My password is blueSHOE3#.

Let’s just get that out of the way.

Now that you have my password, you can probably figure out my username for most sites. My work username is probably jheimerl. My Gmail might be jheimerl@gmail.com. My Facebook account is likely the same. Once you have my password for a given site, you can pretend to be me pretty easily.

You have the same access as me. You have access to my data, documents, spreadsheets, databases, email, and contact lists. If I have access to client data at work, you probably have access to that. Any actions I can take, you can now take. And, better yet, it looks like me, not like Yuri in Kiev or Jose in Rio de Janeiro.

If your access attempt is logged, my name will appear in that log. It will likely not look like hostile activity at all, just employee access – just ‘Jon doing his job’. If you can remain hidden while you investigate our network, that gives you much more time to find other access points or footholds.

Better yet, if I have administrative privileges, you have not only access but power. Potentially, power to create other users. Potentially, power to install software. Potentially, power to download your remote access toolset and even more effectively operate as me from Ukraine or Brazil (or wherever…).

You might install a keyboard logger to see what other passwords or access details you can capture. You might install a network sniffer to monitor network activity or other tool kits which allow you to extend access and take control over other systems.

All because you know those 10 characters: ‘blueSHOE3#’.

How did you get my password?

Well, this time, because I told you. So, maybe you can make me tell you.

I have performed about 20 social engineering engagements – where I called a target in an attempt to discover sensitive information, like a password. While I was able to extract sensitive information every single time, I was only able to get a user’s password in about 16 of the engagements.

That’s an 80% success rate, and I’m not even that good at it. In an environment where users can be tricked into making wire transfers of millions of dollars because they get an email, tricking users into giving up passwords is even easier.

How else can you get my password? Maybe it was clicking on that .doc attachment for a DHL receipt. I didn’t think anything of the .monster domain, and I’m not sure what malware you used. Over the past three months, over 63% of all malware observed by monitoring services for NTT Ltd. clients included some form of password grabbing capability, which highlights how much focus attackers have on passwords.

Perhaps it was Emotet, given the resurgence NTT Ltd. has observed. In the past couple of months, there have been periods where Emotet was the single most detected malware in monitored client environments. As a matter of fact, Emotet accounted for 56% of all password grabbing malware in October, with Agenttesla making up an additional 25% – so 81% of all password grabbing malware was either Emotet or Agenttesla. This makes one of them a pretty good bet.

Document names and subject lines from commonly observed phishing emails in October:

‘DHL Receipt’ or ‘DHL Express’
‘Revised Proforma Invoice’
‘Account update’
‘SCAN’
‘Wire Instructions’
‘PO’, ‘PO#’, or ‘Purchase Order’


Am I sure it was that DHL receipt? Not really. In October, about 25% of all malware was delivered via email and about 75% via browsing hostile sites. These numbers vary – and NTT Ltd. has historically observed as much as 78% of malware being delivered via email.

If it WAS an email, it could have been any number of emails. The list above shows some of the document names and subject lines from commonly observed phishing emails in October.

There is also a 75% chance I got that malware from bad browsing habits. Maybe I mistyped the address of a real site and stumbled onto a bad place. Maybe it was bad search results, a redirect, or I just went someplace I should not have gone. That’s a 75% chance I was compromised through a hostile website of yours that I may have visited.

Did you really GET my password?

In the scheme of things, it may be possible you just brute forced my password. Dictionary attacks, common passwords, or ‘guesses’ can easily be automated. In October, about 13% of brute force attacks targeted applications, and about 70% targeted user accounts hosted on operating systems. The remaining 17% mostly targeted specific devices and database accounts. Spread over any given year, brute force attacks tend to make up something on the order of 10% of all attacks globally. That’s not a huge number, but in the short term, or for specific industries, those numbers can often be significantly higher.

The industry I work in seems to matter. Manufacturing was the target of 34% of all brute force attacks during October. Technology and finance each accounted for about 10% of brute force attacks. So right now, if I were in those industries, I might worry more. That doesn’t mean other industries are immune – health care, education, and retail, as well as business and professional services, have all been highly targeted at one point or another this year.

Volumes can be problematic. Brute force attacks tend to (but don’t always) show high amounts of activity in a relatively short amount of time, so for a couple of days or a week they could account for 80 or 90% or more of hostile activity against a specific organization. September actually showed an 85% jump in brute force attacks from August volumes, before dropping back to more normal levels in October. Brute force attacks against SSH were the most common brute force attack through all of 2018.
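The burst pattern described above is what a defender can alert on. The following is an added example, not code from the article or from NTT Ltd.: a sliding-window detector over sshd log lines that flags a source with many failed logins in a short time, and flags a later successful login from that same source. The log lines, the threshold of 5 failures in 60 seconds, and the year parameter are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd auth-log lines; the IPs are from documentation ranges.
SAMPLE_LOG = """\
Oct 14 09:00:01 host sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 4001 ssh2
Oct 14 09:00:03 host sshd[102]: Failed password for root from 203.0.113.7 port 4002 ssh2
Oct 14 09:00:05 host sshd[103]: Failed password for jheimerl from 203.0.113.7 port 4003 ssh2
Oct 14 09:00:06 host sshd[104]: Failed password for jheimerl from 203.0.113.7 port 4004 ssh2
Oct 14 09:00:08 host sshd[105]: Failed password for jheimerl from 203.0.113.7 port 4005 ssh2
Oct 14 09:00:09 host sshd[106]: Accepted password for jheimerl from 203.0.113.7 port 4006 ssh2
Oct 14 09:05:00 host sshd[107]: Failed password for alice from 198.51.100.20 port 5001 ssh2
Oct 14 09:05:10 host sshd[108]: Accepted password for alice from 198.51.100.20 port 5002 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port"
)

def detect(log_text, threshold=5, window=timedelta(seconds=60), year=2018):
    """Return (alert, source_ip, user) tuples in log order."""
    failures = defaultdict(deque)  # source IP -> times of recent failures
    bursting = set()               # IPs that have crossed the threshold
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is supplied by the caller.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, user, recent = m["ip"], m["user"], failures[m["ip"]]
        while recent and ts - recent[0] > window:
            recent.popleft()       # drop failures older than the window
        if m["result"] == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in bursting:
                bursting.add(ip)
                alerts.append(("burst", ip, user))
        elif ip in bursting:
            # A valid login from a source that was just guessing passwords
            alerts.append(("success_after_burst", ip, user))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The second alert is the one that matters most: on its own, the accepted login would look like ‘Jon doing his job’.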

Of course, there is a chance that I make lazy passwords. Maybe I include my dog’s name, or my favourite football team, or my hometown. If you are good with social media, maybe you can find helpful information on my Facebook or LinkedIn account. Maybe you were able to find enough ‘clues’ that it made my password easier to guess.
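One mitigation for guessable passwords is to check a candidate password against what is publicly known about the user at the moment it is set. The following is an added example, not code from the article: it normalizes case and common character substitutions, then looks for personal tokens written forwards or backwards. The profile values other than the username are constructed, and the substitution table and the three-letter minimum are assumptions.

```python
import re

# Common substitutions folded back to letters (assumed table, not exhaustive).
LEET = str.maketrans("0134578@$!", "oieastbasi")

def normalize(text):
    """Lowercase, undo substitutions, and keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))

def personal_tokens_in(password, profile):
    """Return the profile fields whose value appears inside the password."""
    norm = normalize(password)
    hits = set()
    for field, value in profile.items():
        # Check each word of a multi-word value and the value as a whole.
        for part in value.split() + [value]:
            token = normalize(part)
            if len(token) < 3:
                continue  # very short tokens match too much by accident
            if token in norm or token[::-1] in norm:
                hits.add(field)
    return sorted(hits)

# Constructed profile: the kind of detail visible on social media.
PROFILE = {
    "username": "jheimerl",
    "dog": "Biscuit",
    "team": "Green Bay Packers",
    "hometown": "Omaha",
}

if __name__ == "__main__":
    for candidate in ("B1scu1t2019!", "P@ckers#1", "ahamO-77", "blueSHOE3#"):
        print(candidate, personal_tokens_in(candidate, PROFILE))
```

An empty result only means no personal token was found; it says nothing about whether the password is common or already exposed.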

What can you do about it?

Passwords are reality. Passwords are a known means of helping to control access. They are commonly accepted as current standard practice, even though they have limitations.

The catch is that attackers know passwords help control access to a significant amount of the data and systems we use on a regular basis. That’s why attackers want those passwords. Realistically, the best things we can do are:

Reinforce passwords with strong authentication methods where and when possible.

When we use passwords, make sure we implement and maintain good password habits. That includes using good passwords, not reusing them, and changing them appropriately.

Support passwords and access control with other good security practices – layered security, segmented networks, enforced need-to-know, and strong auditing – as well as pretty much everything else in a good security program.

By the way, no passwords were harmed in the writing of this article.