Bad news: There are a lot of people out there who want your passwords. And there are a multitude of reasons why they want these passwords… but here’s the tl;dr: None of them are good. Let's take a look at the types of threat actors that want your passwords, why they may want them, how they can get them, and how you can minimize the impact to you should a password fall into the wrong hands.
We’ll break this down into three main groups: Nation-states, cybercriminals, and malicious insiders. You’ll find motivations vary widely between these groups but ultimately the end result is the same - getting access to sensitive data and/or systems.
Nation-States
This is the fancy cyber (and political science/international affairs) way of saying governments. They want passwords so they can get access to systems, information, or both. And they want that access so they can steal that information, set up a lasting presence in those systems, some combination of those two, or in relatively rare cases, to destroy the data and/or the system permanently. This last one can have devastating consequences, particularly if that data or system is related to critical infrastructure (think shutting down the power grid).
Cybercriminals
It’s all in the name here, folks. The “why” is easy on this one… these are financially motivated criminals who want money. Passwords give them two avenues for making it: either selling the passwords themselves (the average set of login credentials fetches about 10 dollars on the dark web) or using them to get access to accounts or systems and then generating money through one of a variety of means, including ransomware, data exfiltration and extortion, or, if it’s a financial account, draining the money from the account directly.
Malicious Insiders
While it would be an accurate application of the term, this doesn’t refer to co-workers who microwave broccoli or fish in the lunchroom. These are colleagues in your company who may be seeking to do harm to a firm by abusing access to its networks. They may want your password solely to conduct bad actions under your account - making it look like you are the culprit and complicating forensic efforts. Or they may want your password because you have access to different parts of a company network… sensitive financial information, for instance, and access to industrial control systems that could cause physical damage.
How can they get them?
There are some commonalities across these bad actors in how they may try to get your password - using commodity malware they purchase online, or buying your credentials directly from a dark web vendor who is selling them from a previous breach. There are also some distinctions between these bad actors in the methods they may use to get your password. Let’s take a look at the differences.
Nation-states have the most training and resources (i.e., people and money), so they have the greatest number of options. They will often develop their own specific malware, frequently leveraging new or unreleased software vulnerabilities, to gain access to devices or networks and exfiltrate passwords. They may also target someone directly with a well-crafted spearphishing email to get them to offer up their password unknowingly. Or they may target a service provider upstream, like a cloud service provider, to gain access to numerous accounts and credentials at the same time.
Cybercriminals, as you would expect, take a more entrepreneurial approach to the problem. Some groups will focus largely on obtaining passwords via infostealers or phishing emails and then sell these credentials on the dark web (for more on infostealers, see our blog post here). Others will use phishing kits or infostealers that other groups build and sell as a service, the same way most people would buy office software. These malware-as-a-service (MaaS) offerings are designed to make it easy for someone with minimal technical knowledge to configure and launch phishing or malware campaigns, and they feature clean user interfaces that make setting up the user’s attacks simple.
Malicious insiders have a leg up on the other types of threat actors because they generally already have access to your offices and networks. They can check your desk for written passwords or peruse shared folders on your network to see if anyone has stored any passwords on a SharePoint site or other common access area. They may also check code repositories for hard-coded passwords, all with the goal of gaining illicit access to do some sort of damage to their employer and/or co-workers.
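The same hard-coded passwords an insider could browse for are ones you can find first. As an added example (not LastPass code, and no substitute for a dedicated secret-scanning tool), here is a small scanner run over constructed source snippets that flags password-like literals and skips values that are read from the environment:

```python
import re

# Constructed sample files for illustration; not taken from any real repository.
SAMPLE_FILES = {
    "config.py": [
        "DB_HOST = 'db.internal'",
        "DB_PASSWORD = 'Summer2024!'",          # hard-coded: should be flagged
        "api_key = os.environ.get('API_KEY')",  # read from environment: fine
    ],
    "deploy.sh": [
        "#!/bin/sh",
        'export ADMIN_PASS="hunter2"',          # hard-coded: should be flagged
        "curl -u svc:Password123 https://ci.example.invalid/job",  # basic auth inline
    ],
    "README.md": [
        "Set PASSWORD in your environment before running.",  # prose, not a literal
    ],
}

# Rule 1: a password-like name assigned a quoted literal of 4+ characters.
# Rule 2: credentials passed inline to curl's -u flag.
PATTERNS = [
    ("assignment", re.compile(r"(?i)\w*(pass(word)?|pwd|secret|token)\w*\s*[=:]\s*['\"]([^'\"]{4,})['\"]")),
    ("curl-basic-auth", re.compile(r"curl\s+.*-u\s+\S+:(\S+)")),
]

# Values that come from the environment at runtime are not hard-coded secrets.
ENV_HINTS = ("os.environ", "getenv", "${", "process.env")


def scan_lines(path, lines):
    """Return one finding per line that matches a rule and is not an env lookup."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        if any(hint in line for hint in ENV_HINTS):
            continue
        for rule, pattern in PATTERNS:
            if pattern.search(line):
                findings.append({"file": path, "line": lineno, "rule": rule, "text": line.strip()})
                break
    return findings


def scan_repo(files):
    """Scan every file in a {path: [lines]} mapping and collect findings."""
    findings = []
    for path, lines in files.items():
        findings.extend(scan_lines(path, lines))
    return findings


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} [{f['rule']}] {f['text']}")
```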
How can you minimize damage?
There won’t be any surprises here… use a password manager. You only have to remember one master password, you can easily create and store complex and unique passwords for each of your accounts, and if a password gets exposed in a breach, it’s easy to generate a new one. LastPass also offers free credential monitoring to all of our customers. If you’ve elected to use dark web monitoring, our service continuously monitors a database of breached credentials and alerts you so you can take proactive action to protect yourself. Having unique passwords for your accounts also minimizes the damage in the event your credentials are exposed and limits what a bad actor can do if they get their hands on them. These days, it’s just a matter of when, not if, some of your credentials are exposed, so it’s best to be prepared for when it happens, and we can help you do that.