Credential harvesting is the immediate goal of most cybercrime in which attackers seek users’ login information. The strategy is to build a large enough cache of credentials so that they can sell them or exert pressure on the individuals or companies impacted by their loss.
Let’s dive into credential harvesting in more depth, walk through some of the context and implications surrounding it, and provide some solutions for mitigating its harmful impacts.
What is credential harvesting?
Credential harvesting refers to collecting user credentials en masse, by whatever means necessary, to drive other cybercrime activity. Often, when individual threat actors or organizations set out to defraud users of their credentials, they are not targeting a single individual’s credentials. Instead, they aim to gather—or harvest—as many as possible.
Simply put, credential harvesting is precisely what it sounds like: a high-quantity illicit collection of credentials.
The goal of credential harvesting points to the practical impacts it can have on a business. Namely, cybercriminals aim to collect credentials in great volumes because there’s a market for them on the dark web.
Individual user credentials fetch specific per-unit rates, per a PC Mag report. The highest prices are reserved for LinkedIn logins ($45 each in 2022), but the real value comes from selling huge batches of credentials.
Credential harvesting on the rise
One of the most concerning things about credential harvesting is its prevalence. An AT&T cybersecurity briefing on the threat vector reports that over 24 billion credentials have been amassed on the dark web as cybercriminals seek to sell them in bulk to other attackers.
Once credentials have been stolen or otherwise acquired, they can be used for:
Lateral movement and escalation of privilege
Other forms of broken authentication
That’s why most phishing attacks each year are dedicated to credential harvesting (71.5% in 2020, per AT&T).
Additionally, credential harvesting has an outsized impact on certain industries. Per one study, credential harvesting was the biggest threat to the retail industry in 2022. It comprised 63% of reported cyber threat indicators within the sector, while the second-highest share (suspicious domains) came in at 16%.
Not surprisingly, credential harvesting was also the threat that survey participants were most concerned about moving into the future.
Common techniques used for credential harvesting
Credential harvesting is not in itself a method of attack but an underlying purpose. Attackers can use many different methods to achieve that goal.
Anything attackers do to guess, crack, or steal credentials can lead to harvesting, but the most common threats are:
Phishing and social engineering: These fraudulent emails trick victims into providing their credentials or engaging with a link / attachment that steals them. In a 2022 phishing campaign targeting financial firms in the real estate sector, thousands of Microsoft 365 credentials were harvested on dark web servers.
Keystroke logging (keylogging): These are programs that attackers place on victims’ computers to track every keyboard input. Then, they analyze the results to reveal credentials.
Man-in-the-middle (MITM): These are complex schemes in which attackers intercept or manipulate communication between two parties and decrypt it without being noticed.
To mitigate the impact of these attacks, it’s critical to be cognizant of negative online behaviors like password sharing and password recycling. It’s also important to set up defenses against the gaps these attacks exploit, as well as deploy technologies for responding to incidents in real-time.
Consequences of credential harvesting
The most immediate impact of credential harvesting is compromised account security.
On the individual level, all impacted employees or end users could have their sensitive information leaked and face consequences in their professional and personal lives.
At the company level, sensitive data may be leaked or held ransom by attackers.
There are also potential legal and compliance consequences to these attacks. If the leaked or compromised data is subject to industry or governmental regulations, then the organization could lose its certification or face monetary and other noncompliance penalties.
An additional burden that comes due to harvested credentials is reputational damage. Current and potential clients, both individual consumers and businesses, may be wary of trusting a firm targeted by credential harvesting. The same goes for potential and current employees, who may be harder to recruit and retain.
How to prevent and mitigate the threat of credential harvesting
Given the potential impacts of credential harvesting on personnel, clientele, and other stakeholders, it’s imperative to take active steps toward preventing and mitigating the threat. This means taking steps that:
Make cybercriminals less likely to attempt an attack
Ensure attacks are less likely to cause harm if they’re successful
The first line of defense comes from standard cyberdefense practices, including:
User awareness, established through training, to make falling for phishing less likely.
Encryption across all credentials so that even stolen assets are unintelligible to attackers.
Regular security updates and patch management, minimizing exploitable vulnerabilities.
Monitoring infrastructure to identify threat indicators and potentially fraudulent logins.
Incident response protocols to detect and respond to an attack as swiftly as possible.
However, some of the best and most efficient protections against credential harvesting happen at the point of authentication itself. Secure login makes these attacks less frequent and impactful.
Phishing-resistant multi-factor authentication
Multi-factor authentication (MFA) is an improvement on baseline single-factor systems such as traditional password-based authentication. Rather than requiring a single set of stealable or guessable assets, such as a username and password, MFA requires at least one additional factor.
The best MFA systems require a possession factor or inherence factor—something the individual owns, such as a device, or something the user is, such as a biometric scan of their iris, face, fingerprint, etc.
MFA makes it harder for cybercriminals to use stolen or defrauded credentials to access user accounts and sensitive data. With MFA, a harvested password is not enough to break auth.
While some MFA deployments remain vulnerable to social engineering, phishing-resistant MFA deployments leverage advanced techniques like behavioral analysis, biometric authentication, and risk-based auth to monitor for and address fraudulent account access. It accounts for vulnerabilities baked into more simple, traditional MFA and is better suited to defend against credential harvesting – while also giving legitimate users a more seamless experience.
Passwordless authentication methods
Finally, organizations worried about credential theft and harvesting can also look to take (most) credentials off the table altogether. Passwordless authentication systems utilize other methods to validate users’ identities, beyond usernames and passwords, so there’s nothing to harvest.
Some of the most common and effective passwordless auth methods include:
Biometric auth, used on its own rather than along with a knowledge factor in MFA
One-time passwords (OTP) or codes sent to users’ devices to enable a login session
Timed-based one-time passwords (TOTP), or codes that expire within a short window
Magic links or URLs embedded with access tokens sent securely to users’ devices
Social logins that let users sign in to apps using pre-existing trust with another identity provider
Going passwordless renders credential harvesting moot, while also providing people with a much more user-friendly experience sans the need to create, remember, and manage an endless number of passwords.
Safeguard against credential harvesting with Descope
It’s clear that credential harvesting – and credential-based attacks in general – are one of the main priorities for organizations to guard against in the years ahead. Descope helps organizations either completely eliminate credential harvesting, or greatly raise the bar for cybercriminals and make it much tougher for them to exploit credentials.
For organizations committed to going passwordless, Descope’s no / low code CIAM platform makes it easy to add a variety of passwordless authentication methods to their apps using drag-and-drop workflows. For organizations deciding to stick with passwords, Descope simplifies the addition of password-based authentication to their apps along with breached password detection through Have I Been Pwned.
Sign up for a Free Forever account to get started with Descope, or schedule a consultation with our authentication experts to learn more.