Tips to Protect Against Credential Theft


Summary

Understanding how to protect against credential theft is crucial in today’s digital world. Credential theft occurs when cybercriminals steal sensitive login information, such as usernames and passwords, to gain unauthorized access to accounts. Preventing these breaches requires proactive security measures to safeguard personal and organizational data.

  • Activate multi-factor authentication (MFA): Add an extra layer of security by using authentication apps or passkeys instead of relying solely on passwords.
  • Use strong, unique passwords: Avoid reusing passwords across multiple accounts and utilize a password manager to create and store complex passwords securely.
  • Stay updated and vigilant: Regularly update your devices, operating systems, and applications, and be cautious of phishing attempts, suspicious links, and unverified sources.
Summarized by AI based on LinkedIn member posts
  • Jen Easterly

    Leader | Speaker | Advisor | Optimist | Operating at the Nexus of Cybersecurity, AI & Innovation

    120,679 followers

    On 13 Nov, the Cybersecurity and Infrastructure Security Agency & the Federal Bureau of Investigation (FBI) released a statement (https://lnkd.in/ezrFy_4j) on the US government's investigation into PRC targeting of telco infrastructure: “PRC-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders. We expect our understanding of these compromises to grow as the investigation continues.”

    With the investigation ongoing, folks should take basic steps now to protect their personal communications. With gratitude to CISA's Senior Technical Advisor Bob Lord (https://lnkd.in/e-WxWiFF) consider the below steps:

    - Enable FIDO authentication or FIDO https://lnkd.in/ezzyha7t for email & social media accounts
    - Migrate off SMS MFA for all other logins. Migrate to FIDO/passkeys if you can, otherwise to an authenticator app
    - Use a password manager for all passwords. Use a strong pass phrase (https://lnkd.in/ebPpTAU5) for the vault password.
    - Set a telco PIN to reduce chances of a SIM-swap attack
    - Update the OS and all apps and turn on auto update

    Additional tips:

    1. Encrypt all text and voice communications (some options):
       - Signal works well on iPhones & Android phones.
       - iMessage is great if all your contacts are within the Apple ecosystem, though that’s limiting
       - Collaboration suites like Google Workspace or Teams can work but don’t always encrypt as you might assume. For example, Teams encrypts data point-to-point, meaning it’s decrypted on Microsoft’s servers before re-encrypting it to the recipient. If you want end-to-end encryption, there’s an option, but it’s off by default and only supports two people on the call.
       - WhatsApp might be ok for some people based on their threat model but understand metadata it keeps (https://lnkd.in/eQkP-Ety) & how it's used (https://lnkd.in/eiZmxgi4).
    2. If you use an iPhone disable these carrier-provided services that increase the attack surface:
       - Disable: Settings > Apps > Messages > Send as Text Message
       - Disable: Settings > Apps > Messages > RCS Messaging > RCS Messaging
    3. Protect DNS lookups (some options):
       - Apple iCloud Private Relay
       - Cloudflare’s 1.1.1.1 resolver
       - Quad9’s 9.9.9.9 resolver
    4. Use recent hardware: Apple (13 or newer) or Google (Pixel 6 or newer)
    5. Depending on your threat model, consider enabling Lockdown Mode on iPhones: It will disable some features, but it’s manageable

  • April Mardock  CISSP

    Chief Information Security Officer at WSIPC

    2,831 followers

    To all vendors, contractors and IT staff... this basic #cybersecurity stuff applies to ALL of us. The recent #Powerschool mayhem is a reminder of the damage a compromised contractor IT user/device can do. IT users (and IT contractors) accounts and devices often have exceptional rights and access across your organization (or multiple organizations), and could do great harm if compromised. If the device is compromised, even MFA may not be enough to stop the potential harm.

    PLEASE -

    a) IT folks and contractors need to stop browsing the web, playing games, and reading email using an account that has local administrator rights on those support devices.
    b) Make SURE any device you authorize for VPN access has appropriate controls on it, for example, it should be impossible to disable the antivirus/XDR controls, even with admin rights (we call that tamper protection). Consider prohibiting personal use devices for VPN support activities.
    c) Make sure IT and contractor support devices are set up on an aggressive patching schedule. Patch within 14 days, for both operating system and applications. If you are a developer, make sure the update hash matches the download, and PLEASE don't randomly search the web for a missing driver.
    d) Stop reusing credentials across clients, AND stop reusing administrator passwords on systems and machines. If one ring can rule them all, and the ring gets stolen, it's game over.
    e) Minimize the access to least priv for all roles. I suspect a LOT of attacker intel can be gathered from your helpdesk ticketing system. Does EVERYONE need rights to ALL the tickets? Do developers need access to ALL the databases or just a few? Do they need admin rights on ALL the servers or just run-as admin rights for certain tools?

    Yes it's more work, but the consequences of NOT limiting access have gotten a lot worse. I have a template signature document I have vendors and contractors sign when they request our zero-trust VPN. I will be modifying that template to include these explicit callouts (and probably a few more).

  • Dan Lorenc

    Software Supply Chain Security

    17,308 followers

    The recent credential stuffing attack on 23AndMe once again poses the question on how much responsibility vendors should take for the security choices of their users. Credential stuffing attacks take place when users reuse passwords across sites or services, then one password database gets leaked and attackers try to use those passwords to log in as those users across other services. These can be hard to stop as targeted attacks (attempting to compromise just a few users at a time), but not impossible! Many services write this off as a responsibility of the user - don't reuse passwords and you're immune! But site owners have steps they can take here too:

    ## Require MFA

    Like in every attack involving passwords, MFA helps dramatically. This can be expensive to roll out for service operators though, because of the increased support cost in resetting accounts for users that lose tokens.

    ## IP-based monitoring

    This is much cheaper than MFA, and can still help here! It's not perfect, but IP-based throttling can help stop large-scale credential stuffing attacks. If one IP address is repeatedly used to attempt passwords across lots of accounts, throttle it! Even better, monitor which IP address or computer/device is typically used to log in to an account. When there's a change in behavior, force the user to take a few more steps to log in (send a code over email, or ask some security questions).

    ## Proactive password-leak monitoring

    Services like haveibeenpwned provide APIs to look up password hashes to see if they've been leaked. Site owners can then warn or force users that have leaked passwords to change them.

    These techniques admittedly all rely on the service owner doing extra work, which never comes free. I hope to see these recent examples of data breaches help us all shift the conversation to a place where site operators do more of this by default.

    #credentialstuffing #23andme #mfa

  • Bojan Simic

    Co-Founder and CEO at HYPR - Creating Trust in the Identity Lifecycle

    27,883 followers

    Phishing incidents have gone up 856% in the last year and we're seeing the impact. It seems that every week there is a new ransomware or data breach that was the result of a compromised credential. As a result, identity security is top of mind for most technology and security teams. HYPR customers are proven to reduce account takeover (ATO) by more than 98%. Here is how it's done:

    1. Eliminate shareable credentials wherever possible by deploying phishing-resistant passwordless MFA across your identity stores.
    2. Implement a credential reset and enrollment process that is protected against social engineering attacks. Relying on KBA and other shareable methods is a weak link in the chain.
    3. Correlate identity data and signals across your identity silos and enforce real-time step up in the form of authentication or identity verification.

    Remember, in today's AI-enabled threat landscape, organizations must be able to not just verify accounts securely, but also identities. Stay safe out there friends!

  • Rajat Taneja

    President, Technology at Visa

    122,251 followers

    If cybercrime were its own country, it would be an $8 trillion economy, larger than almost all countries on earth. That is why job #1 for me and everyone at Visa is cyber & payment security. 24x7x365 days a year we are focused on protecting cardholders, merchants and our infrastructure. We are at the very front lines in protecting payment flows and use the most sophisticated technologies, many of which we have invented ourselves – from fingerprinting typing/mouse movements to deep inspection of every transaction in near real time. We have thousands of the best engineers in the world working on this across every major time zone, and our multiple operations command centers monitor every aspect of the payment flow and our global infrastructure. On a normal day we collect and analyze billions of data points and use the most sophisticated AI techniques to assist us in ensuring the security of the ecosystem we are so privileged to serve.

    On Cyber Monday this year, we blocked 85% more suspected fraud globally compared to last year. Our newest tools like Visa Account Attack Intelligence Score, which launched earlier this year, leverage gen AI to stop enumeration attacks even before they commence. Last year we proactively blocked $40B of suspected fraudulent transactions, and our focus on continued investment is relentless and reflected in the $11B we have spent on this over the last 5 years.

    With that said, the hackers are not resting. They are using cutting edge tools, AI and other social engineering techniques to try and scam you directly. The best way to stay protected is to be aware of these methods, remain vigilant and ensure you are practicing good cybersecurity habits:

    - Always activate every alert on all your accounts – bank, cards, emails, social media, etc.
    - Always have strong passwords, change them regularly and don’t use the same credentials on different sites. Ideally use a good password manager.
    - Activate multi-factor authentication (MFA), and better still, use authenticators from reputable companies like Microsoft, Google, or Symantec. Passkeys are another form of MFA and are supported by many organizations including Visa. Passkeys eliminate passwords and are phishing-resistant.
    - Lock down money transfers in your bank/brokerage accounts when you are not planning to transact.
    - Establish SIM PINs with your telecom providers.
    - Do not click on hyperlinks in emails and text messages from anyone unknown
    - Use a good antivirus/anti-malware on your devices
    - Keep your applications and operating system always up to date and patched
    - Always confirm legitimacy of the site you are on and it is a secure ‘s’ connection (ensure the URL begins with https://)

    As we approach peak shopping season, I encourage everyone to be aware of the latest threats and read the recent report published by Visa (link in the comments). Please stay safe and enjoy the holidays. Rest assured we will be working behind the scenes to do our part to protect you 24x7.

  • Brent Gallo - CISSP, Lead CCA

    CMMC Assessor & vCISO helping DoD contractors pass CMMC Level 2 | CEO at Hire a Cyber Pro | Helping Business Leaders Identify and Reduce Cybersecurity Risks | M.S. Cybersecurity | CISSP | More Certs | USAF Vet

    8,566 followers

    New Ransomware Tactic: Qilin Targets Chrome Credentials 🚨

    The Qilin ransomware group is escalating its attacks with a dangerous new strategy: stealing credentials directly from Google Chrome. This shift in tactics marks a concerning development in the ransomware landscape, and here’s what you need to know:

    ➜ Key Insights:

    → Credential Harvesting:
      ↳ Qilin deploys a custom stealer to collect account credentials stored in Google Chrome browsers.
      ↳ This tactic was observed by the Sophos X-Ops team during incident response engagements, highlighting an alarming change in ransomware operations.

    → Sophisticated Attack Execution:
      ↳ The attack began with Qilin gaining network access using compromised VPN credentials without multi-factor authentication (MFA).
      ↳ After an 18-day dormancy period, the attackers moved laterally, deploying PowerShell scripts to harvest credentials and ultimately encrypt data across the compromised network.

    → Widespread Impact:
      ↳ The Group Policy Objects (GPOs) applied to all machines in the domain, allowing Qilin to potentially steal credentials from every device connected to the network.
      ↳ This extensive credential theft can lead to follow-up attacks, widespread breaches, and long-lasting threats.

    → Measures to Protect Your Organization:
      ↳ Implement Multi-Factor Authentication (MFA): Add an extra layer of security to your accounts to defend against credential theft, even if initial login credentials are compromised.
      ↳ Regularly Update and Patch Systems: Ensure that all systems, especially browsers like Chrome, are up-to-date to close vulnerabilities that could be exploited by ransomware groups.
      ↳ Conduct Regular Security Audits: Assess your network security to identify potential vulnerabilities, ensuring robust defenses are in place against advanced threats.
      ↳ Adopt the Principle of Least Privilege: Restrict user access to only what is necessary to minimize the potential damage from a breach.
      ↳ Network Segmentation: Divide your network into smaller segments to limit the spread of an attack, making it easier to isolate and contain threats.

    P.S. Is your organization equipped to defend against the evolving tactics of ransomware groups like Qilin?

    ♻️ Share this post to raise awareness and 🔔 follow Brent Gallo - CISSP for more updates on cybersecurity.

    #CyberSecurity #Ransomware #ITSecurity #CredentialTheft #DataProtection #NetworkSecurity #MFA #Resilience #CyberThreats

  • Nguyen Nguyen

    CEO, Founder @ CyberArmor | Frauds/Threats Intelligence | Reverse Engineer

    7,328 followers

    🔒 It took just 48 seconds to find 8 valid accounts.

    Today, a cybercriminal shared a screenshot of OpenBullet testing 427 stolen credentials against Netflix. Within 48 seconds, 8 accounts were successfully accessed—a ~2% success rate. With 160,000 credentials left, that’s potentially 3,500 compromised accounts. While ransomware grabs headlines, account checking (credential stuffing) quietly poses a major threat to businesses—leading to account takeover, and infrastructure strain.

    🔍 Attackers use:
    * Proxies, and infected routers to evade detection
    * High-speed automation to get as much as they can
    * Credential reuse across platforms

    🛡️ Defensive strategies:
    * Velocity-based (volume) detection
    * Header and fingerprint profiling
    * Bot behavior analysis (browser behaviors)
    * Multi-stage login processes (exhaust their resources)
    * Client-side encryption
    * Reduced error messaging (stop sharing information to make their life easy).
    * Mandatory MFA (MFA doesn't fix account checking, but stops account takeover)

    Understanding Application Workflows Is Critical in Defending Against These Attacks.

    I recall a time when our only defense was a next-gen IPS. Our WAF was ineffective, and we hosted our web portal internally. The result? A DDoS attack that overwhelmed both our edge and internal systems. Writing IPS rules felt like trying to stop a flood with a grain of sand. Implementing anti-bot technology helped reduce the DDoS impact, as it added a layer of filtering—even though it could still be bypassed. Ultimately, understanding our application workflow enabled me to develop a system capable of identifying accounts that had been compromised, which helps to protect our customers.

    Organizations must treat credential stuffing as a top-tier threat. It’s fast, scalable, often goes undetected, and it works.

    #CyberSecurity #AccountTakeover #CredentialStuffing #MFA #ThreatDetection #OpenBullet #CyberThreats #Infosec #FraudPrevention
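
    Added example (not from either author): a minimal login monitor combining the "velocity-based detection" bullet above with the two checks in Dan Lorenc's "IP-based monitoring" section, run over a constructed event stream. The class, field names, thresholds and the `device` fingerprint value are assumptions; the second check exists because a per-IP counter alone is evaded by the proxy rotation mentioned above.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    ts: float      # seconds
    ip: str
    account: str
    device: str    # header/fingerprint hash, assumed to be computed upstream
    success: bool  # did the password match?


class LoginMonitor:
    def __init__(self, window=60.0, max_accounts_per_ip=5):
        self.window = window
        self.max_accounts = max_accounts_per_ip
        self.by_ip = defaultdict(deque)  # ip -> (ts, account) inside the window
        self.known = defaultdict(set)    # account -> (ip, device) pairs seen before

    def decide(self, a):
        q = self.by_ip[a.ip]
        q.append((a.ts, a.account))
        while q and q[0][0] <= a.ts - self.window:
            q.popleft()
        # Velocity check: one IP touching many distinct accounts is throttled
        # even when the password is right (that is the stuffing hit).
        if len({acct for _, acct in q}) > self.max_accounts:
            return "throttle"
        if not a.success:
            return "deny"
        # Behaviour check: correct password from an unseen IP/device pair.
        seen = self.known[a.account]
        if seen and (a.ip, a.device) not in seen:
            return "step_up"  # e.g. e-mail code; call confirm() once it passes
        seen.add((a.ip, a.device))  # first successful login sets the baseline
        return "allow"

    def confirm(self, a):
        self.known[a.account].add((a.ip, a.device))


def constructed_events():
    """Constructed sample stream using documentation IP ranges."""
    home, bot = "198.51.100.10", "203.0.113.7"
    events = [Attempt(0, home, "alice", "laptop", True)]
    events += [Attempt(100 + i, bot, f"user{i}", "hdr-x", False) for i in range(6)]
    events.append(Attempt(106, bot, "alice", "hdr-x", True))  # reused password
    events.append(Attempt(300, bot, "alice", "hdr-x", True))  # slow retry
    events.append(Attempt(310, home, "alice", "laptop", True))
    return events


def replay(events, monitor=None):
    monitor = monitor or LoginMonitor()
    return [monitor.decide(e) for e in events]


if __name__ == "__main__":
    for e, d in zip(constructed_events(), replay(constructed_events())):
        print(f"{e.ts:>5} {e.ip:<14} {e.account:<6} {d}")
```

    A production version would also need to account for shared NAT addresses and to expire idle entries, which this sketch leaves out.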

  • Christophe Van de Weyer

    President and Head of Business Unit API at Vonage

    6,232 followers

    Lawmakers in the United States are asking the Securities and Exchange Commission (SEC) questions about why the agency failed to follow best practices in #cybersecurity, after the hack of the agency’s X (formerly Twitter) account on January 9. The SEC had not activated multi-factor authentication (MFA) on their X account, which left them vulnerable to attack.

    No cybersecurity protection works 100% of the time. But MFA is a strongly protective measure that guards against the impact of any one factor, such as a password, being exposed by a hack or other intrusion. Having one or two other factors, such as receiving a one-time-passcode via SMS, and/or using an authenticator app, and/or using a passkey system, can reduce the chances of an intrusion when a single factor is exposed.

    This is especially important for government agencies around the globe, all of which are potential targets of fraud. The same goes for utility companies, hospitals, political campaigns, and more. When these and other entities are disrupted, the potential impacts on millions of people — if not billions — could be destabilizing from an economic and/or public health perspective. These critical infrastructure entities, and social media platforms, among others, have a role to play in bolstering digital security. Here are our recommendations:

    1. Organizations, including government agencies, should empower and encourage users to use MFA. It should be available and easily activated, or preferably enabled by default. Individuals, companies, media publications, and government agencies all need to use MFA.
    2. Social media platforms should provide options that can deliver authentication no matter where a person is located, and that accommodate a variety of security policies in corporate and government entities. Adding barriers to MFA, or limiting authentication options, creates more vulnerabilities and leaves accounts open to be breached.

    Protecting sensitive media and social media accounts that can have geopolitical, economic, or societal impacts if compromised should be a top priority. Learn more on:

    👉 Telesign’s verification solutions to protect customers at scale with multi-factor authentication https://lnkd.in/gAxksYHM
    👉 Telesign’s primer on multi-factor authentication: https://lnkd.in/gfK_VGxZ
