Referenced in popular films and television programs, “The Dark Web” has achieved what many cyber security concerns fail to do in that it has entered the public consciousness. It is generally understood that the dark web is a collection of on-line sites and marketplaces, notorious for facilitating illegal activities and harboring stolen information. The details of how this underground economy function, the various levels of sophistication of its participants, and how information ends up in these forums is less broadly understood.
The trade in compromised passwords in dark web markets is particularly damaging. Cybercriminals often exploit password leaks to access sensitive data, commit fraud or launch further attacks. Let’s explore the various ways passwords are leaked to the dark web and discuss strategies for using dark web data to protect your organization.
One of the most common ways passwords are leaked to the dark web is through data breaches. Cybercriminals target organizations and gain unauthorized access to their systems and databases. Once inside, they can steal large volumes of user data, including passwords, which are then sold or traded on the dark web. A “first party” data breach is when that breach occurs in a network you are responsible for (i.e. your company). This is typically a top-of-mind concern for security and IT professionals. However, breaches of third parties that hold information about your users can be equally damaging.
Because users often reuse passwords across multiple services, or use slight variations or formulaic passwords, these disclosures are critical. They result in threat actors gaining access to your network or SaaS services by simply logging or through brute forcing a greatly reduced key space which may go unnoticed.
Phishing attacks are another prevalent method used by cybercriminals to obtain passwords. These attacks involve sending deceptive emails, text messages, or social media messages that trick users into revealing their login credentials. Once the attacker has the victim's password, they can easily access their accounts or sell the information on the dark web.
Keyloggers and malware
Keyloggers and malware are stealthy tools used by cybercriminals to record a user's keystrokes, including passwords. These can be installed on a victim's device through malicious emails, downloads, or infected websites. This is particularly concerning in cases where the endpoints in question are not fully managed by the company.
Contractors, network devices provided by service providers, users with BYOD equipment or other semi-public or public devices users might access a cloud service from are all examples of devices which can result in loss of credentials because of malware infection - regardless of the endpoint security measures taken on company owned devices. What is particularly insidious about these infections is that, unless addressed, they continue to report current credentials up to the command-and-control services across password changes and platforms.
Sometimes, passwords are leaked to the dark web through insider threats. Disgruntled employees, contractors, or other individuals with access to sensitive information may intentionally leak passwords as an act of revenge or for financial gain.
Protecting Your Passwords: Best Practices
While the risks associated with password leaks on the dark web are real, there are steps you can take to protect your organization from being impacted by these disclosures:
- Educate users: By now it is difficult to find an organization that doesn’t have a policy and technical controls to enforce the use of strong passwords in their environment. Building on that to train users when it is acceptable to use a company provide email address for services outside the company, and that any such services must use a unique and complex password, and preferably MFA if available, is a great next step.
- Enable multi-factor authentication (MFA): MFA adds an extra layer of security by requiring additional verification methods, such as a fingerprint, a text message code, or an authentication app. These solutions are not fool proof but they do significantly raise the bar for threat actors attempting to breach accounts.
- Regularly audit your passwords: Per the latest NIST guidelines on password best practices, password strength should be tested and any account found that is unable to withstand compromise attempts be made to change the password. This should be combined with additional user education for the account owner to help them select more resilient passwords.
- Use a password manager: Password managers generate, store, and autofill complex passwords, making it easier to maintain strong, unique passwords for each of your accounts. Having an approved, standard password manager solution for your organization and training for all employees on its use can significantly improve overall password health.
- Monitor dark web data: Incorporating dark web data into your threat intelligence efforts allows you to proactively identify and evaluate the risk of disclosed credentials associated with your domain. Using automation to compare recovered data with active accounts and password values in use, taking automated action to secure at-risk accounts and remediating all exposed SaaS platform access will greatly reduce your organizations risk of account take over, data disclosure and malware infections.
Understanding the various ways passwords are leaked to the dark web, and how to mitigate the resulting risk, is essential for protecting your IT operations. By following best practices and staying vigilant, you can further safeguard your organization and its stakeholders in today's ever-evolving cyber landscape.