Cybercriminals use many different techniques, from phishing to brute force, to compromise users and organizations, and most security incidents share one common thread: nearly half of all successful attacks involve stolen or compromised credentials. But how are credentials stolen? Two main techniques, credential harvesting and credential stuffing, sound similar and are sometimes used interchangeably, yet they differ in how credentials are acquired and then used. This article walks through those differences and the mitigations that address each.
As the name implies, credential harvesting is the collection of username and password combinations directly from victims, typically in the following ways:
1. Phishing: Threat actors impersonate trusted individuals or organizations and manipulate the victim into clicking a link and entering their credentials on a cloned website or bogus login page.
2. Malware: Threat actors deploy malware by, for example, planting a malicious USB stick or convincing the victim (via phishing) to download a malicious attachment or application. Keyloggers record keystrokes in real time; infostealers search disks, browser profiles and cached files and exfiltrate the credentials stored there.
3. Man-in-the-Middle Attacks: A threat actor inserts themselves between two parties and intercepts what they exchange. A common example is a rogue Wi-Fi hotspot at an airport: users who connect to it and log in to sites over it unknowingly hand their credentials to the hotspot's operator. This only works against traffic that is not protected by TLS, or where the user clicks through certificate warnings, which is why the attacker usually pairs the hotspot with a captive-portal login page of their own.
Depending on the goals of the attacker, harvested credentials are operationalized in several ways:
1. Account Takeover: Attackers log in with the harvested credentials and use that access to exfiltrate data, deploy ransomware that encrypts files for financial gain, or disrupt systems.
2. Phishing Campaigns: A compromised mailbox is a trusted sender, so attackers use it to launch targeted follow-on attacks such as business email compromise or to deliver ransomware to the victim's contacts.
3. Black Market Sale: Initial access brokers (IABs) sell credentials and access methods to other cybercriminals in underground markets; billions of credentials are on sale on the dark web.
Credential stuffing casts a wider net instead of targeting specific people or organizations. Rather than phishing individual users or hacking specific platforms, threat actors start from credential lists leaked in earlier breaches, which hold millions if not billions of username and password pairs, or simply buy such lists in bulk on dark web marketplaces. They then use automated bots to replay thousands of those pairs against the login forms of unrelated websites at once. Because 84% of people reuse passwords, a credential that worked on one application or website is likely to work on others.
Credential stuffing is favored by adversaries seeking unauthorized access at scale: to steal funds or intellectual property, disrupt a business or government entity, hijack online services, or launch further attacks from the compromised accounts.
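The signature that distinguishes stuffing from ordinary failed logins is one source trying many distinct usernames, each once or twice, with almost every attempt failing. The following detector, an added example that is not from the article, runs that check over web-server or identity-provider login logs. The log format, field names and thresholds are assumptions, and the sample log lines are constructed.

```python
"""Flag credential-stuffing sources in login logs.

Stuffing looks different from brute force against one account: a single
source tries many distinct usernames, each only once or twice, and almost
every attempt fails.  This detector keys on that shape.  Log format, field
names and thresholds are assumptions made for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not real traffic); 203.0.113.0/24, 198.51.100.0/24
# and 192.0.2.0/24 are documentation address ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.7 user=amy result=FAIL
2024-05-01T10:00:01Z ip=203.0.113.7 user=ben result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.7 user=chloe result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.7 user=dan result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.7 user=erin result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.7 user=carol result=OK
2024-05-01T10:00:04Z ip=203.0.113.7 user=frank result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.7 user=gina result=FAIL
2024-05-01T10:00:05Z ip=203.0.113.7 user=hank result=FAIL
2024-05-01T10:00:05Z ip=203.0.113.7 user=iris result=FAIL
2024-05-01T10:00:06Z ip=203.0.113.7 user=jack result=FAIL
2024-05-01T10:00:06Z ip=203.0.113.7 user=kate result=FAIL
2024-05-01T10:01:10Z ip=198.51.100.4 user=bob result=FAIL
2024-05-01T10:01:20Z ip=198.51.100.4 user=bob result=FAIL
2024-05-01T10:01:30Z ip=198.51.100.4 user=bob result=FAIL
2024-05-01T10:01:40Z ip=198.51.100.4 user=bob result=FAIL
2024-05-01T10:01:50Z ip=198.51.100.4 user=bob result=FAIL
2024-05-01T10:02:00Z ip=198.51.100.4 user=bob result=OK
2024-05-01T10:02:30Z ip=192.0.2.9 user=alice result=OK
this line is malformed and must be skipped rather than crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)         # distinct usernames tried
    compromised: set = field(default_factory=set)   # usernames that logged in OK


def parse(log_text: str):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def aggregate(events):
    """Per-source counters keyed by client IP."""
    stats = defaultdict(SourceStats)
    for e in events:
        s = stats[e["ip"]]
        s.attempts += 1
        s.users.add(e["user"])
        if e["result"] == "FAIL":
            s.failures += 1
        else:
            s.compromised.add(e["user"])
    return stats


def find_stuffing_sources(log_text: str, min_attempts: int = 8,
                          min_distinct_users: int = 5, min_fail_ratio: float = 0.8):
    """Return {ip: summary} for sources that match the stuffing shape.

    A user who fails five times and then succeeds (bob) has one distinct
    username and is not flagged; that is a lockout/brute-force question.
    """
    findings = {}
    for ip, s in aggregate(parse(log_text)).items():
        fail_ratio = s.failures / s.attempts
        if (s.attempts >= min_attempts
                and len(s.users) >= min_distinct_users
                and fail_ratio >= min_fail_ratio):
            findings[ip] = {
                "attempts": s.attempts,
                "distinct_users": len(s.users),
                "fail_ratio": fail_ratio,
                "compromised": sorted(s.compromised),  # accounts to reset first
            }
    return findings


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, info)
```

Keying on the client IP is the simplest cut; real stuffing tools rotate through residential proxies, so in production the same aggregation is usually also run per user-agent or per ASN, and a global "distinct usernames per minute" rate is watched alongside it. The `compromised` list is the actionable output: those are the reused passwords that actually worked and need an immediate reset.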
Organizations must close every credential-related gap. The following security practices help:
1. Require Complex and Unique Passwords: Most credentials are guessed or stolen because users are careless with them. Passwords like "123456", "admin" and "password" are still in use, and a seven-character password falls to offline cracking in seconds. Employees too often reuse passwords across sites and share credentials with colleagues. Clamp down on these practices through security awareness programs and make password managers mandatory, so that long, unique, random passwords become the path of least resistance.
2. Use Phishing Simulations To Train Workers: One of the most common ways attackers steal credentials is by targeting employees with deceptive emails and messages, malicious links and phony login pages. Run phishing simulation programs so employees learn to recognize phishing attempts on sight and understand the many other methods attackers use to steal credentials.
3. Deploy Phishing-Resistant MFA: Multi-factor authentication stops an attacker who has acquired a valid password from logging in with it alone. But traditional MFA can itself be phished: one-time codes and push approvals can be relayed in real time by an attacker-in-the-middle page that sits between the victim and the real site, or worn down by repeated push prompts. CISA recommends phishing-resistant MFA, such as FIDO2/WebAuthn security keys or passkeys, which bind each authentication to the legitimate site's origin so that a lookalike domain cannot replay it.
4. Monitor Data Breaches Proactively: Monitor services such as haveibeenpwned.com to learn whether employee email addresses or passwords have appeared in a data leak, and reset the affected credentials when they have. If resources permit, also monitor dark web forums for leaked credentials.
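To make item 3 concrete, the following added example (not from the article or from CISA) models a real-time phishing proxy at a lookalike domain and shows why the server accepts a relayed TOTP code but rejects a relayed WebAuthn assertion. The TOTP half follows RFC 6238 with the standard library. The WebAuthn half is a deliberately simplified model: an HMAC under a per-credential secret stands in for the authenticator's public-key signature, and attestation, signature counters and rpIdHash are omitted; it keeps only the part that defeats the proxy, the browser-supplied origin inside the signed clientDataJSON. The hostnames are made up.

```python
"""Why a relayed one-time code gets accepted but a relayed WebAuthn
assertion does not.

TOTP per RFC 6238 (stdlib only).  WebAuthn is modelled: an HMAC with a
per-credential secret stands in for the authenticator's signature, which is
enough to show the origin check that makes FIDO phishing-resistant.
"""
import hashlib
import hmac
import json
import secrets
import struct

LEGIT_ORIGIN = "https://login.example.com"   # assumed real site
PHISH_ORIGIN = "https://login-example.com"   # assumed lookalike proxy


# ---- TOTP (RFC 6238: HMAC-SHA1, 30-second step, 6 digits) -----------------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    return hotp(secret, unix_time // step)


def totp_server_accepts(shared_secret: bytes, submitted: str, now: int) -> bool:
    # The server sees six digits and nothing else: no information about which
    # page the user typed them into, so a code relayed by a phishing proxy
    # inside the 30-second window is indistinguishable from a genuine one.
    return hmac.compare_digest(submitted, totp(shared_secret, now))


def relay_totp_through_phish_page(shared_secret: bytes, now: int) -> bool:
    code_typed_by_victim = totp(shared_secret, now)           # read off their phone
    return totp_server_accepts(shared_secret, code_typed_by_victim, now)


# ---- WebAuthn (simplified) ------------------------------------------------
def browser_and_authenticator_sign(cred_secret: bytes, challenge: str, page_origin: str) -> dict:
    # The *browser* writes clientDataJSON and fills in the origin of the page
    # that called navigator.credentials.get(); neither the user nor the page's
    # script can change it.  The authenticator signs over its hash.
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    sig = hmac.new(cred_secret, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "signature": sig}


def rp_verify(cred_secret: bytes, expected_challenge: str, assertion: dict):
    """Relying-party checks, in the order the WebAuthn spec lists them."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != LEGIT_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    expected_sig = hmac.new(cred_secret, hashlib.sha256(assertion["clientDataJSON"]).digest(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def webauthn_login(cred_secret: bytes, page_origin: str):
    challenge = secrets.token_urlsafe(32)                     # issued by the real RP
    # A proxy can forward the challenge to the victim unchanged, but the
    # assertion comes back stamped with the origin the victim is really on.
    assertion = browser_and_authenticator_sign(cred_secret, challenge, page_origin)
    return rp_verify(cred_secret, challenge, assertion)


def webauthn_login_with_origin_rewritten(cred_secret: bytes):
    # Attacker edits clientDataJSON to claim the legitimate origin instead.
    challenge = secrets.token_urlsafe(32)
    assertion = browser_and_authenticator_sign(cred_secret, challenge, PHISH_ORIGIN)
    cd = json.loads(assertion["clientDataJSON"])
    cd["origin"] = LEGIT_ORIGIN
    assertion["clientDataJSON"] = json.dumps(cd, sort_keys=True).encode()
    return rp_verify(cred_secret, challenge, assertion)     # signature no longer matches


if __name__ == "__main__":
    totp_secret = b"12345678901234567890"                     # RFC 6238 test-vector seed
    print("relayed TOTP accepted:", relay_totp_through_phish_page(totp_secret, 59))
    cred = secrets.token_bytes(32)
    print("WebAuthn from real site:", webauthn_login(cred, LEGIT_ORIGIN))
    print("WebAuthn via phish proxy:", webauthn_login(cred, PHISH_ORIGIN))
    print("WebAuthn, origin rewritten:", webauthn_login_with_origin_rewritten(cred))
```

The two failure paths are the point: the proxy either relays the assertion unchanged and fails the origin check, or rewrites the origin and fails the signature check, because the origin is inside the data the authenticator signed. A six-digit code carries neither the origin nor a signature, so the server has nothing to check it against.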
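Items 1 and 4 can be enforced at the point a password is chosen rather than only audited afterwards. The added example below (not from the article or from Have I Been Pwned) implements the Pwned Passwords k-anonymity range query: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to `https://api.pwnedpasswords.com/range/`, and matches the remaining 35 characters locally against the returned `suffix:count` lines, so the password never leaves the machine. The fetch function is injectable, and the range response used in the offline run is constructed with invented counts.

```python
"""Check a password against Have I Been Pwned's Pwned Passwords corpus
without sending the password (k-anonymity range query).

Protocol: GET https://api.pwnedpasswords.com/range/<first 5 hex of SHA-1>;
the body is one line per hash in that bucket, "<remaining 35 hex>:<count>".
fetch_range is injectable so the same logic runs offline against a
constructed response.
"""
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fetch_range_http(prefix: str) -> str:
    # Add-Padding asks HIBP to pad the bucket with dummy ":0" entries so that
    # response size does not leak which prefix was requested.
    req = urllib.request.Request(
        API + prefix,
        headers={"User-Agent": "pwned-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(body: str) -> dict:
    """Map 35-hex-char suffix -> breach count; ignore anything malformed."""
    counts = {}
    for line in body.splitlines():
        if ":" not in line:
            continue
        suffix, count = line.strip().split(":", 1)
        if len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range=fetch_range_http) -> int:
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    # Padding entries carry count 0, so .get(..., 0) treats them as absent.
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def password_acceptable(password: str, fetch_range=fetch_range_http,
                        min_len: int = 12) -> bool:
    """Signup/reset policy: long enough and never seen in a known breach."""
    return len(password) >= min_len and pwned_count(password, fetch_range) == 0


# Constructed stand-in for the range response for prefix 5BAA6, the bucket
# holding SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.
# Counts are invented; the last line imitates a padding entry.
FAKE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2C4D6E8A0B2C4D6E8A0B2C4D6E8A0B2C4:0
"""


def offline_fetch(prefix: str) -> str:
    """Offline replacement for fetch_range_http using the constructed bucket."""
    return FAKE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    print("'password' seen", pwned_count("password", offline_fetch), "times")
    print("acceptable:", password_acceptable("correct-horse-battery-staple-9Q", offline_fetch))
```

Swap `offline_fetch` for the default `fetch_range_http` to query the live service; the only thing transmitted is the five-character prefix, which matches hundreds of unrelated hashes, so the service learns nothing about the password itself. The same check works on an identity provider's password-change hook, which is where it stops reused breached passwords before a stuffing bot can try them.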
Credentials are the foundation of security: if they are leaked or stolen, the keys to your kingdom are gone. User education is crucial because most incidents begin with one person skipping a security step, but controls such as phishing-resistant MFA and breach monitoring are what catch the cases education misses.