80% of the breaches takes place due to the credential theft or credential bypass via brute-force attacks! Let’s understand how hackers use credential phishing for credential theft.
A hacker earns an average of $15 for each credential in the darknet for selling credentials of popular 200 ecommerce sites! That’s a huge motivation for hackers to steal the credentials and sell them on the dark market. The word credentials implies your user ID, password, and any secret code or questions you need to access your online account. Credentials are just an authentication mechanism to prove that you are a legit account holder. But hackers try to bypass this default validation process and get unauthorized access to an account by stealing your credentials. There are many ways to bypass the authentication mechanism, such as deploying DDoS attacks, accessing credentials directly from databases via SQL injections, using keyloggers and spyware to record the credentials, etc. But one of the easiest and cheapest credential-stealing methods is credential phishing.
In this article, we will discuss what credential phishing is, how it is performed, and five credential phishing prevention tips.
What is Credential Phishing?
In credential phishing attacks, the hackers pose as a person or entity you trust. They play psychological games in a way that you trust them and willingly provide your credentials to them!
Hackers generally make a duplicate website of a famous site, using the same content, color schemes, logo, and styles. They even use similar-looking domains to deceive the victims (known as cybersquatting). For example, Amazonshop.io, walmart43.com, facebookprizes.in, etc. When the victims arrive on a fake site like those mentioned and log in with their credentials, those credentials go into the hackers’ servers and databases. Hackers easily use these credentials to log into the victim’s accounts and do mischief such as
- Transferring money to their bank accounts on your behalf,
- Shopping,
- Sending phishing and spam emails to all your contacts,
- Stealing confidential information stored in your online accounts,
- Asking for a ransom in exchange for access to your own account back, etc.
But how do hackers lead victims to such phishing websites in the first place? Here are some tricks they use for credential phishing.
Email Credential Phishing
These are the basic steps for credential phishing attacks deployed via emails.
- Identify targets. Hackers do a little research to find out which companies, websites, banks, etc., you deal with on a regular basis. They also research the people you are connected to such as your boss, relatives, friends, colleagues, etc.
- Send emails to the targeted people triggering them to take action, usually with a login link. The email could be a customer complaint, a service warning from a web hosting company, a friend sharing an amazing deal, a warning about a fake bank transaction, etc.
- Redirect users to the phishing website via email link. This fake website looks exactly like the original one.
- Get the victims to enter their login credentials on a fake login page. As soon as you try to log in, your credentials get transferred to the hacker’s backend database.
- Log in to the original site using your credentials. Even if they’ve just got credentials for an email address, they can use the “forgot password” feature to get into your website or other critical systems from a single email address.
Check out this example of a phishing email that was sent for the purpose of credential theft…
This is a well-planned phishing email because of following reasons.
- The recipient has a website for which he/she uses SMPT.com.
- The link is pointing to a URL that looks genuine at first glance. The actual URL is https://my.smtp.com.login.new.session.98751.[redacted].de/c4ca4238a0b923820dcc509a6f75849b/43c24690793778113247f7b27f21ba8f/c2f89d887a8c6527c2681d5041204133/ffc5e01f578535fd6f95f889cb31939dA. The URL looks like it’s on SMPT.com—but it’s not. It’s on a .de domain (some other website the hackers took over and are using in their attack).
- The email includes various details (domain name, case ID, agent name, etc.), giving it credibility.
Obviously, when you click on the given link and log in with your SMPT.com account’s credentials, hackers will steal them to log in to your original SMPT.com account.
SMS Credential Phishing
SMS phishing works just like email phishing. The hacker accesses your phone number and does a little research about you. They send you an SMS pretending to be a legit entity with a login link that redirects you to a phishing website.
SMS Credential Phishing Example.
Social Media
Attackers make fake profiles or hack genuine profiles in social media platforms and send private messages on Facebook, Instagram, and Twitter. Hackers send messages pretending to be someone you know or a reputed company. Messages will contain a login page link, and the content would look something like this:
- Sharing some good deals, discounts, coupons,
- Informing you about a new show on Netflix,
- Warning you about account deactivation or unauthorized access, or
- Any interesting thing that lures you into clicking the link.
Check out the following example.
Upon receiving a message like this in your inbox, you may panic, click on the link to inspect the matter and become a credential theft victim when you log in with your credentials.
5 Credential Phishing Prevention Tips
1) Inspect the sender’s email address
This one is the simplest. If someone is claiming to be a representative of a trusted company, they will send the email from the company’s official email address. That means the email ID will have the company’s domain name after @ sign—for example, @macys.com, @amazon.com, @ebay.com, etc. If the email is coming from a generic email address like Gmail, AOL, Hotmail, Yahoo, etc., it’s a sure sign of a scam. If the domain is unknown or doesn’t match the content of the email, that is a red flag, too.
This email is masquerading as a follow-up email from AWS (Amazon Web Services) hosting support. The links look like they point to amazon.com, but you’ll see they actually point to fake login pages on hacked websites if you mouseover the URL. Plus, Amazon’s email won’t come from an email address having @gaadi.com.
2) Go to the official website directly from the browser or app, instead of clicking on the link given in the email or SMS
So, let’s say you get an email that looks like it’s coming from your bank. If you think the email is disingenuous, then don’t click on the link given in the email. Rather go to the bank’s official website or app and log in.
3) Use two-factor authentication
When you enable two-factor authentication, you will get a unique one-time password or pin (OTP) on your registered number or a magic link on your email address. This secret code/link stays valid just for a small timeframe. So, even if the hackers get your credentials, they won’t be able to log in until they provide this unique code or click on the email link.
- For Businesses: You can use plugins like Google Authenticator, Two-Factor Authentication, or WP 2FA for WordPress sites. For non-WP sites, check out this coding guide to implement 2FA: technical requirements for 2FA.
- For Individuals: You can also use Android apps like Google Authenticator, Twilio Authy 2-Factor Authentication, or Microsoft Authenticator to enable 2FA for some important accounts.
4) Use extensions and firewalls to detect phishing websites
There are free extensions (add-ons for Firefox) that you need to install in your web browsers. They will alert you whenever you are visiting a phishing and malware-loaded website.
- Retruster Phishing Protection
- Malwarebytes Browser Guard
- Avira Browser Safety
- Guardio Protection for Chrome
- Bitdefender TrafficLight
- AdBlocker – Adblock Plus
Alternatively, use a strong firewall that blocks phishing and dangerous websites. See the example below. When we tried to visit a phishing site, our firewall blocked it and made it inaccessible.
5) Use caller-ID
Now it’s a basic suggestion, but people still miss this one. Apps like TrueCaller, Showcaller, Hiya, Call control, etc., will help you identify a phishing call and SMS. If the SMS is coming from a personal number and you are not sure whether the person is a legit employee of the company they are claiming to be, don’t feel hesitant to call the company’s official customer care to confirm the validity of the call/SMS.
Wrapping up Credential Phishing Attacks
It’s very easy these days to buy a domain name and make a website. It doesn’t need a lot of programming knowledge to make a login page with the same colors, fonts, and logo of a popular site. People are still not vigilant enough to check the website’s URL properly before putting in their credentials. Hackers know this fact and use various means like phishing emails, SMS, and social media messages to redirect users to their fake websites. They try to generate panic, curiosity, anger, or any other type of emotional response to trick you into clicking on the link and enter your credentials. So, whenever you receive a message like the ones shown in the examples above, be careful and check the message’s authenticity before clicking on the link and logging in with your credentials.
Stop hackers from hacking your website!
Get DigiCert Secure Site Pro OV SSL that includes a vulnerability scanner, malware detector, PCI scanners, website backup, multi-domain security, and many more advanced security tools.DigiCert Secure Site Pro SSL