IT security in remote work environments is no easy task for companies. When the switch to the home office has to be made in the shortest possible time, the digital risk for employees takes on entirely new dimensions. Every work computer that connects to a private or public Wi-Fi network automatically enlarges the attack surface, and every new cloud tool harbours security risks of its own.
As a rule, applications are therefore subjected to a detailed review by the company's IT department before they are made available to employees. During the Corona crisis of recent weeks and months, however, there was in many cases simply no time for this.
Are You Sure You Want To Zoom In, Or Do You Prefer To Make A Phone Call?
Zoom is a prime example of this. The video conference portal experienced a boom with Corona and recorded an increase in daily data traffic of 535% in March alone.
It didn't take long for critical voices to draw attention to the solution's inadequate security measures and data protection guidelines. These justified objections did little to slow its spread, in private and professional settings alike. In April, up to 300 million users worldwide took part in Zoom video conferences every day.
Zoom is just one of many solutions that employees download on their own initiative, without coordination with IT, and which, as shadow IT, cause headaches for those responsible for security in companies.
The risk from uncontrolled IT assets is considerable. If the correct setup and the integration into a holistic security strategy (including security and version updates) are missing, it is only a matter of time before cybercriminals exploit security gaps in such applications.
Security awareness also leaves a lot to be desired among many users, and Zoom once again serves to demonstrate the consequences of poor password hygiene.
In April, credentials for more than half a million Zoom accounts surfaced on the dark web and on criminal marketplaces. However, Zoom itself had not been hacked. The passwords offered for sale came from earlier data leaks, which cybercriminals reuse to launch attacks on online accounts.
Uninvited Guests In Your Online Account
If password guidelines of this kind are not adequately enforced on the corporate side, it is only a matter of time before accounts are hacked and the leaked access data is offered for sale on the dark web.
This can be expensive for companies. In the US alone, account takeover fraud (ATO) losses amounted to over $5.1 billion in 2017. ATO is part of the standard repertoire of cybercriminals. Once attackers have access to an account, they can harvest sensitive data for phishing attacks or use it for blackmail (sextortion).
In other cases, the accounts only serve as a base camp from which to infiltrate the company network further, smuggle in malware or enlist the user's devices in a botnet. Initially, the attackers mainly targeted e-commerce websites and bank accounts, but by now every platform that requires registration is exposed to the risk of identity theft. With Corona and the home office, video conference platforms like Zoom have come into focus.
The amount of sensitive access data circulating on the open, deep and dark web is continuously increasing. The threat intelligence firm Digital Shadows has over 16 billion leaked credentials in its database.
In their research, the team of analysts also came across a new scheme for selling so-called combo lists. These are usually long text files containing millions of username and password combinations. The best-known example is "The Anti Public Combo List", discovered in 2017, which comprised more than 562 million login details compiled from various data leaks, including Adobe, Dropbox, LinkedIn and Yahoo.
Combolists-as-a-Service (CaaS) have also been found on the dark web since 2019.
Credential Stuffing & Bot Technology
The question rightly arises whether an employee's leaked Netflix password represents a security risk for their company. Statistically, the success rate of credential stuffing is relatively low.
An attacker has to try roughly 1,000 accounts to score one hit with a valid password. That the business is still worthwhile is due to the sheer mass of exposed login data and to modern credential stuffing tools and bot technology.
Put simply, a bot is software that interacts with websites and end devices over the Internet. Several bots can be linked to form a network (botnet) and can launch hundreds, thousands or tens of thousands of login attempts against one account at the same time.
This allows cybercriminals to automate and optimise account takeovers and identity theft to a high degree. Since the login attempts appear to come from different device types and IP addresses, the usual countermeasures of web applications, such as blocking an IP address after several failed logins, are of little help. Usually, only the rise in the total volume of login attempts reveals that a credential stuffing attack is underway.
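The point made above, that per-IP lockouts miss a distributed attack and only the aggregate volume gives it away, can be turned into detection logic. The following is an added example written for this page, not code from the original article or from any vendor it mentions. It parses a hypothetical authentication log format ("timestamp user ip OK|FAIL"), buckets events per minute, and flags a minute as credential stuffing when the attempt count far exceeds a baseline, most attempts fail, and the attempts are spread across many IPs and many accounts; the sample log lines and thresholds are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Hypothetical log format assumed for this example:
# "<ISO timestamp> <username> <client IP> <OK|FAIL>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\d{1,3}(?:\.\d{1,3}){3}) (OK|FAIL)$")


def constructed_log():
    """Constructed sample data (not real logs): a quiet minute, then one minute
    in which 40 different accounts are tried from 40 different IPs, one attempt
    each, and a single reused password happens to work."""
    lines = [
        "2020-05-04T10:00:05 alice 198.51.100.10 OK",
        "2020-05-04T10:00:21 bob 198.51.100.11 FAIL",
        "2020-05-04T10:00:24 bob 198.51.100.11 OK",
        "2020-05-04T10:00:50 carol 198.51.100.12 OK",
    ]
    for i in range(40):
        result = "OK" if i == 17 else "FAIL"
        lines.append(f"2020-05-04T10:01:{i:02d} user{i:03d} 203.0.113.{i + 1} {result}")
    lines.append("2020-05-04T10:02:10 alice 198.51.100.10 OK")
    return lines


def parse_log(lines):
    """Yield (minute, user, ip, success) tuples; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, ip, result = m.groups()
        events.append((ts[:16], user, ip, result == "OK"))  # "YYYY-MM-DDTHH:MM"
    return events


def analyse(lines, baseline_per_minute=5, per_ip_lockout=5):
    """Return per-minute statistics plus a credential-stuffing verdict.

    A minute is flagged when attempts are at least 4x the baseline, at least 80%
    of them fail, and both distinct IPs and distinct accounts make up at least
    half of the attempts (i.e. the load is spread out rather than concentrated).
    The per-IP lockout flag shows whether a classic per-source rule would have
    fired at all."""
    by_minute = defaultdict(list)
    for minute, user, ip, ok in parse_log(lines):
        by_minute[minute].append((user, ip, ok))

    findings = {}
    for minute, evs in sorted(by_minute.items()):
        attempts = len(evs)
        failures = sum(1 for _, _, ok in evs if not ok)
        max_per_ip = max(Counter(ip for _, ip, _ in evs).values())
        distinct_ips = len({ip for _, ip, _ in evs})
        distinct_users = len({u for u, _, _ in evs})
        stuffing = (
            attempts >= 4 * baseline_per_minute
            and failures / attempts >= 0.8
            and distinct_ips >= 0.5 * attempts
            and distinct_users >= 0.5 * attempts
        )
        findings[minute] = {
            "attempts": attempts,
            "failures": failures,
            "distinct_ips": distinct_ips,
            "distinct_users": distinct_users,
            "max_attempts_per_ip": max_per_ip,
            "per_ip_lockout_triggered": max_per_ip >= per_ip_lockout,
            "credential_stuffing": stuffing,
        }
    return findings


if __name__ == "__main__":
    for minute, stats in analyse(constructed_log()).items():
        print(minute, stats)
```

In the constructed data the attack minute has 40 attempts with a maximum of one attempt per IP, so a lockout rule keyed on the source address never fires, while the volume, failure ratio and spread across accounts single the minute out immediately. In production the baseline would be learned from historical traffic rather than hard-coded, and the successful login inside a flagged window is the account to investigate first.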
Seven Security Measures Against Hackers
So how can such attacks be stopped and account takeovers and identity theft prevented? There is no single solution. Instead, companies should implement several interlocking security strategies and enforce them holistically, both in the home office and at the workplace.
1. Monitoring Of Employee Access Data
There are several free tools, websites and services that can help companies monitor digital risks. On the HaveIBeenPwned website, users can quickly and easily search for data leaks, for example by a company's email domain. Other monitoring tools scan the open, deep and dark web for exposed data and report data protection violations and current threats.
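Checking whether a password has already surfaced in a leak is the other half of monitoring access data, and it can be done without handing the password (or even its full hash) to a third party. The following is an added example, not code from the article or from HaveIBeenPwned: it implements the range-query idea used by the Pwned Passwords service (send the first five characters of the SHA-1 hash, receive all leaked hash suffixes with that prefix, compare locally) against a constructed, offline stand-in for the service response. The real endpoint is https://api.pwnedpasswords.com/range/<prefix>; the entries and counts in the sample response are constructed, except that the first suffix is the genuine SHA-1 suffix of the string "password".

```python
import hashlib

# Constructed stand-in for the service response: lines of
# "<35-hex-char SHA-1 suffix>:<number of leak occurrences>".
# Counts are constructed for this example; only the first suffix is real.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1000000\r\n"   # SHA-1("password")
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2\r\n"         # constructed
        "0000000000000000000000000000000ABCD:1\r\n"         # constructed
    ),
}


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that leaves the machine and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def local_range_lookup(prefix: str) -> str:
    """Offline replacement for the HTTP GET of /range/<prefix>.
    A networked version would fetch the same text from the real service."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def pwned_count(password: str, range_lookup=local_range_lookup) -> int:
    """Return how often the password appears in the leak data (0 = not found).
    Only the 5-character prefix is passed to the lookup; the suffix match
    happens here, so the lookup never learns which password was checked."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in range_lookup(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def reject_leaked_password(password: str, range_lookup=local_range_lookup) -> bool:
    """Policy hook for a password-change form: True means the new password
    must be rejected because it is already in circulation."""
    return pwned_count(password, range_lookup) > 0


if __name__ == "__main__":
    for pw in ("password", "a constructed passphrase not in the sample"):
        print(pw, "->", pwned_count(pw), "occurrences")
```

Wiring this into a password-change or enrollment flow is the practical use: an employee picking a password that is already on a combo list is exactly the case the credential stuffing section above describes, and rejecting it at that point removes the account from the attackers' hit list before any monitoring has to catch it.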
2. Monitoring Company Brand Names
Anyone who operates online is automatically exposed to digital risks; this applies to individual users as well as to companies. Continuous monitoring of threats to the website, social media, customer portal and online shop not only minimises the risk of account takeovers but also prevents reputational damage and brand abuse (spoof domains).
A simple form of monitoring is Google Alerts, which, if properly configured, provides useful indicators of impending ATO attempts.
3. Monitoring Of Customer Access Data
What applies to employee data also applies to the customer data of the online shop, to newsletter subscribers and to business partners. As a precaution, companies should prepare communication strategies so that affected users can be informed quickly and transparently about data leaks in an emergency.
4. Online Firewall For Web Applications
Commercial and open-source web application firewalls such as ModSecurity help identify and block attacks on access data.
5. Raise Security Awareness
Cybersecurity is every employee's job. Accordingly, companies should communicate vigorously internally about digital risks, threat actors and scams. This includes training courses that show why good password hygiene is in the users' own interest, as well as simple guidelines and best practices. In addition, it must be clear how to react in an emergency and who should be notified of incidents.
6. Monitoring Of Credential Stuffing Tools
In order to understand which security measures are effective against ATO and credential stuffing, it is necessary to know the tools and technologies used by the attackers. Credential stuffing tools have continued to evolve over the past few years. One of the most popular tools among attackers is SentryMBA, which can now bypass security controls such as CAPTCHAs.
7. Two-factor Authentication (2FA)
To create an additional barrier and slow down attackers, a further factor is added to the authentication process alongside the password. The best known are randomly generated SMS tokens sent to the user's smartphone, which, according to Google, block 100% of automated bot attacks. 96% of large-scale phishing campaigns and 76% of targeted attacks (spear phishing) can also be defused in this way. Nevertheless, SMS tokens are rightly regarded as the least secure 2FA variant, because the tokens can be intercepted on their way to the phone.
As with breaking into a house, a user account can be cracked in different ways: either you force your way in, or you look for the spare key under the doormat. Companies that want to protect their employees and customers from account takeovers do not have to hide behind a battery of passwords and security measures.
However, they shouldn't make it too easy for attackers either. The key to an effective strategy lies in finding the right balance between security and data protection on the one hand, and practicality and user-friendliness on the other.