Credential theft was substantially up in North America during the third quarter – even as declines were charted in Europe and Asia.
Periodic analysis from Blueliv shows a 141 percent increase in compromised credentials from North American targets between June and August compared with the March through May period. In contrast, fewer compromised European and Asian credentials were detected over the same period (decreases of 22 percent and 36 percent respectively).
“These trends in cybercriminal success rates suggest that there have been some profitable campaigns in the North American region over the summer quarter,” Blueliv analysts said, in a posting this week.
However, despite an overall decrease in the European and Asian regions across the three months, the month-to-month numbers show some region-specific trends. For instance, in one month there was a steep drop in geolocated credentials detected from Europe and Russia (a 33 percent decrease), against a sharp rise in Asia over the same month (a 77 percent increase).
“Blueliv observations suggest that a sizeable botnet was taken down in Europe, while a campaign focusing on different countries in Asia was thriving,” the firm said.
Malware Trends
When it comes to the tools used to harvest personal details from victims, Blueliv's report notes that cybercriminals choose their credential-stealing method according to their skill set and resources. One of the easiest ways to collect credentials is phishing: it takes little skill to craft a social-engineering email, and templates for phishing sites are readily available.
Malware, on the other hand, is more efficient, since most people have reams of credentials stored on their computers (in browsers, email clients, FTP clients and similar software). However, running a malware campaign usually requires more knowledge and resources than a phishing campaign would.
“Nowadays, malware infections are the main ‘tool’ used to steal credentials, in terms of efficiency, volume and timeliness,” Blueliv said. “Obviously, success depends on the type of malware used and its targets, but it is possible to buy cheap kits or use source code leaks in order to achieve the objective.”
Pony is the most popular credential-stealing malware; it harvests saved credentials from a long list of email, instant-messaging and FTP applications, as well as VPN and SSH clients. It can also brute-force user accounts, and it decrypts passwords that applications store in their own encrypted formats, recovering them in cleartext. Blueliv noted that a Pony botnet steals around 8,000 credentials on average, but depending on how widely a given binary is distributed, a single campaign can collect millions of passwords.
Interestingly, Blueliv’s latest analysis shows that the LokiPWS (a.k.a. Lokibot) malware family distribution is growing faster than the Pony stealer.
Back in May, Pony and LokiPWS were consistently among the most active malware, with Pony ahead of the others by several lengths. Still, at the time, LokiPWS malware distribution had increased by more than 300 percent over the previous 12 months. Now, LokiPWS samples have almost doubled again, with a 91 percent increase quarter-over-quarter – and it’s closing the gap with Pony.
LokiPWS is described as a hybrid mobile malware with characteristics of both a banking trojan and an info-stealer, and it sells for between $200 and $300 on the Dark Web. One caveat worth noting: the LokiBot name is shared by a Windows credential stealer and a separate Android banking trojan, and the mobile capabilities listed here are those of the Android family. It's a nasty piece of work: aside from the overlay attack common to Android banking trojans, it can steal the victim's contacts, read and send SMS messages, exfiltrate browser histories, launch mobile banking applications, and even lock the device so that the user cannot access it.
“Source-code leaks of different versions of LokiPWS in recent years have probably influenced its increase in usage as a credential-stealer, but this does not mean that we should discount the likes of Pony, Emotet, KeyBase and AZORult, which continue to be disturbingly effective around the world,” Blueliv noted.