It was only ever a matter of time, and new research has now revealed just how far along the 'marketing database provider' road cyber-criminals have travelled in order to curate, package and sell stolen credentials. These so-called combo lists are nothing new, of course: they gather together credentials from multiple breaches. What is new, however, is that entrepreneurial cyber-criminals are now renting out access to these databases: Combolists-as-a-Service is a thing now.
The Photon Research Team at Digital Shadows report their findings in an account takeover kill chain analysis that details how one such Combolists-as-a-Service provider, DataSense, uses a marketing narrative on the CrackedTO cracking forum to push their offering as a tradeable service commodity.
"DataSense provides users with up-to-date combolists and a self-proclaimed quality product," the report states, continuing that the team behind it are described as "experienced crackers... who use years of dorks and cracking experience." Dorks, in case you wondered, are not slow-witted folk but rather specifically crafted search queries to find exploitable sites and servers.
"Combolists are a valuable commodity across the cyber-criminal landscape," Viktoria Austin, strategy and research analyst at Digital Shadows, told SC Media UK, "because they enable cyber-criminal threat actors to build on the gains of their peers." So, for example, credentials obtained from a combolist can be used in credential stuffing campaigns and phishing attacks (both targeted and opportunistic), and can support account takeover to facilitate other crimes such as banking fraud.
"We’ve also seen actors offering comprehensive sets of breach data as well as slimmer lists of a breach entity, almost as a way to hook the cyber-criminal," Austin says, continuing "the slimmer lists of the breach entity is almost like the free trial of a product, with the comprehensive set of data being the full package."
The threat research team at Netacea has also been tracking the growing account takeover market over the past 12 months. "Attackers are adapting to fulfil the demands of the market, and account re-sellers are not restricted to the dark web anymore," James Maude, head of threat research at Netacea told SC Media UK, "we’ve seen a rise in the sales of compromised accounts such as streaming services and loyalty points schemes on the regular internet too, with services like Parade Shop making stolen accounts accessible to anyone who knows what they’re looking for."
Javvad Malik, security awareness advocate at KnowBe4, agrees that combolists are increasing in popularity and the demand for good quality ones, sorted by specific industry verticals or geographic locations, is increasing. "This is driven by the need for cyber-criminals to increase profit margins without operational overhead and increased risk," Malik says referring to the Combolists-as-a-Service approach, "the blending of traditional criminal organisations are taking advantage of this bullet-free way of making money in the cyber-realm."
We recently reported that the National Cyber Security Centre (NCSC) was achieving its aims, as criminal infrastructure was shrinking, with fewer IPs used to attack UK systems. "As the NCSC points out, the sources of abuse are narrowing, and this is a good thing," Chester Wisniewski, principal research scientist at Sophos says, "but this could be a temporary reprieve." Wisniewski argues that cyber-criminals have been specialising for years and this is just a different way they have subdivided.
"It’s likely that cyber-criminals are using VPNs so the IPs being used are from a more concentrated pool," Austin adds, "they could be using cracked VPN credentials, hence further concentrating the IPs used." Cracking actors also tend to use off-the-shelf software to launch attacks, so the subdivision and specialism lies in the software rather than in the infrastructure.
As for mitigation advice, Stuart Sharp, VP of solution engineering at OneLogin, suggests that when it comes to protecting organisations, "it's advisable to use multi-factor authentication (MFA) as the best way to prevent account takeover." When it comes to the threat posed by compromised credentials more generally, he suggests imposing more complex password policies. "The ability to check in real time as to whether a user is going to reuse a compromised credential when creating their password is gaining traction in the market," Sharp concludes, "and something that will prove to be important moving forward."
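The real-time check Sharp describes can be built without ever sending a user's password (or its full hash) to a third party. The added example below is not from the article or from any vendor quoted in it; it follows the k-anonymity range-lookup pattern popularised by Have I Been Pwned's Pwned Passwords service (client sends the first five hex characters of the SHA-1 hash, the server returns every suffix it holds for that prefix, the client matches locally), but runs entirely against a small constructed corpus. The password list, hit counts, function names and the 12-character minimum are all invented for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach-derived password corpus. Real services
# hold hundreds of millions of hashes; these entries and counts are invented.
CONSTRUCTED_BREACHED_PASSWORDS = {
    "password": 1200,
    "123456": 980,
    "qwerty": 640,
    "letmein": 75,
    "Summer2019!": 3,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password (the range API's hash choice)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Index hashed passwords by the first 5 hex characters of their SHA-1,
    the way a k-anonymity range-lookup service stores them."""
    index = defaultdict(dict)
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index[digest[:5]][digest[5:]] = count
    return index


BREACH_INDEX = build_range_index(CONSTRUCTED_BREACHED_PASSWORDS)


def range_query(index: dict, prefix: str) -> dict:
    """Simulated server side: return every suffix stored under a 5-char prefix.
    The server only ever sees the prefix, so it cannot recover the password."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    return dict(index.get(prefix.upper(), {}))


def breach_count(password: str, index: dict) -> int:
    """Client side: hash locally, query by prefix, match the suffix locally.
    Returns how many times the password was seen in the corpus (0 = not seen)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return range_query(index, prefix).get(suffix, 0)


def validate_new_password(password: str, index: dict, min_length: int = 12) -> list:
    """Policy check at password-set time. Returns a list of problems; an empty
    list means the password may be accepted. A compromised password is rejected
    outright, regardless of how complex it looks."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    seen = breach_count(password, index)
    if seen:
        problems.append(f"appears in breach corpus ({seen} times)")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Summer2019!", "this-is-not-in-the-corpus-7f3a"):
        print(candidate, "->", validate_new_password(candidate, BREACH_INDEX) or "ok")
```

The point of the prefix split is that the lookup service learns nothing useful: with five hex characters there are about a million buckets, so every query is indistinguishable from the other passwords sharing that bucket. Note that "Summer2019!" passes a typical complexity rule yet is rejected here, which is exactly why a breach-corpus check complements, rather than replaces, a length and complexity policy.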