Around 15 billion credentials are in circulation in cyber-criminal marketplaces.

According to new research from Digital Shadows, a 300% increase in stolen credentials from over 100,000 data breaches in the past two years means there are more than 15 billion credentials in circulation. These include credentials for bank accounts, social media and video streaming services.

Of these, more than five billion were assessed to be ‘unique’ – i.e. they have not been advertised more than once on criminal forums.

Rick Holland, CISO and VP of strategy at Digital Shadows, said: “The sheer number of credentials available is staggering and in just over the past 1.5 years, we’ve identified and alerted our customers to some 27 million credentials – which could directly affect them.

“Some of these exposed accounts can have (or have access to) incredibly sensitive information. Details exposed from one breach could be reused to compromise accounts used elsewhere.”

Many account details are offered free of charge, but of those on sale, the average account trades for $15.43. Bank and financial accounts are the most expensive, averaging at $70.91, however they trade for upwards of $500, depending on the ‘quality’ of the account.

There was also evidence that methods to bypass 2FA were commonly discussed on cyber-criminal forums. In one example, in December 2019, a user on the Russian-language cyber-criminal forum Exploit created a thread to sell a method designed to bypass 2FA systems at a United States-based online bank. They stated that their system would allow seven to nine out of 10 accounts to be accessed without requiring SMS verification, and that they considered their offer to be worth $5000.

In an email to Infosecurity, security researcher and speaker Troy Hunt said he was not “overly surprised by the numbers” as he had noticed a lot more credential stuffing lists in circulation recently and just like the pandemic itself, they seem to be replicating at a fierce rate.

“It’s one of those things that’s very easy to propagate and I often see the same data represented in different derivatives, for example, expressed by the domain of the email account or the geographic location of the account holder.”

Asked if he felt more accounts were being created due to people working from home and getting more deliveries, Hunt said: “Personally, I think it’s too early to see an impact on credential stuffing lists due to the pandemic. Yes, there’s a lot more people working remotely, but these lists are curations of previous data breaches bundled up and passed around as sources for brute-forcing login pages.

“These lists are also dependent on having passwords accessible in either plain text or with weak cryptographic protection (i.e. MD5 or SHA-1 hashes) which fortunately is becoming increasingly uncommon.”

Digital Shadows also observed the growth of ‘account takeover as-a-service’ where, rather than buying a credential, criminals can rent an identity for a given period, often for less than $10.

For this price, the service collects fingerprint data (such as cookies, IP addresses, time zones) from an individual (the target), which makes it considerably easier to perform account takeovers and transactions that go unnoticed. Such is the popularity of these services that users on forums are desperate to acquire invite codes to this market.

Holland added: “The message is simple – consumers should use different passwords for every account and organizations should stay ahead of the criminals by tracking where the details of their employees and customers could be compromised.”

People in the UK are being targeted by a new phishing scam designed to trick victims into handing over details of their HSBC bank account.

The scam, discovered by litigation specialists Griffin Law, begins with a bogus text message that claims to be from the banking and finance giant informing the receiver that a new payment has been made through the HSBC app on their phone.

The user is then told that, if they are not responsible for the payment, they should visit the site “Security.hsbc.confirm-systems.com” to validate their bank account, before being directed to a fake landing page which asks for their username and password, followed by a series of verification steps.

The fraudulent site, which uses official HSBC branding, then asks for specific account details and personal data of the individual.

Griffin Law claimed that almost 50 people have come forward to say they have received the text message so far, with some able to identify the scam due to the fact they do not have a HSBC app installed on their phone. Thankfully, thus far, there have been no current reports of the scam being successful, according to Griffin Law.

Chris Ross, SVP, Barracuda Networks, said: “This is the latest in a long line of increasingly sophisticated phishing scams, designed to trick the victim into handing over their personal financial details.

“Increasingly, we are seeing examples of cyber-criminals using the branding of major banks to create realistic-looking fake websites, in order to extract personal financial information.”

When it comes to tackling the problem, all companies and users must remain vigilant of such scams, he added.

“SMS messages are often used by criminals to catch workers off-guard, using their personal mobile number. Ensuring security awareness within the workforce is critical, and it’s important that all employees are trained about how these schemes operate as well as how SMS messages can be exploited as part of a wider phishing scheme designed to steal company funds and data.”

Researchers have once again spotted crooks using calendar invitations to mount phishing attacks. The Cofense Phishing Defense Center found the attack in enterprise email environments protected by Proofpoint and Microsoft, it announced last week.

The phishing scam uses iCalendar, which is a media type that lets users store and exchange calendaring and scheduling information, including events and tasks. iCalendar files are usually delivered with an .ics extension. The company found the attackers using this file with the subject “Fault Detection from Message Center,” from a sender with the display name Walker. It came from a legitimate account belonging to a school district, indicating that the attackers were using a compromised email. That enabled them to bypass email filters relying on the DKIM and SPF technologies that authenticate sending domains.

When the victim opens the .ics file, it proposes a calendar entry displaying the URL, along with a message saying that it is from a security center. The web page behind the URL is hosted on Microsoft’s SharePoint site, and displays another link to a phishing site hosted by Google that appears to show a Wells Fargo login page.

Victims gullible enough to cooperate must submit their login details, PIN and account numbers, along with their email credentials. Doing so hands the attackers the keys to the kingdom. The phishing site will then send them to the legitimate Wells Fargo website to quell any suspicion.

This may be a new campaign, but it is not a new technique. A similar attack cropped up last June, when Kaspersky found attackers using Google’s auto-add feature. In that attack, smartphone users would see the invitation as a pop-up invitation, displaying a link to a phishing URL that asked for their credit card data and personal information.

This attack shows that cyber-crooks are still using the same attack vectors to deliver their scam material. Cofense also points out that using legitimate domains designed to host user content is a common tactic, and a perennial problem for the likes of Microsoft and Google. It gives the attackers an air of legitimacy because they get to take advantage of these sites’ built-in SSL certificates, which add the reassuring green padlock icon to the side of the URL in a browser’s address bar.