Password-Stealing Malware Remains Key Tool for Cybercriminals

Verizon’s recently released 2017 Data Breach Investigations Report shows that in 81% of the hacking-related breaches studied, the attackers leveraged stolen and/or weak passwords to gain access to their victims’ information systems. This sobering statistic highlights the need for organizations to detect and prevent password theft, and to defend themselves against attacks that use credentials compromised elsewhere.

[Figure: Verizon 2017 report executive summary]

Figure Credit: Verizon 2017 Data Breach Investigations Report, 10th Edition.

We’ve known for a long time that the majority of data breaches involve the use of stolen passwords, so the statistics in the Verizon study are not all that surprising. Still, it’s troubling to see this same issue accounting for so many data breaches year after year.

Password-Stealing Malware

Cybercriminals are increasingly effective at stealing user credentials. They obtain passwords in numerous ways, including phishing attacks, password-grabbing keyloggers and spyware, and absconding with entire databases of user account information. Many of these techniques involve some sort of malware. Phishing attacks use malicious emails that lead victims to credential-harvesting websites, which are frequently laden with malware as well. Spyware and keylogging malware have been with us for decades, yet these malicious programs continue to grow in number and sophistication. Administrative credentials are frequently obtained by advanced malware that captures passwords or password hashes from memory or from network packets, enabling attackers to reach privileged resources such as user account databases.

Password Reuse on Multiple Sites

After password-stealing malware has obtained user login credentials, attackers use them to penetrate the targeted system. But that’s not the end of the damage. Cybercriminals will also use the stolen credentials to attempt access to networks and services owned by other entities. Attackers capitalize on the fact that individuals tend to use the same password on multiple sites. So, capturing a user’s Facebook credentials, for example, may well give criminals access to the victim’s bank or corporate accounts.

Kelly Sheridan of DarkReading says: “Credential stuffing is the process of using automated systems to brute-force a website with login information stolen from another site, hoping it will match with an existing account. It’s easy for attackers to automate account takeover by identifying where users employ the same credentials on multiple sites and spreading their attack to more accounts.”

According to the Verizon report, “there are armies of botnets with millions (or billions) of credentials attempting to reuse them against other sites. In other words, even though components of authentication weren’t compromised from you, it doesn’t mean they were not compromised.”
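The credential-stuffing pattern described above has a recognizable signature in authentication logs: one source tries many different usernames, each only once or twice, with a high failure rate, and the few successes are exactly the accounts whose owners reused a password that leaked elsewhere. The following detector is an added example, not code from the original post or from Verizon; it runs over constructed sample log lines (the timestamps, IP addresses and usernames are made up) and distinguishes stuffing from single-account brute force. The field layout, thresholds and function names are assumptions for the illustration.

```python
"""Credential-stuffing detector over constructed authentication log lines.

Added example, not part of the original post. Log format is assumed to be
"timestamp src_ip username OK|FAIL", one event per line.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample data (not real traffic). 203.0.113.7 sprays one password
# per username (stuffing); 198.51.100.9 hammers one account (brute force);
# 192.0.2.44 is a user who mistyped once and then logged in.
SAMPLE_LOG = """\
2017-05-01T10:00:01 203.0.113.7 alice FAIL
2017-05-01T10:00:01 203.0.113.7 bob FAIL
2017-05-01T10:00:02 203.0.113.7 carol FAIL
2017-05-01T10:00:02 203.0.113.7 dave OK
2017-05-01T10:00:03 203.0.113.7 erin FAIL
2017-05-01T10:00:03 203.0.113.7 frank FAIL
2017-05-01T10:00:04 203.0.113.7 grace FAIL
2017-05-01T10:00:04 203.0.113.7 heidi OK
2017-05-01T10:00:05 203.0.113.7 ivan FAIL
2017-05-01T10:00:05 203.0.113.7 judy FAIL
2017-05-01T10:01:00 198.51.100.9 alice FAIL
2017-05-01T10:01:01 198.51.100.9 alice FAIL
2017-05-01T10:01:02 198.51.100.9 alice FAIL
2017-05-01T10:01:03 198.51.100.9 alice FAIL
2017-05-01T10:01:04 198.51.100.9 alice FAIL
2017-05-01T10:01:05 198.51.100.9 alice FAIL
2017-05-01T10:05:00 192.0.2.44 mallory FAIL
2017-05-01T10:05:30 192.0.2.44 mallory OK
"""

# Assumed tuning thresholds; tune per site against your own baseline.
MIN_ATTEMPTS = 5      # ignore sources with fewer attempts in the window
SPRAY_RATIO = 0.8     # distinct usernames / attempts at or above this is a spray
MIN_FAIL_RATIO = 0.5  # most stuffed credentials fail, since most users don't reuse


def parse_log(text: str) -> List[dict]:
    """Turn raw log lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events


def summarize_by_source(events: List[dict]) -> Dict[str, dict]:
    """Aggregate attempts, distinct usernames, failures and successful logins per source IP."""
    stats: Dict[str, dict] = defaultdict(
        lambda: {"attempts": 0, "users": set(), "fails": 0, "hits": set()}
    )
    for e in events:
        s = stats[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["ok"]:
            s["hits"].add(e["user"])   # accounts this source actually got into
        else:
            s["fails"] += 1
    return stats


def classify_source(s: dict) -> str:
    """Label one source as credential_stuffing, brute_force or benign."""
    if s["attempts"] < MIN_ATTEMPTS:
        return "benign"
    spray = len(s["users"]) / s["attempts"]
    fail_ratio = s["fails"] / s["attempts"]
    if spray >= SPRAY_RATIO and fail_ratio >= MIN_FAIL_RATIO:
        return "credential_stuffing"   # many users, roughly one guess each
    if len(s["users"]) == 1 and fail_ratio >= MIN_FAIL_RATIO:
        return "brute_force"           # one user, many guesses
    return "benign"


def detect(text: str) -> Tuple[Dict[str, str], Set[str]]:
    """Return (verdict per source IP, accounts compromised via stuffing).

    Accounts that a stuffing source logged into are exactly the users whose
    reused password worked; they need a forced reset, not just an alert.
    """
    stats = summarize_by_source(parse_log(text))
    verdicts = {ip: classify_source(s) for ip, s in stats.items()}
    compromised: Set[str] = set()
    for ip, verdict in verdicts.items():
        if verdict == "credential_stuffing":
            compromised |= stats[ip]["hits"]
    return verdicts, compromised


if __name__ == "__main__":
    verdicts, compromised = detect(SAMPLE_LOG)
    for ip, verdict in verdicts.items():
        print(f"{ip:15} {verdict}")
    print("accounts to force-reset:", sorted(compromised))
```

The per-IP view is the simplest cut and is deliberately naive: as the Verizon quote notes, real stuffing campaigns are spread across botnets, so a production detector also watches the site-wide failure rate and distinct-username rate per time window, and correlates by ASN, user agent and request timing rather than trusting a single address to stay put.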

This report, and many others like it, makes it very clear that stolen passwords are the key to most data breaches. Since so many passwords are stolen by malware and phishing, it’s critical that individuals and organizations everywhere improve their tools and procedures to protect themselves and others from password-stealing malware. In addition, it’s essential to be able to detect network compromises, and the malicious activity that follows them, when they are enabled by credentials stolen elsewhere.


“The most secure password in the world is useless if a hacker steals it, but it becomes much less useful if it’s not the same password you use for every single log-in.” —Rick Broida, CNET

Bert Rankin

Bert Rankin has been leading technology innovation for over 25 years including over 5 years in security solutions that prevent cybercrime. He is a frequent blogger and is often quoted in security-related articles. Bert earned his BA from Harvard University and an MBA at Stanford University.