Republic of the Philippines
National Police Commission
PHILIPPINE NATIONAL POLICE
Camp BGen Rafael T Crame, Quezon City
ACG-CYBER SECURITY BULLETIN NR 186: Understanding Online Credential Theft Technique
Reference Number ACG-CSB 042120186
The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.
Cybercriminals have become extremely sophisticated and specific when targeting organizations and their users. They often work to identify the users and their device/s that will provide access to an influx of sensitive and highly confidential data, such as financials.
Billions of people use different kinds of credentials every day to authenticate themselves in their physical and digital lives: physical keys, tokens and cards; digital private keys, session cookies and digital certificates; cryptocurrency wallets; and login and password combinations. All of these are vulnerable to cyber-attack.
Cybercriminals use a variety of methods for stealing credentials, depending on their skill set and resources. One of the easiest ways to collect credentials from their victims is using phishing as an attack vector. This technique is normally accessible to a wide range of criminals and does not require a great deal of resources.
Phishing is a staple technique used by cybercriminals to steal credentials and Personally Identifiable Information (PII) from their victims. It remains one of the most effective attack vectors, since it is normally combined with social engineering techniques to extract information from the victim. It begins with an e-mail: the sender tries to make the victim follow a link and enter credentials or PII.
The success of the attack often depends on the level of social engineering and quality of communication. Other phishing attacks may use SMS messages (smishing) or voice calls (vishing), rather than e-mails to extract confidential information from the victim. In recent years we have observed evolution in techniques, including the use of control panels to manage phishing campaigns and to store stolen credentials.
Phishing remains a big problem and a highly successful method of credential theft, luring individuals into providing sensitive data such as PII, financial details and passwords. Though the attackers performing phishing are usually less sophisticated than counterparts using malware or committing major banking fraud, phishing is still a persistent threat that all organizations should be aware of.
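The lure described above works because the visible text of a link and its real target can differ. The following script, added here as an illustration and not part of the bulletin, shows how a mail gateway or awareness tool can flag such links before a user clicks them. The sample HTML message, the trusted domain "example-corp.com" and the keyword list are all constructed for the demonstration; the registrable-domain helper is a simplification (it takes the last two labels) and a production check should use the Public Suffix List instead.

```python
"""Flag anchors in an e-mail body whose visible text points one way while the
real target points another, or whose target looks like a credential lure."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure (not a real message): the visible text shows the
# corporate webmail, but the anchors actually lead elsewhere.
SAMPLE_EMAIL_HTML = """
<p>Your mailbox is almost full. Sign in to keep receiving mail:</p>
<a href="http://203.0.113.10/login/verify">https://mail.example-corp.com/owa</a>
<p>Or use the <a href="https://example-corp.com.account-check.example/login">secure portal</a>.</p>
<p>Regards, <a href="https://www.example-corp.com/it">IT Helpdesk</a></p>
"""

# Path fragments that commonly appear on credential-harvesting pages (constructed list).
CREDENTIAL_WORDS = ("login", "signin", "verify", "password", "account")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Approximate the registrable domain as the last two labels.
    Simplification for the demo: a real check should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host):
    """True when the link target is a bare IP address instead of a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_link(href, text, trusted_domain):
    """Return the reasons (possibly none) why this anchor looks like a lure."""
    reasons = []
    host = (urlparse(href).hostname or "").lower()
    path = urlparse(href).path.lower()

    if is_ip_literal(host):
        reasons.append("target is a raw IP address")

    # If the visible text is itself a URL, its host must match the real target.
    if "." in text and " " not in text:
        shown_host = urlparse(text if "://" in text else "http://" + text).hostname
        if shown_host and registered_domain(shown_host) != registered_domain(host):
            reasons.append("visible URL host differs from real target")

    # A trusted name buried inside some other registrable domain is a lookalike.
    if trusted_domain in host and registered_domain(host) != trusted_domain:
        reasons.append("trusted domain name embedded in a different domain")

    if any(word in path for word in CREDENTIAL_WORDS):
        reasons.append("credential-related path")
    return reasons


def find_suspicious_links(html, trusted_domain):
    """Parse an HTML body and return every anchor with at least one finding."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = analyse_link(href, text, trusted_domain)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_EMAIL_HTML, "example-corp.com"):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run against the constructed message, the first two anchors are reported (raw IP target with a mismatched visible URL, and a lookalike domain with a login path) while the genuine helpdesk link passes. The same checks translate directly into awareness training: hover over a link and compare the real host with the one shown.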
Credential-based attacks open the door to further, repeatable attacks, because they allow threat actors to assume the identity of an individual who is authorized to access the targeted data, effectively turning every such attack into an insider threat.
A credential-based attack begins with stealing credentials. Attackers commonly use phishing for this because it is a cheap and extremely efficient tactic. Unlike malware and exploits, which rely on weaknesses in security defenses, credential phishing relies on human interaction to deceive employees.
Corporate credential theft is usually a targeted effort. Attackers scour social media sites such as LinkedIn, searching for specific users whose credentials will grant access to critical data and information. The phishing emails and websites utilized in corporate credential theft are much more sophisticated than those used for consumer credential theft. Attackers put a great deal of effort into making these emails and websites look nearly identical to legitimate corporate applications and communications.
All PNP personnel, as well as the public, are advised to follow these tips to reduce the risk of online credential theft:
• Be wary of unsolicited emails and phone calls;
• Block usage from unlikely or unknown applications and websites;
• Keep operating systems and devices up to date;
• Conduct regular vulnerability assessments;
• Train employees on how to create strong passwords and detect phishing or spear-phishing; and
• Use encryption, endpoint security and traffic monitoring tools.
For additional information, please refer to the following websites:
POINT OF CONTACT