Credential theft spikes by triple digits in US

By October 31, 2018 No Comments

October 11, 2018 - Tara Seals - Threat Post


Credential theft was up in the United States during the third quarter - even declines were charted in Europe and Asia.

Periodic analysis from Blueliv shows a whopping 141 percent increase in compromised credentials from North American targets between June and August compared to March through May period. In contrast, there were fewer compromised European and Asian credentials detected over the same period (22 percent and 36 percent decreases respectively).

“These trends in cybercriminal success rates suggest that there have been some profitable campaigns in the North American region over the summer quarter,” Blueliv analysts said, in a posting this week.

“Blueliv observations suggest that a sizeable botnet was taken down in Europe, while a campaign focusing on different countries in Asia was thriving,” the firm said. However, despite an overall decrease in the European and Asian regions over the three months, the numbers when looked at on a month-to-month basis show some interesting regional-specific trends. For instance, there was a steep drop in geolocated credentials detected from Europe and Russia (33 percent decrease), against a huge rise in Asia during the same period (77 percent increase).


Malware Trends

When it comes to the tools that cybercriminals are using to harvest personal details from their victims, Blueliv pointed out in its report that cybercriminals use a variety of methods for stealing credentials, depending on their skill set and resources. One of the easiest ways to collect credentials from their victims is using phishing as an attack vector - it requires little skill to craft social-engineering email, and templates are available for creating phishing sites.

“Nowadays, malware infections are the main 'tool' used to steal credentials, in terms of efficiency, volume and timeliness,” Blueliv said. “Obviously, success depends on the type of malware used and its targets, but it is possible to buy cheap kits or use source code leaks in order to achieve the objective.” Malware on the other hand is more efficient given that most people have reams of credentials stored on their computers. However, using it often requires greater knowledge and resources than a phishing campaign would.

Pony is the most popular malware used to steal credentials; it's capable of credential theft across a large list of email, instant messenger and FTP applications, and also VPN and SSH software. It also has the ability to perform brute-force attacks against user accounts and uses reverse engineering techniques to decrypt passwords stored in encrypted format. Blueliv noted that Pony botnet steals on average 8,000 credentials, but depending on the binary distribution it could steal up to millions of passwords.

 Interestingly, Blueliv's latest analysis shows that the LokiPWS (aka Lokibot) malware family distribution is growing faster than the Pony stealer.

 Back in May, Pony and LokiPWS were consistently among the most active malware, with Pony ahead of the others by several lengths. Still, at the time, LokiPWS malware distribution had increased by more than 300 percent over the previous 12 months. Now, LokiPWS samples have almost doubled again, with a 91 percent increase quarter-over-quarter - and it's closing the gap with Pony.

 LokiPWS, which is a hybrid mobile malware with characteristics of a trojan banking as well as an info-stealer, is for sale between $200 and $300 on the Dark Web. It's a nasty piece of work: Aside from the well-known overlay attack all bankers have, it can steal the victim's contacts, read and send SMS messages, exfiltrate browser histories, launch mobile banking applications, and even render the phone unusable by preventing the user from accessing it.

 “Source-code leaks of different versions of LokiPWS in recent years have probably influenced its increase in usage as a credential-stealer, but this does not mean that we should discount the likes of Pony, Emotet, KeyBase and AZORultwhich continue to be disturbingly effective around the world, ”Blueliv noted.



THE [SAFEWAY] is a widely recognized company as a provider of premium information security and cybersecurity solutions. From its extensive portfolio, we highlight several solutions, including those based on platforms:

  •  Archer da RSA Security, considered by the institutes Gartner and Forrester and by the market itself, the most complete process integration solution for Governance, Risk Management, Compliance and Business Continuity Management;
  • [SAFEWAY]Security Tower, supported by IBM Qradar (Watson technology), tailored to each organization in its security and cyber defense management needs.
  •  And others, involving technologies ImpervaThalesBeyondTrustManlyWatchGuard Technologies

Leave a Reply