When we hear about compromised credentials, the question that always follows is “How are they used post-compromise?” In at least one case, they are put on full display, for sale to the highest bidder.
I’ve written about infostealer malware before: malware designed to steal in-browser credentials, session cookies, and more, in an attempt to capture everything needed to gain access to websites, applications, data, and even money. But once it’s stolen, no one has a clear picture of exactly how a specific credential is misused.
A new article over at Krebs on Security highlights a few dark web markets that offer up credentials, authentication cookies, and even custom web browsers with the stolen artifacts built in, making access to an application or system turnkey: no need to enter credentials or to get past multi-factor authentication requirements.
One such marketplace is Genesis Market, which, according to Krebs, “gets its inventory of botted computers and stolen logins from resellers who specialize in deploying infostealer malware via email and booby-trapped websites.”
This is scary stuff. Access is the crux of any attack, and being able to purchase not just username and password combinations but also post-MFA authenticated sessions means it’s easy for practically anyone to gain access to your network, as long as access to it is for sale over at Genesis.
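The reason a purchased session cookie walks straight past MFA is that most web applications treat a valid cookie as proof of the authentication that originally produced it, regardless of who presents it. One server-side mitigation is to bind each session to the client fingerprint captured when MFA was completed and revoke the session the moment the cookie turns up from a different client. The following is an added illustration written for this post, not code from Krebs, Genesis Market, or any real application; the session store, session IDs, IP addresses, and user-agent strings are all constructed.

```python
import hashlib
from dataclasses import dataclass


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Hash of the client attributes captured when the session was issued."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    fingerprint: str
    revoked: bool = False


class SessionStore:
    """In-memory stand-in for a web app's server-side session table (constructed)."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}
        self.alerts: list[str] = []

    def issue(self, sid: str, user: str, ip: str, user_agent: str) -> None:
        # Called after password + MFA succeed: remember which client the cookie was issued to.
        self.sessions[sid] = Session(user, client_fingerprint(ip, user_agent))

    def validate(self, sid: str, ip: str, user_agent: str) -> bool:
        """True if the cookie is valid for this client; revokes it on mismatch."""
        s = self.sessions.get(sid)
        if s is None or s.revoked:
            return False
        if s.fingerprint != client_fingerprint(ip, user_agent):
            # Cookie presented by a client other than the one that completed MFA:
            # treat it as replayed, kill the session, and raise an alert for the SOC.
            s.revoked = True
            self.alerts.append(f"session {sid} for {s.user} replayed from {ip}")
            return False
        return True


def demo() -> tuple[bool, bool, bool]:
    """Constructed scenario: legitimate use, then replay of the same cookie elsewhere."""
    store = SessionStore()
    store.issue("sid-1", "alice", "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0)")
    legit = store.validate("sid-1", "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0)")
    replay = store.validate("sid-1", "198.51.100.7", "Mozilla/5.0 (X11; Linux)")
    after = store.validate("sid-1", "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0)")
    return legit, replay, after
```

Because the turnkey browsers the post describes ship with the victim’s stolen artifacts, the user-agent alone is a weak signal; bind to attributes the buyer cannot easily copy (source network, TLS or device characteristics) and prefer step-up re-authentication over hard revocation so that legitimate IP changes do not lock users out.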
The stolen data that provides this access is typically acquired through phishing attacks aimed either at compromising an endpoint so an infostealer can be installed, or at tricking users into entering their credentials on an impersonated cloud platform logon page.
In either case, teaching users through Security Awareness Training to be mindful of phishing attacks that involve malicious links and/or attachments is the key to keeping your users’ access from showing up on one of these markets.