Threat actors are auctioning off domain administrator credentials, selling account access to the highest bidder for up to $140,000, according to San Francisco-based cybersecurity vendor Digital Shadows.
In a report this week, titled "From Exposure to Takeover: The 15 billion stolen credentials allowing account takeover," Digital Shadows presented insights compiled from two years of research into stolen credentials and account takeovers. The vendor estimated that more than 15 billion credentials are in circulation among cybercriminals, with roughly 5 billion of those being unique.
Among the report insights are those related to the auctioning of domain admin credentials, which sold for an average of $3,139 on dark web marketplaces.
"Due to the value of certain credentials, such as a domain administrator account, cybercriminals are driven to procure the best price for their product. In an auction scenario, the vendor will set a starting price, outline a minimum increment bid amount, and determine an immediate-sell price for customers that may want to buy the credentials outright," Kacey Clark, threat researcher at Digital Shadows, told SearchSecurity via email. "This method is common on cybercriminal platforms because the vendor can outline the rules, establish a timeline for the sale (while potentially eliminating slow or hesitant responses), and continuously negotiate up."
In the report, researchers noted they found auctions listing admin credentials for various unnamed enterprises described as "petrochemical company," "cybersecurity company" and "architecture and engineering company," as well as several state governments. Some auction listings included additional information such as the number of systems in the network, the number of employees and the company website's Alexa ranking.
The crux of the report involved the sale of accounts of all shapes and sizes. For example, consumer antivirus account access sells for just over $20 on average, while media streaming, social media and file sharing accounts were traded for under $10. Banking and other financial accounts are sold for an average of $70.91 apiece, making them the most valuable.
Another section of the report touched on two-factor authentication (2FA) and how it can be defeated when the threat actor has the right tools. For example, in the case of SMS-based 2FA, a technique called SIM-jacking allows cybercriminals to use social engineering to convince mobile network providers to transfer a victim's mobile service to a new SIM card controlled by the threat actor. In another instance, Cerberus malware was discovered earlier this year to have the ability to bypass Google Authenticator.
While Digital Shadows established that 2FA and MFA were better alternatives to a simple username/password combo, Clark recommended additional steps to protect admin accounts.
"The use of single sign-on in conjunction with multi-factor authentication can significantly decrease the risk of domain administrator credential compromise. Additionally, some organizations may want to consider session recording for all privileged accesses," Clark said. "Finally, proactively monitoring for potentially malicious behavior can be invaluable to companies facing a potential insider or outsider threat."