The Game of Credential Abuse

The year 2020 is on its way to making a name in history books, owing to the constantly evolving threat landscape. This year is witnessing an unprecedented level of credential abuse attacks.

The scoop

Gamer credentials have become a lucrative target for cybercriminals. Credential theft targeting online games has reached an all-time high, tying with illicit markets, scams, and account takeovers. According to a recent Akamai study, accounts of 55% online gamers have been compromised at some point.

What does this imply?

Stolen credentials can be abused by criminals to execute several crimes. The most common crime committed is by logging in to a game account and stealing the victim’s profile information, virtual merch and currency, and financial data. Moreover, the gaming industry is a juicy target since gamers are engaged and active in social communities, with disposable income. 

Other credential theft instances

  • Emotet malware has seen a sudden spike in Japan, New Zealand, and France. It is specially crafted to steal login credentials from email clients, browsers, and applications.
  • A phishing campaign has been uncovered that leverages overlay screens and email quarantine policies to steal Microsoft Outlook credentials. 
  • In August, researchers warned about a phishing scam targeting Instagram users via the direct messages feature on the app, with the aim to steal their Instagram and email credentials. 

Why it matters

  • Credential abuse campaigns can lead to dire consequences for enterprises, as it is likely that employees will be affected. Corporate credentials can be exploited by adversaries to gain access to sensitive work-related documents.
  • With attackers impersonating legitimate users and the complexity associated with identifying credential-based attacks results in an environment destitute of control.

The bottom line

It is high time that organizations take steps to reduce credential-stuffing threats by investing in industry best practices by securiing user accounts with additional layers of defense and educating their employees about password hygiene to prevent accidental leaks.