It is too easy to find enterprise logins on the Dark Web

Anomali Labs analyzed attacks against the reputation of FTSE 100 companies, highlighting the availability on the Dark Web of employees’ data.

Brand spoofing is an illegal practice that causes damage to companies worldwide: crooks clone legitimate websites in an attempt to trick users into supplying confidential data.

The Anomali Labs security firm published a report titled “The FTSE 100: Targeted Brand Attacks and Mass Credential Exposures” that analyzes the cyber attacks on the companies’ brand focusing on FTSE 100 firms.

“The focus of this report is to look at the Financial Times Stock Exchange 100 (FTSE 100 Index) to identify suspicious domain registrations and potentially compromised accounts that could be used as part of an attack,” states the report.

The study revealed that 81 companies in the FTSE 100 had potentially malicious domain registrations against them in the past three months. The total number of registered malicious domain names detected is 527, which means an average of five domains per company.

The sectors most impacted by this kind of illegal practice are Financial Services (376 malicious domain registrations), Retail (175) and Critical Infrastructure (75).

Analyzing the suspicious domain registrations by country, the experts noticed that most were registered using a Chinese address, followed by the US and Panama.

Threat actors in the wild use bogus domains as part of fraud schemes that leverage social engineering to trick victims into entering their personal information, or into visiting domains hosting exploit kits that serve malware.

The data gathered with this technique are usually sold in the underground or used in further attacks against the companies.

“Mass compromised credential exposures are becoming a major problem. This often occurs when websites are compromised and collected usernames and passwords are stolen and either published or sold.” continues the report. “It is a problem because the vast majority of users reuse passwords across many sites, and many companies still do not have universal adoption of multi-factor authentication. There are a lot of employees that use their work email and password on sites outside of their work. Many of the sites they go to off-hours were likely compromised in a way that allowed the credentials to end up on the dark web.”

Experts from Anomali have found 5,275 employee email and clear text password combinations from FTSE 100 companies available on the Dark Web, on crime forums, on paste sites, or posted through accidental exposure.

The data is alarming if we consider that an average of 50 employees for each FTSE 100 company have had their credentials exposed online.

“The list includes not only included companies with headquarters in the UK, but also any global subsidiary of those companies.” states the report. “The Oil and Gas vertical accounted for nearly 20% with 1,090 accounts”

Experts pointed out employees’ bad habit of visiting non-work-related sites that have then been hacked. This is the case of a major UK-based football website that suffered a data breach in April, after which its data was leaked on the Dark Web.

Anomali estimated that 40 corporate credentials across 23 companies were exposed in this security breach.

“Employees need to be reminded of the dangers of surfing to these types of websites and logging in using corporate email addresses and passwords.  Companies should monitor for compromised employee credentials so they can force reset accounts and gather metrics about how often employees are using their work email addresses for access to non-work related websites,” states Anomali.
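The monitoring Anomali recommends can be sketched as follows. This is an added example, not code from the report or from Anomali: it triages leak records for corporate addresses, builds the force-reset list, and counts exposures per source. The corporate domains, source names and `email:password` records are constructed for illustration.

```python
from collections import defaultdict

# Assumption: domains owned by the company and its subsidiaries (hypothetical).
CORPORATE_DOMAINS = {"example-corp.co.uk", "example-energy.com"}

# Constructed sample records: (leak source, "email:password" line).
SAMPLE_LEAK = [
    ("football-site-breach", "J.Smith@Example-Corp.co.uk:Summer2017"),
    ("football-site-breach", "fan99@gmail.com:hunter2"),
    ("paste-site", "j.smith@example-corp.co.uk:Summer2017"),
    ("paste-site", "a.jones@mail.example-energy.com:pa:ss:word"),
    ("crime-forum", "not-a-credential-line"),
    ("crime-forum", "b.lee@notexample-corp.co.uk:letmein"),
]

def corporate_domain(email):
    """Return the matching corporate domain for an address, or None."""
    local, sep, domain = email.strip().lower().rpartition("@")
    if not sep or not local:
        return None
    for corp in CORPORATE_DOMAINS:
        # Exact match or a true subdomain; "notexample-corp.co.uk" must not match.
        if domain == corp or domain.endswith("." + corp):
            return corp
    return None

def triage(records):
    """Map each exposed corporate account to the sources it appeared in."""
    exposed = defaultdict(set)
    for source, line in records:
        # Split on the first colon only: passwords may contain colons.
        email, sep, _password = line.partition(":")
        if not sep:
            continue  # malformed line, skip it
        if corporate_domain(email):
            # Only the address and source are kept; the password is discarded.
            exposed[email.strip().lower()].add(source)
    return exposed

def metrics(exposed):
    """Count exposed corporate accounts per leak source."""
    per_source = defaultdict(int)
    for sources in exposed.values():
        for source in sources:
            per_source[source] += 1
    return dict(per_source)

if __name__ == "__main__":
    exposed = triage(SAMPLE_LEAK)
    print("Force reset:", sorted(exposed))
    print("Accounts per source:", metrics(exposed))
```

The per-source counts are the metric the quote asks for: they show which non-work sites employees signed up to with a work address.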

Pierluigi Paganini

(Security Affairs – Dark Web, Brand Spoofing)
