What you need to know about Unauthorized Access
The unauthorized and improper use of other people’s online accounts is one of the most popular fraud methods on the Internet. Cybercriminals primarily hijack access to lucrative services such as banking apps or payment services that can be sold for profit on the darknet. In addition, the compromised accounts are also misused for further attacks, for example to carry out phishing attacks on the contacts of the victim via an e-mail service.
To obtain the account credentials, attackers take advantage of the convenience of many users. Even today, a majority of Internet users use weak passwords, which are then also used multiple times across a variety of different services.
Once such a password is known, for example as a result of a data breach, it is easy for cybercriminals to locate and compromise other accounts on the Internet with these access data.
Attackers rely on automated tools to take over online accounts. These enable cybercriminals to check millions of accounts for possible vulnerabilities in a very short time and take over weakly secured accounts. Those affected often only find out about the takeover of their accounts when it is too late and abusive actions are carried out via the services.
For attacks using credential stuffing, cybercriminals rely on known credentials leaked on the net via data breaches or hacks. These user/password combinations are collectively traded as address lists with millions of credentials on the Darknet. Hackers use botnets to automatically compare the validity of credentials on a large number of platforms simultaneously. Millions of user/password combinations can be tested within a matter of hours. Confirmed credentials for active accounts are sold by cybercriminals to the highest bidder on the Darknet, or the information is used for more extensive attacks.
Unlike credential stuffing, where cybercriminals use fully leaked login credentials in order to locate vulnerable accounts on a variety of internet services, with credential cracking, the credentials are not yet completely known. Attackers may only have a user name for a particular payment account, for example. But the password is unknown. To find it, online scammers use word and password lists that contain a huge number of the most common passwords. These lists are automatically processed by bots. Once one of the tested passwords works, attackers have full access to the affected account.
Cracking passwords by brute force has, for years, been part of the standard repertoire of cybercriminals. Such brute-force attacks require powerful computer systems and automated tools, which, when used together, enable the high-speed calculation of as many solutions as possible to then decrypt the sought-after account information. The success of brute force depends largely on the strength of the passwords used and whether any additional information on the accounts is already available. If, for example, specific parts of the password or the exact number of characters are already known, this significantly lowers the number of possible combinations, making an attack easier.