Today’s common approach to credential theft is a targeted campaign aimed at stealing the credentials of specific users, then abusing those credentials to obtain a foothold inside the organization. Appearing to be a valid user, the attacker can then conduct lateral movement to gain greater levels of access.
While there are many ways an attacker can obtain a user’s credentials, credential phishing is the method of choice for a targeted attack. With credential phishing, the attacker builds a site that appears to be legitimate, or reuses a legitimate site’s content, and hosts it on a look-alike domain name. The attacker baits the user into visiting the site by sending an email or social media message that appears to come from a person or organization the victim knows and trusts. The sites mimic applications that an employee expects to interact with, such as a clone of the victim’s webmail front end or the company’s employee authentication page. After harvesting the stolen credentials, the attacker can use them to impersonate the user remotely, or use them from within the organization via a compromised endpoint.
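One defensive check that follows from the look-alike domain tactic described above is to compare sender and link domains in inbound mail against the organization’s own domains. The block below is an added example, not code from the original article; the trusted-domain list is constructed, and the registrable-domain logic is a simplification (a real deployment would consult the Public Suffix List).

```python
"""Flag look-alike domains against an organization's trusted domains.
Added example; the trusted domain list below is a constructed sample."""

TRUSTED_DOMAINS = {"example.com", "mail.example.com"}  # constructed sample

# Visual substitutions commonly seen in look-alike registrations.
_GLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
_DIGRAPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def skeleton(label: str) -> str:
    """Reduce a label to a visual 'skeleton' so homoglyph variants collide."""
    s = label.lower().translate(_GLYPHS)
    for src, dst in _DIGRAPHS:
        s = s.replace(src, dst)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) via row-based DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels; simplification of a Public Suffix List lookup."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def classify(domain: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a sender or link domain."""
    d = domain.lower().strip(".")
    for t in trusted:
        if d == t or d.endswith("." + t):
            return "trusted"          # the real site or a genuine subdomain of it
    reg = registrable(d)
    reg_label = reg.split(".")[0]
    for t in trusted:
        t_reg = registrable(t)
        t_label = t_reg.split(".")[0]
        if ("." + t + ".") in ("." + d + "."):
            return "lookalike"        # trusted name embedded: example.com.evil.net
        if skeleton(reg_label) == skeleton(t_label):
            return "lookalike"        # homoglyph or digit swap: examp1e.com
        if edit_distance(reg, t_reg) <= 2:
            return "lookalike"        # typo-squat: exmaple.com
        if t_label in reg_label and reg_label != t_label:
            return "lookalike"        # brand embedded in label: example-login.net
    return "unrelated"
```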