Cyber criminals are always on the hunt for user and corporate credentials (usernames and passwords). If you have someone’s credentials, you can log in to their systems, access valuable data and perform fraudulent transactions on their behalf.

Credentials are typically extracted by cyber criminals in one of three ways:

  1. Key-logging malware captures users’ keystrokes during login and sends the information to the attacker. There are various techniques to compromise user machines with such malware, including drive-by downloads, watering hole attacks and infected USB drives.
  2. A phishing site, a fake website designed to look like a legitimate login page for an online banking website or an online application such as Google Docs, collects the credentials. To get the user to the phishing site, the attacker sends a spear-phishing message that looks like it came from a trusted source, such as a bank, colleague or government office. Once the user attempts to log in to the phishing site, the credentials are sent directly to the attacker.
  3. Cyber criminals hack into e-commerce websites and social networks to extract the user database, including user credentials. Since users often reuse credentials, it is highly likely that the same credentials can be used for logging into other systems as well.

General Recommendations

There are several things that can be done to lower the risk of credential theft. First, don’t log in to sensitive applications from unprotected machines. Make sure your antivirus is up-to-date and, if possible, use special security solutions designed to block information-stealing malware to protect your machine.

Be cautious about possible spear-phishing emails, even if the message seems to come from a trusted source. When receiving a message that includes a link to a website, try to verify that the request is genuine and that it takes you to a relevant site. If possible, don’t click the link. Instead, open your browser and type in the address yourself.

Change your passwords often, use complex passwords and don’t use the same credentials across multiple systems. For systems that are especially critical to you or your business, consider using two-factor authentication. This requires additional information from the user at login, which makes the account harder to compromise.

Protecting Corporate Credentials

IBM Security Trusteer Apex Advanced Malware Protection is an advanced threat protection solution designed to protect user machines from advanced, information-stealing malware. Its exploit prevention and data exfiltration prevention technologies are designed to prevent advanced malware from compromising the user endpoint. In addition, Trusteer Apex includes special protections to prevent corporate credentials theft and exposure:

  1. Keystroke obfuscation: Trusteer Apex obfuscates user keystrokes during login procedures, preventing key loggers from capturing user credentials.
  2. Prevent corporate password exposure on phishing sites: Trusteer Apex ensures corporate credentials are used only for logging into corporate Web applications. If the user is trying to log in to a phishing site, the login will be blocked.
  3. Prevent reuse of corporate credentials on noncorporate sites: Trusteer Apex prevents users from using their corporate credentials to log in to nonapproved public sites, such as e-commerce sites or social media. The user will be requested to change his or her credentials before logging into the website.
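
The idea behind items 2 and 3, and behind the earlier advice to verify where a link really leads, can be shown as an exact-match check on the host a login URL resolves to. This is an added example, not IBM's code and not a description of how Trusteer Apex is implemented; the host names, the allowlist and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist of corporate login hosts (an assumption, not from the article).
APPROVED_LOGIN_HOSTS = {"sso.corp.example", "mail.corp.example"}


def login_host(url):
    """Return the normalized host a browser would connect to, or None if unusable."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # drops any "user@" prefix and the port
    except ValueError:
        return None
    if parts.scheme != "https" or not host:
        return None  # credentials are never sent over plain HTTP
    try:
        # Convert internationalized names to ASCII (punycode) so a look-alike
        # character can never compare equal to an approved ASCII name.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    return host.rstrip(".").lower()


def may_submit_corporate_credentials(url):
    """Allow a login only when the host exactly matches an approved entry."""
    host = login_host(url)
    return host is not None and host in APPROVED_LOGIN_HOSTS


# Constructed sample URLs: one genuine login page and three look-alikes.
SAMPLE_URLS = [
    "https://sso.corp.example/login",
    "https://sso.corp.example@phish.test/login",   # real host is phish.test
    "https://sso.corp.example.phish.test/login",   # approved name used as a prefix
    "http://sso.corp.example/login",               # right host, unencrypted
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        verdict = "allow" if may_submit_corporate_credentials(url) else "block"
        print(f"{verdict:5}  {url}")
```

Exact matching on the parsed host, rather than a substring or prefix test on the raw URL, is what makes the second and third samples fail.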

Update: Massive Hack Exposes 2 Million User Credentials

Only one day after we blogged about the importance of user credential protection, one of the biggest credentials breaches came to light. The breach was the result of key-logging malware that was installed on numerous computers around the world. The malware captured the usernames and passwords of users logging in to more than 93,000 websites and sent the information to a server controlled by the attackers. The breached credentials allow the hackers to log in to sensitive applications such as ADP payroll systems.
