait for the credentials to roll in.
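Because a cloned login page still has to send the submitted password somewhere the attacker controls, one defensive check is to resolve where each password form on a page actually posts and compare that host with the brand's real domains. The following is an added example, not code from the original page; the function names, URLs and HTML samples are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class PasswordFormCollector(HTMLParser):
    """Records the action attribute of every <form> containing a password input."""
    def __init__(self):
        super().__init__()
        self.in_form = False
        self.action = ""
        self.has_password = False
        self.actions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.flush()                      # tolerate a missing </form>
            self.in_form, self.action = True, a.get("action") or ""
        elif tag == "input" and self.in_form:
            if (a.get("type") or "").lower() == "password":
                self.has_password = True

    def handle_endtag(self, tag):
        if tag == "form":
            self.flush()

    def flush(self):
        if self.in_form and self.has_password:
            self.actions.append(self.action)
        self.in_form, self.has_password = False, False

def host_allowed(host, allowed_domains):
    """True if host is an allowed domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed_domains)

def suspicious_credential_posts(page_url, html, allowed_domains):
    """Return resolved targets of password forms that post outside allowed_domains."""
    collector = PasswordFormCollector()
    collector.feed(html)
    collector.close()
    collector.flush()                         # form still open at end of input
    findings = []
    for action in collector.actions:
        target = urljoin(page_url, action)    # empty action posts back to the page
        if not host_allowed(urlsplit(target).hostname, allowed_domains):
            findings.append(target)
    return findings
```

A relative action such as `post.php` resolves against the URL the page was served from, so a copy of a legitimate login page hosted on an unrelated domain is flagged even when its markup is otherwise identical to the original.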
Prior to 2017, most credential phishing attacks targeted individual credentials at financial institutions; however, as other cyber attacks shifted focus from individual to enterprise targets, so did credential phishing. Enterprise credentials can be used for a wide variety of purposes, which makes them much more valuable to cybercriminals. For example, employee credentials can be used to collect payment-related communications as part of the initial stage of a business email compromise (BEC) attack, to pivot to other cloud applications and steal sensitive documents, or as a platform to send additional phishing campaigns from legitimate infrastructure. This flexibility is why enterprise credentials are often a golden ticket for cybercriminals and why credential phishing attacks represent a significant risk to all organizations.
Recent Examples of Credential Phishing Attacks
Expired Account Credential Phishing Attack
This link-based attack uses a personalized email subject, a maliciously registered domain, and an expired account theme to steal credentials.