- 141% increase in compromised credentials detected in North America during Blueliv quarterly analysis
- Fewer compromised European and Asian credentials detected over same period (22% and 36% decreases respectively)
- LokiPWS malware family distribution continues to increase faster than Pony this quarter
09 October 2018 – Barcelona, Spain – Blueliv, a leading European enterprise-class cyberthreat intelligence company, today releases its latest quarterly credential theft analysis, following the initial release of its report on The Credential Theft Ecosystem in June 2018. According to Blueliv’s credential detection data, compromised credentials retrieved from botnets geolocated to North America have risen by 141% quarter-over-quarter (June to August 2018 compared with March to May 2018). Meanwhile, Blueliv has observed that Europe and Russia saw a decrease of 22%, while compromised credentials geolocated to Asian countries dropped by 36%. These trends in cybercriminal success rates suggest that there were some profitable campaigns in the North American region over the summer quarter.
However, despite an overall decrease in the European and Asian regions over the three months, some curious statistics emerged between July and August. Month to month there was a steep drop in geolocated credentials detected from Europe and Russia (33% decrease), against a sharp rise in Asia over the same period (77% increase). Blueliv’s observations suggest that a sizable botnet was taken down in Europe, while a campaign focusing on several countries in Asia was thriving.
Daniel Solís, CEO and founder of Blueliv, said, “All it takes is a single good credential for a threat actor to gain access to an organization and cause havoc. We are observing a booming market for credential theft, and the latest statistics show that this sort of cybercrime is a truly global enterprise. By understanding the lifecycle of the compromised credential, CISOs seeking to protect their business and analysts looking for IOCs gain valuable information to shrink their attack surface.”
LokiPWS continues to thrive
The May report observed some interesting trends in the malware families being used to harvest these credentials. Pony, KeyBase and LokiPWS (also known as Loki Bot) were consistently the most active, but Pony has always been several lengths ahead of its counterparts in terms of popularity. In May, LokiPWS malware distribution had increased by more than 300% over the past year. Now, LokiPWS samples have almost doubled again, with a 91% increase quarter over quarter.
Daniel Solís continued, “Our analysts have been following the development of a huge variety of malware families. Source code leaks of different versions of LokiPWS in recent years have probably influenced its increase in usage as a credential stealer, but this does not mean that we should discount the likes of Pony, Emotet, KeyBase and AZORult, which continue to be disturbingly effective around the world.”
LokiPWS can act both as a loader for other malware and as a password and cryptowallet stealer. It is available from a variety of underground markets as a modular product, with prices ranging between $200 and $300 depending on the desired functionality.
The Credential Theft Ecosystem report covers in depth:
- Illicit tactics, techniques and procedures (TTPs) used by cybercriminals to gather credentials;
- Why credentials are targeted, how they’re used and their value in illegal marketplaces;
- Methods used to filter, extract and validate credentials;
- The ways criminals profit from credential theft and how various industries are affected.
This intelligence is part of an ongoing effort to share practical guidance, helping security teams of all sizes access relevant information, act on it and improve their security posture. Socializing cybersecurity means encouraging parity and fighting cybercrime collaboratively and more effectively.