Mark Thomas

VP, Cybersecurity ─ Dimension Data

For the past 18 years, Mark has worked in the cybersecurity field establishing pragmatic, business-aligned risk minimisation strategies and developing intelligence-led computer network defences. His broad knowledge and in-depth expertise are a result of working extensively in consulting, technical, and managed services with large enterprises across numerous industry sectors including finance, government, utilities, retail, and education.

Credential theft: ‘handing over the keys to your kingdom’

Cybercriminals target data, applications, and cloud infrastructure, making credential asset management a priority

Credential theft isn’t a new concept to most people – but in the context of cybersecurity, it’s become increasingly prevalent over the last few years, as the findings of Dimension Data’s Executive Guide to the NTT Security 2019 Global Threat Intelligence Report indicate.

Credentials are the ‘keys to your kingdom’, protecting your organisation’s networks and data from unauthorised access. This makes stolen credentials a valuable target for threat actors.

Phishing and malware are cybercriminals’ techniques of choice

Some 67% of all credential theft attacks are associated with phishing, which involves cybercriminals attempting to send recipients to a fake website – one that looks legitimate – via an email. The motive for this is to obtain user name and password combinations.

We’re seeing an increasing number of credential theft attacks targeting cloud platforms, as the graph below illustrates:

Figure 1: Four platform targets comprised almost 97% of all credential theft attacks in 2018

Microsoft Office 365 credential targeting accounted for 45% of all phishing attacks. This suggests that organisations are increasingly migrating to cloud-based platforms, driven by ongoing digital transformation across all industries and the recognition by businesses of the need to become more ‘digitally native’. However, by doing so, they’re exposing themselves to a number of new cyberthreats – credential theft being one.

Moving your systems (including email) beyond your traditional corporate boundaries means that the existing controls you have in place may no longer be sufficient. This potentially exposes your confidential information ─ from valuable business intelligence (intellectual property), to highly regulated data such as personally identifiable information, protected healthcare information, payment card information, and other sensitive data ─ to the risk of theft. So, all it takes is for someone to access those credentials and log in through the organisation’s ‘front door’. Attackers don’t need to look for vulnerabilities in websites or applications. If they successfully target individuals and steal their credentials, they can simply log onto the applications and gain entry into the organisation as a whole, to syphon off data and conduct other nefarious activities.

As the title of this article suggests, this is how organisations unwittingly ‘hand over the keys to their kingdoms’ (i.e. their data, applications, intellectual property, and access to their cloud infrastructure) to cybercriminals.

We believe that organisations need to be concerned about the growth of Microsoft Office 365 and the alarming increase in credential-based attacks.

More about malware and malspam attacks

While credential theft attempts via phishing accounted for double the number of those involving malware (33%), the latter shouldn’t be overlooked.

Malspam is an evolution of traditional malware, which now often incorporates capabilities designed to steal credentials. And that involves more than just installing keyloggers, which monitor the information that a user enters into a system. Today, malspam attacks are specifically targeting the credentials that users enter into online applications, such as Internet banking platforms and other password-protected sites.

Which sectors are most at risk of credential theft?

NTT Security’s research conducted during 2018 shows that:

  • The technology sector was most heavily impacted by phishing credential theft (36%).
  • The top five impacted sectors accounted for 83% of phishing credential theft.
  • The retail (36%) and telecommunications (28%) sectors were most heavily impacted by credential theft malware, and therefore should consider investing in more malware protection.
  • The top five impacted sectors accounted for 91% of credential theft malware.

Figure 2: Sectors most targeted for credential theft phishing attacks

Figure 3: Sectors most targeted for credential theft malware attacks

Access, influence, and profit: an attractive trio of motives for credential theft attacks

Cybercriminals’ motives for launching credential theft attacks are generally threefold:

Access: The use of stolen credentials to gain access to resources and the underlying data; this may involve both short-term and persistent access.

Influence: This involves manipulating a person, or the impression of a person, brand, or product. It may include activities related to reputational damage, blackmail, and extortion.

Profit: Attackers use stolen credentials for fraudulent activities including:

  • illegal financial transactions
  • bartering with other cybercriminals (i.e. selling stolen credentials to the highest bidder)
  • identity theft for financial gain

Often, cybercriminals invoke a ‘pay-per-use’ model: those who’ve stolen credentials will charge other threat actors according to the volume of data they choose to access, over a specific period.

Attack patterns and methodologies

Cybercriminals are constantly refining their credential theft toolsets, tactics, and types of cyberattack – both technical and non-technical.

What do we know about the frequency and duration of credential theft attacks? This generally depends on the attacker’s motive.

Some are quick: ‘Let’s infiltrate the organisation’s systems, steal the credentials we want, and get out fast’. Others are more prolonged: the attacker keeps a low profile, stealing and using credentials in a limited way to avoid detection and establish a longer-term foothold within the business.

As defenders against cybercrime, we need visibility of these activities to detect various kinds of attacks, regardless of the threat actor behind them.

If an organisation is only willing and/or able to invest a small percentage of its IT spend in combatting credential theft, it’ll likely only be able to prevent or detect issues such as hacktivist activity by some of the more minor cybercriminal groups. Larger and/or more high-profile organisations tend to increase the amount that they spend to guard against more calculating threat actors (e.g. nation-state groups).

Ultimately, an organisation’s current and desired cybermaturity profile regarding credential theft will depend on a variety of factors. These include the risk profile of the business, including compliance regulations relating to it, location, culture, competitors, and how much it’s prepared or able to invest in bolstering its cybersecurity defences.

What’s the business impact of a successful wave of credential theft attacks?

Stolen credentials can have a severe, immediate impact on organisations. This often includes:

  • loss of confidentiality, integrity, or availability of sensitive data related to the theft of proprietary information
  • disruption of regular business operations
  • financial losses (including the unplanned cost of forensic investigations, clean-up operations, and legal counsel)
  • harm to an organisation’s reputation and consumer and employee brand trust, which is difficult, if not impossible, to recover

Longer-term impact may also include C-level executives being forced to resign, devaluation of stock prices, stalling of planned mergers and acquisitions, loss of intellectual property, and compliance penalties.

Credential guards: how to get on the front foot

  1. Implement multi-factor authentication on all accounts and systems.
  2. Segment your network environment.
  3. Enforce ‘least privilege’ access and segregation of duties.
  4. Implement network activity monitoring and data loss prevention initiatives.
  5. Educate employees about being vigilant regarding phishing attacks and ensure that everyone understands that security is their responsibility.
  6. Eliminate passwords as far as possible, and if one is used, make sure it’s not re-used elsewhere across multiple sites.
  7. Implement processes that cover incident response handling.
