DataDome

What is Credential Harvesting? Examples & Prevention Methods


Credential harvesting is a serious threat to your organization’s online security and privacy. It can lead to identity theft, financial fraud, account takeover fraud, and unauthorized access to confidential information for both your employees and your users. In this article, we will explain what credential harvesting is, how you can identify it, and how you can prevent it from happening.

What is credential harvesting?

Credential harvesting, also known as password harvesting or username harvesting, is a cyberattack technique for collecting users' login and payment data, usually at scale. The data targeted includes usernames, passwords, one-time codes, credit card details, user IDs, and email addresses.

Cybercriminals have various ways of obtaining such sensitive information: automated bots, phishing emails, fake websites, social engineering techniques that exploit human weaknesses, and many more. Once obtained, the stolen credentials are used directly to access personal accounts or corporate networks, sold on to other criminals, or replayed against other sites in credential stuffing attacks. Credential harvesting is therefore the gateway to many different types of online fraud, and it should be taken seriously by organizations of all sizes in every industry.

How does credential harvesting work?

Understanding how credential harvesting attacks work is crucial in safeguarding your personal and business data. Here are the various techniques cybercriminals use to execute their attacks against both individuals and organizations.

Common Techniques Used in Credential Harvesting Attacks

  • Phishing Emails: Cybercriminals send seemingly legitimate emails impersonating trusted entities, typically with urgent requests or enticing offers that prompt recipients to click on links. These links lead to fake login pages that harvest a recipient’s confidential information.
  • Fake Websites: Cybercriminals build fake websites that closely resemble legitimate login portals. Through methods like domain spoofing or typosquatting, they trick users into entering their credentials on these deceptive sites, which often mimic the design and branding of well-known, legitimate services.
  • Malware: Malware like keyloggers or password stealers can silently capture a user’s login credentials if their device has been infected. This method allows cybercriminals to collect credentials without ever directly interacting with users.
  • Social Engineering: Cybercriminals exploit human psychology to manipulate individuals into giving away sensitive information. They leverage trust, urgency, or fear to trick users into providing their credentials. This can be done through various communication channels, including phone calls, text messages, or social media platforms.
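
The fake-website technique above relies on hosts that read like the real brand: typosquats, digit and Cyrillic lookalikes, and brand names buried in subdomains. The following added example, which is not DataDome code, classifies a URL's host against a constructed list of protected brand domains. The PROTECTED set, the LOOKALIKES table and the sample URLs are assumptions for illustration, and registrable_domain() uses a two-label simplification instead of the Public Suffix List.

```python
"""Classify a URL's host against a list of protected brand domains.

Added example, not DataDome code. PROTECTED, the lookalike table and the sample
URLs are constructed for illustration; registrable_domain() uses a two-label
simplification instead of the Public Suffix List.
"""
from __future__ import annotations

import unicodedata
from urllib.parse import urlsplit

PROTECTED = {"paypal.com", "examplebank.com"}  # constructed brand list

# Digit/symbol substitutions and a few Cyrillic letters that render like Latin
# ones. Partial table, enough to show the technique.
LOOKALIKES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i",
})


def registrable_domain(host: str) -> str:
    """Last two labels, e.g. login.paypal.com -> paypal.com.
    Simplification: does not know multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize_label(label: str) -> str:
    """Fold a label to the ASCII letters a human would read: strip accents
    (NFKD, drop combining marks), map known lookalikes, drop hyphens."""
    folded = unicodedata.normalize("NFKD", label)
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    return folded.translate(LOOKALIKES).replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(url: str) -> tuple[str, str | None]:
    """Return (verdict, brand) for the host in url.

    verdict: legitimate, lookalike (pаypal.com, paypa1.com, paypal.net),
    typosquat (paypall.com), brand-embedded (secure-paypal.net,
    paypal.com.verify-account.net) or unknown.
    """
    host = (urlsplit(url).hostname or "").lower()
    try:
        # Punycode (xn--) hosts are decoded so lookalike letters become visible.
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, nothing to decode
    domain = registrable_domain(host)
    if domain in PROTECTED:
        return "legitimate", domain
    labels = host.split(".")
    cand_sld = normalize_label(domain.split(".")[0])
    for brand in sorted(PROTECTED):
        brand_sld = brand.split(".")[0]
        if cand_sld == brand_sld:
            return "lookalike", brand
        if len(brand_sld) >= 5 and edit_distance(cand_sld, brand_sld) <= 1:
            return "typosquat", brand
        # Brand string inside the registrable label, or used as a subdomain.
        if brand_sld in cand_sld or brand_sld in labels[:-2]:
            return "brand-embedded", brand
    return "unknown", None


if __name__ == "__main__":
    for u in ("https://www.paypal.com/signin", "https://p\u0430ypal.com/login",
              "http://paypa1.com", "https://paypall.com",
              "https://paypal.com.verify-account.net/x", "https://example.org"):
        print(f"{u:45} -> {classify_host(u)}")
```

Anything other than "legitimate" or "unknown" is a candidate for blocking in a mail gateway or a browser warning; the "unknown" bucket still deserves reputation checks, since attackers also register neutral-looking domains.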

Examples of Credential Harvesting Attacks

A common credential harvesting technique is called smishing—using SMS phishing messages to trick users into clicking malicious links. This is what happened to unsuspecting Canadian UPS customers in June 2023. They began receiving SMS messages that appeared to come from UPS, asking for payment before a package could be delivered. The cybercriminals had managed to use UPS’s package lookup tools to access delivery details, including personal contact information. UPS had to issue a public statement and work with law enforcement and third-party experts to put a stop to the scheme.

In another example, Reddit employees were targeted by a sophisticated phishing campaign in February 2023. As a result, the cybercriminals gained access to source code, internal documents, and business systems, which they threatened to leak unless Reddit paid them $4.5 million. The cybercriminals claimed to hold about 80 GB of compressed data revealing how Reddit tracks and, in some cases, censors its users, putting Reddit under serious public scrutiny.

How to Identify Credential Harvesting Attempts

Although there are many ways cybercriminals can gain unauthorized access to sensitive information, there are some signs of a credential harvesting attack that you should always be on the lookout for:

  • Unusually high account lockouts: If multiple employees or users experience frequent account lockouts or unexpected password reset requests, attackers may be testing stolen or guessed credentials against those accounts.
  • Increased number of phishing emails: A sudden surge in phishing emails targeting employees, users, or partners of your organization can be a sign that cybercriminals are trying to harvest credentials. Look out for suspicious emails, such as requests for login credentials or account verification.
  • Unfamiliar IP addresses or login locations: Monitor your authentication logs for successful logins from IP addresses or geographic locations an account has never used before, especially when they follow a burst of failures, which suggests attackers are using stolen credentials.
  • Suspicious network traffic: Monitor your network traffic for unusual or unauthorized attempts to access internal systems, servers, or databases. Look for brute force patterns (many failed logins against one account) and credential stuffing patterns (failed logins across many different accounts from a small set of IP addresses), as well as abnormal data transfers that could indicate attackers already inside.
  • Unusual account activities: Keep an eye out for any abnormal activities in employee or user accounts, such as unauthorized transactions, changes to account settings, or access to sensitive information. These activities could be a result of successful credential harvesting.
  • Social engineering attempts: Pay attention to reports of employees receiving phone calls, messages, or visits from individuals claiming to be from IT or other trusted entities. Attackers may use social engineering tactics to trick employees into divulging their credentials.
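
Several of the indicators above are visible in authentication logs alone. The following added example, which is not DataDome code, runs over constructed log lines (one login event per line, IP addresses from the documentation ranges) and raises alerts for four patterns: many failures on one account (brute force), one source failing across many accounts (credential stuffing), a flagged source then logging in successfully, and an account's first success from an unseen IP. The line format, thresholds and window are assumptions; adapt LINE_RE to your own log format.

```python
"""Find the login patterns the indicators above describe in an auth log.

Added example, not DataDome code. The log format and the events are
constructed for illustration; thresholds and the 10 minute window are
assumptions to tune against your own traffic.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) login "
    r"user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: a stuffing burst from 203.0.113.10 that then logs in as
# alice, a brute force run against grace, and alice later appearing from a new IP.
SAMPLE_LOG = """\
2024-05-03T09:00:00Z login user=alice src=198.51.100.7 result=ok
2024-05-03T10:02:10Z login user=bob src=203.0.113.10 result=fail
2024-05-03T10:02:11Z login user=carol src=203.0.113.10 result=fail
2024-05-03T10:02:12Z login user=dave src=203.0.113.10 result=fail
2024-05-03T10:02:13Z login user=erin src=203.0.113.10 result=fail
2024-05-03T10:02:14Z login user=frank src=203.0.113.10 result=fail
2024-05-03T10:02:15Z login user=alice src=203.0.113.10 result=ok
this line is not a login event and is skipped
2024-05-03T11:00:00Z login user=grace src=192.0.2.33 result=fail
2024-05-03T11:00:01Z login user=grace src=192.0.2.33 result=fail
2024-05-03T11:00:02Z login user=grace src=192.0.2.33 result=fail
2024-05-03T11:00:03Z login user=grace src=192.0.2.33 result=fail
2024-05-03T11:00:04Z login user=grace src=192.0.2.33 result=fail
2024-05-03T11:30:00Z login user=alice src=198.51.100.7 result=ok
2024-05-03T12:00:00Z login user=bob src=192.0.2.99 result=ok
2024-05-03T13:00:00Z login user=alice src=192.0.2.200 result=ok
"""


def parse(lines):
    """Parse matching lines into dicts sorted by timestamp; other lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def analyze(lines, window=timedelta(minutes=10), fail_threshold=5, user_threshold=5):
    """Return alerts in event order for: brute-force, credential-stuffing,
    success-from-flagged-ip and new-source-login."""
    fails_by_user = defaultdict(list)  # user -> failure timestamps inside window
    users_by_ip = defaultdict(dict)    # ip -> {user: last failure timestamp}
    known_ips = defaultdict(set)       # user -> IPs with an earlier successful login
    flagged_ips, flagged_users, alerts = set(), set(), []

    def alert(kind, key, e, **detail):
        alerts.append({"type": kind, "key": key, "at": e["ts"].isoformat(), **detail})

    for e in parse(lines):
        ts, user, ip = e["ts"], e["user"], e["ip"]
        if e["result"] == "fail":
            recent_fails = [t for t in fails_by_user[user] if ts - t <= window] + [ts]
            fails_by_user[user] = recent_fails
            if len(recent_fails) >= fail_threshold and user not in flagged_users:
                flagged_users.add(user)
                alert("brute-force", user, e, failures=len(recent_fails), src=ip)
            users_by_ip[ip][user] = ts
            recent_users = [u for u, t in users_by_ip[ip].items() if ts - t <= window]
            if len(recent_users) >= user_threshold and ip not in flagged_ips:
                flagged_ips.add(ip)
                alert("credential-stuffing", ip, e, accounts=sorted(recent_users))
        else:
            if ip in flagged_ips and ip not in known_ips[user]:
                alert("success-from-flagged-ip", user, e, src=ip)
            elif known_ips[user] and ip not in known_ips[user]:
                alert("new-source-login", user, e, src=ip)
            known_ips[user].add(ip)
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines()):
        print(a)
```

A success from a flagged source is the alert to act on first (force a password reset and revoke sessions); the new-source alert is lower severity on its own and is best combined with geolocation or device signals before it pages anyone.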

Remember, the presence of a single sign usually doesn’t confirm a credential harvesting attack. However, if you notice multiple indicators or a pattern of suspicious activities, it’s crucial to investigate further, take appropriate action, and engage with cybersecurity professionals to mitigate the risk.

The Business Impact of Credential Harvesting Attacks

Credential harvesting attacks pose significant threats to businesses across various industries, although it’s especially common and dangerous in the financial services industry. These attacks can have devastating consequences for a business, from financial losses to reputational damage to regulatory penalties.

Prevalence Across Industries

Credential harvesting attacks target organizations of all sizes and industries. However, the financial services industry is a particularly popular target because of the high value of financial data and the direct potential for monetary gain. Banks, insurance companies, and investment firms are under constant threat from sophisticated credential harvesting campaigns aimed at their customers' financial information.

Financial Losses

When cybercriminals gain unauthorized access to financial accounts, they can siphon funds away or make fraudulent transactions. The direct financial impact of these actions can be substantial. There are the losses from the stolen funds or fraudulent activities, but also the costs associated with investigating and remedying the breach.

Reputational Damage

Customers trust businesses to safeguard their sensitive information. A data breach resulting from a successful credential harvesting attack breaks that trust and can inflict severe reputational damage on the affected business. The negative publicity, loss of customers, and damage to brand reputation can have long-lasting consequences that affect a business's competitiveness and market standing.

Regulatory Penalties

As if financial losses and reputational damage weren't enough, most businesses are subject to regulatory frameworks that require them to protect the data and privacy of their customers. A breach that results from a successful credential harvesting attack, particularly where reasonable security measures were missing, can be treated as a failure to comply with these frameworks and can lead to substantial fines, legal fees, and compliance costs.

Methods for Preventing Credential Harvesting Attacks

By understanding a cybercriminal’s methods and techniques, individuals and organizations can effectively defend themselves against credential harvesting attacks and protect their sensitive information from unauthorized access and exploitation.

Security Awareness Training

Educating users about the dangers of credential harvesting and how to identify phishing attempts is critically important. Regular security awareness training programs can help individuals recognize suspicious emails, websites, and communications, so they can avoid falling into these traps and take appropriate action to protect their credentials.

Multi-Factor Authentication (MFA)

MFA adds an extra layer of security beyond the usual username and password. By asking users to provide an additional verification factor, such as a one-time code from their mobile device, MFA greatly reduces the risk of unauthorized access to an account even if its login credentials have been compromised. Not all factors are equal, though: a one-time code sent by SMS or generated by an authenticator app can still be captured by a phishing page and relayed to the real site within its validity window, whereas phishing-resistant factors such as FIDO2/WebAuthn security keys and passkeys bind the login to the genuine site's origin and cannot be relayed in this way.
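
The difference between a relayable code and an origin-bound factor is easiest to see in code. The following added simulation is not DataDome code and not a real WebAuthn implementation: the TOTP part follows RFC 6238, while the "authenticator" uses an HMAC as a stand-in for the credential's signature, and the origins, rpId and key store are constructed assumptions. It shows a phishing proxy succeeding against a TOTP login and failing twice against the origin-bound one: once because the browser refuses to use the credential on the wrong origin, and once because client data rewritten to claim the real origin cannot be signed without the credential key.

```python
"""Why a one-time code can be relayed by a phishing site and a WebAuthn-style
assertion cannot.

Added simulation, not DataDome code. HMAC stands in for the authenticator's
asymmetric signature; origins, rpId and the key store are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://bank.example"         # constructed legitimate site
PHISH_ORIGIN = "https://bank-login.example"  # constructed lookalike
RP_ID = "bank.example"


# --- Factor 1: time-based one-time code (RFC 6238, HMAC-SHA1, 30 s step) ----
def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def server_accepts_totp(secret: bytes, code: str, now: int) -> bool:
    # Accept the current step and one step either side for clock skew.
    return any(hmac.compare_digest(code, totp(secret, now + d)) for d in (-30, 0, 30))


def phish_totp(secret: bytes, now: int) -> bool:
    """Adversary-in-the-middle: the victim types the code into the fake page and
    the proxy forwards it to the real server a few seconds later. Accepted."""
    code_typed_on_fake_page = totp(secret, now)  # what the victim's app shows
    return server_accepts_totp(secret, code_typed_on_fake_page, now + 5)


# --- Factor 2: origin-bound assertion (WebAuthn-style) ----------------------
class Authenticator:
    """One credential key per rpId. HMAC-SHA256 stands in for ECDSA here."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}

    def register(self, rp_id: str) -> bytes:
        self.keys[rp_id] = secrets.token_bytes(32)
        return self.keys[rp_id]  # the relying party stores this as the verify key

    def sign(self, rp_id: str, client_data: bytes) -> bytes:
        msg = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
        return hmac.new(self.keys[rp_id], msg, hashlib.sha256).digest()


def browser_get_assertion(auth: Authenticator, page_origin: str, rp_id: str, challenge: str):
    """What navigator.credentials.get() does: the browser, not the page, writes the
    origin into clientData and refuses an rpId that is not the page's host or a parent."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"rpId {rp_id!r} is not valid for origin {page_origin!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}, sort_keys=True
    ).encode()
    return client_data, auth.sign(rp_id, client_data)


def server_accepts_assertion(verify_key: bytes, challenge: str, client_data: bytes, sig: bytes) -> bool:
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("origin") != REAL_ORIGIN or cd.get("challenge") != challenge:
        return False
    msg = hashlib.sha256(RP_ID.encode()).digest() + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(verify_key, msg, hashlib.sha256).digest(), sig)


def phish_webauthn(auth: Authenticator, verify_key: bytes) -> dict[str, bool]:
    """Same proxy, now relaying the real server's challenge to the victim's browser."""
    challenge = secrets.token_urlsafe(16)
    out = {"legit_login_ok": False, "browser_refused_on_phish_origin": False,
           "forged_client_data_accepted": True}
    cd, sig = browser_get_assertion(auth, REAL_ORIGIN, RP_ID, challenge)
    out["legit_login_ok"] = server_accepts_assertion(verify_key, challenge, cd, sig)
    try:
        browser_get_assertion(auth, PHISH_ORIGIN, RP_ID, challenge)
    except PermissionError:
        out["browser_refused_on_phish_origin"] = True
    # A proxy that rewrites clientData to claim the real origin still has no key to sign it.
    forged = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": REAL_ORIGIN},
                        sort_keys=True).encode()
    fake_sig = hmac.new(b"attacker-has-no-credential-key", forged, hashlib.sha256).digest()
    out["forged_client_data_accepted"] = server_accepts_assertion(verify_key, challenge, forged, fake_sig)
    return out


if __name__ == "__main__":
    print("TOTP relayed by phishing proxy accepted:", phish_totp(b"12345678901234567890", 1_700_000_000))
    a = Authenticator()
    print("WebAuthn-style outcomes:", phish_webauthn(a, a.register(RP_ID)))
```

The practical takeaway for the MFA rollout: prefer WebAuthn or passkeys for administrators and high-value accounts, and treat SMS or app codes as a mitigation against credential stuffing rather than against live phishing.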

Secure Password Practices

Encouraging users to create strong, unique passwords for each online account is crucial in preventing credential harvesting attacks. Password managers assist in generating and securely storing complex passwords and significantly reduce the likelihood of password reuse across multiple platforms.

Email Filtering and Antivirus Software

Powerful email filtering and antivirus software can help flag and block malicious emails and files associated with credential harvesting attempts, from malware to email spam.

Continuous Monitoring with Fraud Detection Software

Fraud prevention software like DataDome monitors the traffic and user behavior on your websites, mobile apps, and API to detect and prevent potential credential harvesting activities in real-time. Such software often stops other fraud attacks too, as cybercriminals rely on automated techniques for many different types of digital fraud.

Emerging Technologies & Countermeasures

Newer technologies, like artificial intelligence (AI) and machine learning (ML), can analyze patterns and behaviors to identify potential credential harvesting attacks. These technologies can detect anomalies in user behavior, network traffic, and email communications, helping identify suspicious activities and mitigate risks.

The same goes for biometric authentication methods, such as fingerprint or facial recognition, which add an extra layer of security beyond credentials and conventional MFA. Biometric data is unique to each individual, making it difficult for attackers to replicate. One caveat: unlike a password, a leaked biometric cannot be changed, so biometric templates should be stored and matched on the user's device, as platform authenticators do, rather than sent to and stored on a server.

Similarly, behavioral biometric technologies analyze unique patterns in user behavior, such as typing speed, mouse movement, or navigation habits, to continuously authenticate users. Any deviations from the established behavior patterns can trigger alerts and prevent unauthorized access.

Finally, your IT team should maintain a secure network infrastructure with up-to-date firewalls, intrusion detection systems, secure DNS services, and antivirus software. It's crucial to regularly patch and update software and operating systems to address vulnerabilities that attackers may exploit, and to warn employees and users about potentially malicious URLs they receive.

Stay Compliant with Data Protection Regulations

Although laws and regulations related to credential harvesting and data protection vary across different jurisdictions, many overlap significantly with two of the most prominent data privacy and security frameworks: GDPR and CCPA.

The General Data Protection Regulation (GDPR) is enforced in the European Union and European Economic Area. It sets out comprehensive data protection regulations and mandates organizations to protect personal data, including credentials. It imposes strict requirements for data processing, consent, data breach notification, and individual rights.

The California Consumer Privacy Act (CCPA) is a state-level law in California that grants consumers certain rights over their personal information. It applies to businesses that serve California residents regardless of where the business is located, and requires them to disclose data collection practices, allow users to opt out of data sales, and maintain reasonable security measures to protect personal information.

Prevent Credential Harvesting Attacks with DataDome

We haven’t yet discussed one of the easiest and most effective ways to reduce the risk of credential harvesting attacks: DataDome, online bot and fraud protection software that protects all your web, mobile, and API endpoints against automated threats. This includes credential harvesting attacks, but also DDoS attacks, scraping attacks, and other types of online fraud.

Cybercriminals rarely attack organizations by hand at scale; they rely on automated scripts and bots. DataDome uses advanced AI and ML algorithms, backed by a 24/7 SOC team, to stop these automated threats in their tracks. It does so within milliseconds and without impacting your user experience.

DataDome deploys easily in your existing tech architecture, has a 0.01% false positive rate, and comes with intuitive dashboards your IT and DevSecOps teams can use to understand how DataDome protects your organization. Our BotTester tool can give you a peek into the basic bots reaching your websites, apps, and/or APIs. To spot more sophisticated threats, start a free 30-day trial.

Credential Harvesting FAQs

What are credential harvesting attacks?

Credential harvesting attacks involve stealing sensitive information like usernames and passwords through methods such as phishing, smishing, fake login pages, or malware like keyloggers, all designed to capture credentials the user believes they are entering legitimately.

How can credential harvesting be prevented?

Credential harvesting can be prevented by educating users about phishing, using strong and unique passwords, enabling multi-factor authentication, and implementing robust security measures such as email filtering, employee training, and credential stuffing prevention software.

What is an example of account harvesting?

Account harvesting is when cybercriminals collect a large number of valid user accounts, and often their credentials, with automated tools. A common example is username enumeration: a script submits candidate usernames to a login, registration, or password-reset form whose responses differ for known and unknown accounts, and records which ones exist. The resulting list is then combined with leaked passwords in credential stuffing attacks. Attackers also harvest accounts wholesale by dumping the credential database of a compromised website.
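
The username enumeration example above, as an added illustration that is not DataDome code: a login handler that answers differently for unknown usernames, beside a hardened handler that returns the same response and does the same amount of work either way, and the short script an attacker would use against each. The user store, passwords and wordlist are constructed; the same fix applies to password-reset and registration forms.

```python
"""Username enumeration through a login form: leaky handler beside a uniform one.

Added example, not DataDome code. The user store, passwords and candidate list
are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password: str) -> tuple[bytes, bytes]:
    salt = secrets.token_bytes(16)
    return salt, _hash(password, salt)


# Constructed user store: username -> (salt, PBKDF2 hash).
USERS = {
    "alice": _make_user("correct horse battery staple"),
    "bob": _make_user("hunter2"),
}
# Dummy record so unknown usernames still cost one hash computation.
DUMMY = _make_user(secrets.token_hex(16))


def login_leaky(username: str, password: str) -> tuple[int, str]:
    """Vulnerable: status code and message reveal whether the username exists,
    and the hash is skipped for unknown users, which also leaks through timing."""
    if username not in USERS:
        return 404, "No account with that username"
    salt, digest = USERS[username]
    if hmac.compare_digest(_hash(password, salt), digest):
        return 200, "Signed in"
    return 401, "Wrong password"


def login_uniform(username: str, password: str) -> tuple[int, str]:
    """Hardened: one failure response for every bad attempt, and the password
    hash is always computed so known and unknown usernames take similar time."""
    salt, digest = USERS.get(username, DUMMY)
    password_ok = hmac.compare_digest(_hash(password, salt), digest)
    if password_ok and username in USERS:
        return 200, "Signed in"
    return 401, "Invalid username or password"


def harvest_usernames(login, candidates: list[str]) -> list[str]:
    """Attacker's enumeration script: a candidate exists if its failure response
    differs from the response for a username that certainly does not exist."""
    baseline = login("zz-no-such-user-" + secrets.token_hex(4), "wrong")
    return [u for u in candidates if login(u, "wrong") != baseline]


if __name__ == "__main__":
    wordlist = ["admin", "alice", "bob", "carol"]
    print("leaky form leaks:  ", harvest_usernames(login_leaky, wordlist))
    print("uniform form leaks:", harvest_usernames(login_uniform, wordlist))
```

Uniform responses remove the direct oracle; rate limiting per source IP and per username, and bot detection in front of the form, are what stop the attacker from simply running the wordlist anyway and measuring subtler differences.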

How are credentials captured?

Credentials are captured through various methods such as phishing emails, fake websites, keyloggers, or social engineering tactics, where users unwittingly provide their login information to attackers.
