The prevalence of user IDs and passwords in everyday life is unavoidable – from email to banking to online retailers – on all sorts of connected devices.

Despite the availability of advanced capabilities like biometrics and multi-factor authentication, credentials aren’t going away anytime soon, neither will the threat associated with credential theft, as information gleaned is entirely too valuable and oftentimes too easily acquired.

Attacks targeting credentials are used equally by many threat actors – from state-sponsored advanced persistent threat (APT) groups to cyber criminals – most often via phishing campaigns. And for good reason: credential theft and reuse enable persistent access within the target environment and may appear as legitimate activity.  

Since access may be accomplished with valid credentials, it is less likely activity using these credentials will trigger an alert in a network environment, further allowing threat actors to have access to potentially sensitive data.

Given this significant threat, NTT Security selected credential theft as one of our highlighted Security Challenges for this year’s Global Threat Intelligence Report (GTIR), focusing not only on the threat itself, but looking further into the process, as well as which threat actors have been actively using various techniques in their efforts to collect credentials – and the purposes for which these stolen credentials are used.  

One observation which continued to be common during 2018 was the use of hybrid attacks. Attackers employed multi-vector attacks which include social engineering, phishing, stolen credentials, and other techniques. These can work conjunctively or perform different functions on separate parts of a network, as discussed further in the GTIR.

Credential theft is often associated with cyber criminals obtaining login credentials for banking sites – supporting the theft of account and other financial details. Our visibility identified 45% of the accounts targeted in credential theft attacks during 2018 were Microsoft O365 account credentials, followed by Google accounts, and the first financial-relevant credentials (PayPal) as the third most targeted.

Although we often associate the use of stolen credentials with direct access to resources, there are many other ways attackers can benefit from their use. Motivations vary widely as well, but NTT Security researchers categorize them, generally, three ways: access, influence and profit – described further in this year’s GTIR.

Of note during 2018, NTT Security observed a 200% increase in credential theft attacks against healthcare organizations, especially in the Americas region.

This could be due to the significant amount of personally identifiable information available in the networks of healthcare organizations, as well as mounting number of IoT devices in the industry. These provide additional avenues into a network and are often overlooked from a security standpoint.

No industry is immune, of course, though some are consistently targeted more heavily than others from year to year; this Security Challenge delves into ways certain industries can help mitigate these types of attacks – in addition to WHY they might be attacked. This Security Challenge considers a diverse list of sectors which attackers targeted for a combination of data and access.

Malicious actors combining credential theft with other types of attacks – multi-vector attacks, for instance –  increased, leading to a greater range of attack capabilities, financial gain, and persistent access to targeted systems and the parent network. Phishing attacks and malware were both highly used. In most cases, the techniques supported each other directly. 

Although malware-related attacks accounted for just 33% of overall attacks, threat actors employed keyloggers, providing additional functionality to the threat actor – and a potentially greater impact to an organization. NTT Security analysts explain the use of malware attacks in further detail in this year’s GTIR – including the fact that over 95% of all malspam related to credential theft targeted the vulnerabilities in either a Microsoft Office application or a Microsoft operating system. 

But, regardless of the method or motive, NTT Security researchers noted the most effective credential stealers were equipped with additional capabilities to ensure they spread easily, were difficult to detect, and were hard to remove.

And, as with targeted industries, targeted and source countries remained flat; NTT Security detected malspam related to credential theft from 94 countries across all regions. 

As further detailed in the GTIR, attackers continue to refine their attack patterns and intrusion sets and develop new tools. More importantly, attackers often rely on timeless and effective methods such as social engineering, deploying keyloggers, and phishing attacks

Credential theft will remain a challenge – and NTT Security, as a global organization, is looking at past and current challenges to improve the future. 

To obtain a copy of the report visit,