How to Identify & Eliminate Credential Harvesting Threats


Cybercriminals today have moved on from obsolete hacking techniques that are no longer effective against the sophisticated cybersecurity defenses deployed by the world’s biggest corporations. Instead, they have found a new element to compromise: the end user. Using sophisticated social engineering and phishing tactics, attackers gain access to sensitive data by compromising end users’ identities and credentials. According to the Verizon 2017 Data Breach Investigations Report, 81% of data breaches leveraged stolen or weak credentials. Those credentials in turn open up access to systems, networks, and databases, effectively opening the entire vault for malicious extraction.

Add to that the pandemic-induced shift to remote work, and it is easy to see credential harvesting becoming the top attack vector. In fact, the 2020 US Government threat report found that 71.5% of all phishing attacks on federal employees were related to credential harvesting. With nearly 72% of those employees admitting to having clicked on malicious links in phishing emails, it becomes clearer why attackers are choosing to focus on credential harvesting to gain the leverage they need.

The growing risk of employees and customers falling prey to a credential harvesting campaign is underscored by the recent spate of breaches. A recent Reddit breach stemmed from credential harvesting, and so did the attack on UnityPoint Health in Iowa. The UK’s National Cyber Security Centre also sent out an alert to all industries warning of a phishing campaign built on stolen credentials harvested via cloned login pages.

Credential harvesting is often the first step in a larger, coordinated attack: it is used to gain initial access to systems before the next phase of the attack begins. By understanding how credential harvesting works and how it can be contained, SOC teams can gain the upper hand in their fight against cybercriminals.

What is credential harvesting?

Also known as password harvesting, credential harvesting is the process cybercriminals use to steal legitimate usernames, passwords, private emails, and email addresses through data breaches. Not to be confused with phishing, credential harvesting uses a wide variety of Tactics, Techniques, and Procedures (TTPs) to gain illegitimate access to valid credentials.

The stolen login data can then be sold to the highest bidder on the dark web or used to move laterally through systems with increasing privilege to steal even more sensitive data. Another avenue many cybercriminals are opting for is using the data as leverage to demand ransoms, and many have also successfully used stolen credentials to embezzle money. While there are many different motivators for this crime, including corporate espionage, the point is to prevent the attack from happening in the first place.

What are the most common TTPs for credential harvesting?

Phishing emails

This is the classic way to steal login data. Phishing emails are cloaked and disguised to look legitimate, and they link to pages that mimic actual login pages. By embedding the malicious links in Word or PDF attachments, attackers can slip past many firewalls and email protection systems. The links take the user to compromised websites that also look familiar. Unsuspecting users type in their username and password only to be redirected to another page, and most never realize that their credentials have been stolen.

Phishing emails use comprehensive social engineering tactics to dupe users. They can even impersonate actual company employees to add another layer of legitimacy.

Example: an email with a slightly different company domain name.

Learn more about this specific type of phishing scam in our blog on Business Email Compromise.

Man-in-the-middle (MitM) attacks

MitM attacks typically rely on public WiFi networks to get the job done. Criminals set up compromised routers that masquerade as legitimate businesses or public WiFi hotspots to attract users. Anyone who connects to such a network gives the cybercriminal the ability to track and record all of their online activity.

Password dumping tools

Mimikatz is a password dumping tool that can automatically extract passwords and hashes from the memory of infected systems. Even one compromised system can give attackers enough of a foothold to move laterally through the network until they reach their goal. Malware like WannaMine has been known to use such tools to harvest credentials.

How can SOC teams identify these threats?

Most large organizations today have a dedicated Security Operations Center (SOC) to identify, mitigate, and contain cyber threats. Essentially a team of cybersecurity experts from various domains, the SOC is solely responsible for the security of the organization’s systems, networks, and data.

Credential phishing is one of the biggest threats facing modern multinational corporations. SOC teams can spot and block these attacks in time if they have access to threat intelligence, and the kind of information that helps here ranges widely: everything from the type of access being sold by Initial Access Brokers (IABs) on the dark web to the vulnerabilities being exploited in attacks on other companies can give SOC teams an edge.

Another data point security experts need to focus on is new domain registrations that might be typosquats. It is much easier to buy believable typosquat domains now than it used to be, thanks to the explosion in the number of top-level domains (TLDs).
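As an added example (not Bolster’s code and not part of the original post), here is a small Python screen a SOC could run over a feed of newly registered domains to flag lookalikes of a monitored brand: TLD swaps, homoglyph and digit substitutions, single-keystroke typos, and domains that embed the brand name. The brand list, the feed and the homoglyph table are constructed for illustration.

```python
import unicodedata
# Constructed brand list and registration feed, not real data.
BRANDS = ["examplebank.com"]
FEED = ["examplebank.net", "exarnplebank.com", "examp1ebank.com", "exampelbank.com",
        "login-examplebank.com", "examplebank.com.secure-login.net",
        "weather-today.org", "examplebank.com", "app.examplebank.com"]

# Digits and Cyrillic letters commonly substituted for Latin ones in lookalike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
                            "\u0430": "a", "\u0435": "e", "\u043e": "o",
                            "\u0440": "p", "\u0441": "c", "\u0445": "x"})

def normalize(s: str) -> str:
    """Lower-case, strip accents, fold homoglyphs and the rn/vv pairs that read as m/w."""
    s = unicodedata.normalize("NFKD", s.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))
    return s.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment): a swapped pair costs one edit."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + (a[i - 1] != b[j - 1]))
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify(domain: str, brands: list):
    """Return 'reason:brand' when `domain` looks like a monitored brand, else None."""
    domain = domain.lower()
    labels = domain.split(".")
    sld = labels[-2] if len(labels) > 1 else labels[0]   # registrable label
    for full in brands:
        brand = full.split(".", 1)[0]
        if domain == full or domain.endswith("." + full):
            continue                                      # the brand's own domain
        if sld == brand:
            return f"tld-swap:{full}"
        if normalize(sld) == brand:
            return f"homoglyph:{full}"
        if edit_distance(normalize(sld), brand) == 1:
            return f"typo:{full}"
        if brand in normalize("".join(labels)):
            return f"brand-embedded:{full}"                # login-brand, brand.com.evil.net
    return None

def screen(feed: list, brands: list) -> dict:
    """Map each flagged domain in the feed to the reason it was flagged."""
    return {d: r for d in feed if (r := classify(d, brands))}
```

In practice the flagged domains would be enriched (WHOIS age, whether a login page is served) before an analyst is paged, since a distance-1 match against a short brand name will also catch unrelated words.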

Unfortunately, it doesn’t end there. Copycat applications in app stores, fraudulent listings on online marketplaces, and impersonation on social media have made collecting threat intelligence a daunting task.

The rapidly expanding internet attack surface, the evolution of sophisticated threat programs, and the growing complexity of data environments have made the SOC’s job harder than ever. Add to that the global talent shortage in cybersecurity, which reached 2.7 million by the end of 2021. Seriously understaffed SOC teams are forced to spread themselves thin, drowning in data collected from a vast attack terrain. In theory, SOC teams could prevent most attacks from happening in the first place if they could be more productive, efficient, and effective. But, as intelligent and hard-working as they may be, they can only sift through a certain amount of data in a fixed period of time.

Overrun with data, they often end up wasting time on irrelevant data points, leaving little time for what is important. Their human capacity to spot anomalies and patterns in troves of repetitive data is also limited. Relying entirely on them, and expecting them to overwork themselves without letting any errors slip through, is not the right approach in today’s attack-prone world.

This is where AI and automation come in.

How do AI and automation make SOC teams more effective at eliminating threats?

The volume and complexity of the data being brought in are best handled by machines. Powered by artificial intelligence and machine learning models, these systems can complement the security team, giving it the freedom and flexibility to focus on more critical tasks. Feeding on the mounds of available data, they can sort out relevant data points, identify patterns, and provide actionable intelligence.

Bolster’s AI-based domain monitoring is a solution that fits companies looking to strengthen their SOC teams while reducing their dependence on manual effort.

Bolster uses multiple data sources, both proprietary and public, including intelligence feeds and domain registries, to identify suspicious domains. What makes Bolster unique is its use of phishing honeypots and a headless browser. Instead of focusing only on newly registered domains, the honeypots help catch phishing emails that might otherwise slip past detection.

All of that data is then processed by Bolster’s AI and ML engine, which uses NLP, image recognition, and clustering to identify suspicious domains. The results are presented in a clean dashboard with an easy-to-use UI, giving security professionals unmatched visibility across a spectrum of possible threats. By identifying and eliminating potential risks before they turn into full-scale security events, Bolster’s AI-based engine ensures that credential harvesting and phishing attacks are kept at bay.

If you want to learn more about how Bolster’s domain monitoring can empower your SOC team with AI and automation, contact us today.