Account credentials have become more valuable in the cybercrime market because they are a common initial access vector. Consequently, a single set of compromised credentials can put your company’s entire network at risk.

Of the data breaches that occurred between November 2021 and October 2022, 83% were attributed to external actors, according to the 2023 Verizon Data Breach Investigations Report. Stolen credentials were involved in 49% of those breaches.


How do threat actors compromise credentials? Social engineering ranks high among the most dangerous cybersecurity risks of 2023, and phishing, which accounts for a large share of social engineering activity, is the most common technique for obtaining login credentials. It works, and it does not cost much.

Given how sophisticated and accessible social engineering and phishing have become, credential theft should be a top priority for every firm unless a more pressing security issue demands attention.

The evolution of phishing

Threat actors are expanding their phishing and social engineering tactics beyond email:

Phishing campaigns now run in several stages across multiple channels. Threat actors use not only email but also SMS and voicemail to lure victims to malicious websites, and then follow up with a phone call to keep the victim engaged.

Criminals are making a concerted effort to compromise mobile devices. Social engineering that deceives users across many apps opens the door to credential compromise. In the first three months of 2022, half of all endpoints received at least one phishing attempt.

AI plays a growing role. Threat actors use it to make phishing content more convincing and to launch attacks at greater scale. AI can craft personalized phishing messages from research on the victim and then fine-tune them to look more legitimate, which improves their success rate.

PhaaS leads to compromised credentials.

The effort required to start stealing credentials remains very low. Phishing has become a lucrative industry as more threat actors contract out the specialized work through the phishing-as-a-service (PhaaS) model. Even complete amateurs in IT security can buy phishing kits on underground forums and run their own attacks.

PhaaS operates much like a legitimate SaaS business: the kits only work with a valid license, and several subscription tiers are available.

Modern phishing techniques are being used to attack Microsoft 365 accounts.

Cybercriminals’ methods

W3LL’s BEC phishing network brought to light

For the last six years, the W3LL Store has been the underground marketplace for threat actor W3LL’s custom phishing kit, the W3LL Panel. Built to get around multi-factor authentication (MFA), it is among the most sophisticated phishing tools available on the dark web.

Of 56,000 targeted corporate Microsoft 365 business email accounts, at least 8,000 were compromised with the kit between October 2022 and July 2023. W3LL also sells a variety of assets, including victim email lists, compromised email accounts, virtual private network (VPN) accounts, hijacked websites and services, and customized phishing lures. The W3LL Store earned an estimated half a million dollars in the past ten months.

The Greatness phishing kit streamlines BEC

Since its release in November 2022, Greatness has seen two surges in activity, one in December 2022 and another in March 2023. Like the W3LL Panel, it can bypass multi-factor authentication; it also offers IP filtering and Telegram bot integration.

Phishing emails are the first point of contact and lead victims to fake Microsoft 365 login pages with their email addresses already filled in. Greatness acts as an adversary in the middle: it opens a connection to Microsoft 365 and, once the victim enters their password, prompts them for their MFA code on a counterfeit page. The kit forwards the code to the attacker’s Telegram channel, and the attacker uses it, together with the password, to sign in to the legitimate account. An API key is required to set up and deploy the Greatness kit.
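To make the relay concrete, here is an added Python simulation that is not part of the original post or of either kit. It models the code relay described above against a toy service that uses password plus TOTP, and contrasts it with a toy origin-bound second factor in the spirit of WebAuthn, where the signed client data records the origin of the page the browser is actually on. The service names, usernames, secrets, and the HMAC used in place of a real ECDSA signature are all assumptions for the example.

```python
import hashlib
import hmac
import json
import secrets
import struct


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the code an authenticator app shows the victim."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpService:
    """Toy relying party: password + TOTP. It checks the code, not where it was typed."""

    def __init__(self, users: dict):
        self.users = users  # username -> (password, totp_secret); constructed test data

    def login(self, username: str, password: str, code: str, now: int) -> bool:
        stored_pw, secret = self.users[username]
        return hmac.compare_digest(stored_pw, password) and hmac.compare_digest(code, totp(secret, now))


def relay_otp_login(service: OtpService, username: str, password: str, secret: bytes, now: int) -> bool:
    """Adversary-in-the-middle relay as described in the text: the victim types their password
    and the code from their app into the phishing page; the kit forwards both to the real
    service inside the same 30-second step."""
    code_typed_by_victim = totp(secret, now)
    return service.login(username, password, code_typed_by_victim, now)


class OriginBoundService:
    """Toy relying party whose second factor signs the challenge AND the page origin, in the
    spirit of WebAuthn clientDataJSON. HMAC with a shared device key is an assumption standing
    in for the real per-credential ECDSA signature."""

    def __init__(self, origin: str, users: dict):
        self.origin = origin
        self.users = users  # username -> device_key (constructed)
        self.pending = set()

    def challenge(self) -> str:
        chal = secrets.token_hex(16)
        self.pending.add(chal)
        return chal

    def login(self, username: str, client_data: dict, signature: bytes) -> bool:
        key = self.users[username]
        expected = hmac.new(key, json.dumps(client_data, sort_keys=True).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False
        if client_data.get("origin") != self.origin:
            return False  # the relayed assertion is rejected here: genuine signature, wrong origin
        if client_data.get("challenge") not in self.pending:
            return False
        self.pending.discard(client_data["challenge"])
        return True


def authenticator_sign(device_key: bytes, challenge: str, page_origin: str):
    """The browser, not the page's JavaScript, fills in the origin of the page it is really on."""
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    sig = hmac.new(device_key, json.dumps(client_data, sort_keys=True).encode(), hashlib.sha256).digest()
    return client_data, sig


def relay_origin_bound_login(service: OriginBoundService, username: str, device_key: bytes,
                             phishing_origin: str) -> bool:
    """Same relay against the origin-bound factor: the kit fetches a genuine challenge and has
    the victim's browser sign it, but the browser records the phishing site's origin."""
    chal = service.challenge()
    client_data, sig = authenticator_sign(device_key, chal, phishing_origin)
    return service.login(username, client_data, sig)


def legitimate_origin_bound_login(service: OriginBoundService, username: str, device_key: bytes) -> bool:
    chal = service.challenge()
    client_data, sig = authenticator_sign(device_key, chal, service.origin)
    return service.login(username, client_data, sig)


if __name__ == "__main__":
    now = 1_700_000_000
    secret = b"12345678901234567890"  # constructed demo secret (also the RFC 6238 test secret)
    otp_svc = OtpService({"alice": ("hunter2", secret)})
    print("OTP relay succeeds:", relay_otp_login(otp_svc, "alice", "hunter2", secret, now))
    key = b"constructed-device-key"
    rp = OriginBoundService("https://login.example.com", {"alice": key})
    print("origin-bound relay succeeds:", relay_origin_bound_login(rp, "alice", key, "https://phish.example"))
    print("origin-bound legitimate login succeeds:", legitimate_origin_bound_login(rp, "alice", key))
```

The TOTP path succeeds because a one-time code carries no information about where it was typed; anything the victim can read off a screen can be relayed within the current time step, and a push approval is no different. The origin-bound path fails on the origin check even though the signature and the challenge are genuine, which is why phishing-resistant MFA (FIDO2/WebAuthn) closes this class of bypass while OTP and push factors do not.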

The dark web where stolen passwords trade hands

Over 24 billion credentials were listed for sale on the dark web in 2022, up from 2020. The price of stolen credentials depends on the kind of account: stolen cloud account credentials go for roughly the price of a dozen donuts, whereas ING bank account logins can fetch $4,255.

Some underground forums require verification or a membership fee before granting access. Others, like the W3LL Store, admit new members only on the recommendation of existing ones.

The risk password reuse creates for end users

Users who reuse passwords across several accounts put themselves at greater risk when their credentials are stolen. Because many people, if not most, reuse passwords across personal and professional online accounts and services, threat actors are willing to pay a premium for stolen credentials.

Regardless of how strong your organization’s own security is, it is not always easy to stop the reuse of valid credentials that were stolen from another account.
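One control that does help here is to reject any password already present in a breach corpus at the moment it is set or changed, so a password leaked from some other service cannot be brought into your environment. The added Python example below is not part of the original post; it implements the k-anonymity range lookup used by the Pwned Passwords service (only the first five characters of the SHA-1 hash leave the client, and the suffix is matched locally), but runs against a constructed local range table instead of the network, and the breach counts in that table are made up.

```python
import hashlib
import secrets

# Constructed stand-in for the "range" responses of a k-anonymity breach-lookup service:
# for a 5-character SHA-1 prefix, every matching 35-character suffix with its breach count.
# The counts are made up for this example; the first suffix is the real SHA-1 of "password".
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "1E4D0F0A33A2F0E5A4D1B3C2D1E0F9A8B7C:2\r\n"
    ),
}


def sha1_hex_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str):
    """Only the 5-character prefix is ever sent anywhere; the suffix stays on the client."""
    h = sha1_hex_upper(password)
    return h[:5], h[5:]


def fetch_range_offline(prefix: str) -> str:
    """Local lookup used in place of an HTTP GET to the range endpoint (constructed data)."""
    return SAMPLE_RANGES.get(prefix, "")


def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates blank lines and CRLF endings."""
    counts = {}
    for line in body.splitlines():
        if not line.strip():
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip().upper()] = int(count.strip())
    return counts


def breach_count(password: str, fetch_range=fetch_range_offline) -> int:
    """How many times the password appears in the corpus (0 if never seen)."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def accept_new_password(password: str, min_len: int = 12, fetch_range=fetch_range_offline):
    """Policy check at set/change time. Returns (accepted, reason).

    A breached password is rejected first, whatever its length or 'complexity'; the length
    floor is a secondary check. Composition rules are deliberately absent."""
    n = breach_count(password, fetch_range)
    if n:
        return False, f"seen in {n} breaches"
    if len(password) < min_len:
        return False, "too short"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", secrets.token_urlsafe(24)):
        print(repr(candidate), "->", accept_new_password(candidate))
```

In production the `fetch_range` argument would be a function that performs the HTTPS GET for the prefix; keeping it injectable means the policy can be unit-tested offline exactly as above, and the same check can be run in bulk against existing accounts when a new credential dump appears.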

Credential theft is mostly about financial gain.

Once they have access to an account, criminals can use it to distribute malware, steal data, impersonate the account owner, and carry out other forms of cybercrime. However, the criminals who steal the credentials are usually not the ones who end up using them.

Approximately 95% of breaches are financially motivated. To turn a profit, criminals sell stolen credentials on underground forums, and other criminals use them weeks or months later. Stolen credentials will continue to fuel underground markets for the foreseeable future. What is your company doing to protect user credentials?


Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.


About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.
