How Cybercriminals Conduct Credential Harvesting and How You Can Protect Yourself

Photograph of tweezers peeling a flexible circuit board off a circuit board.
Harvesting credentials?

Cybercriminals conduct credential harvesting for many reasons. They may be looking for your network’s location. They may also want to commit fraud. A 2017 Verizon report stated that over 80% of cybercrime was a result of stolen passwords! This trend of stealing credentials is on the rise.    

A lack of jobs for highly qualified IT literate personnel has led to an increase in attacks. Additionally, various technologies are allowing criminals to connect together and trade personal details. This means someone within your business can leak your data. Then, they’ll send it to malicious actors specializing in fraud or cyberattacks. This means the attackers are better hidden. The criminal’s operation will also be more streamlined.  

A bad actor can use many different tools to gain your credentials. In this article, we’ll delve into different attacks you’ll likely come across. I’ll also show you how you can protect your credentials from harvesting. First, let’s take a look at what credential harvesting is!

What Is Credential Harvesting?

Credential harvesting refers to any means that can help someone gain your login details. This can include anything from asking for user details to seeing them written down. 

But cybercriminals often target details stored in large companies’ databases. And this will maximize the criminals’ reward. Below, I’ll discuss 5 methods that cybercriminals use for credential harvesting.  

1. Social Engineering

Social engineering is one of the best ways to gain access to any data. It requires very little skill and no technical knowledge. Basically, social engineering relies on the reciprocation of trust. Even the cookie salesman at the store uses social engineering! They coerce you with a free cookie, and you feel the need to reciprocate and buy a box.

Clearly, social engineering for credential harvesting is much worse. The bad actor uses a relevant pain point to gain your confidence. They’ll claim to have a better solution for you than the traditional channels. Cybercriminals will also use time as a pressing factor. This will create a force that’ll push you to implement the bad actor’s request. 

In most cases, cybercriminals ask for your username and password directly after building trust. This can happen quickly or over time. But most importantly, social engineering should convince you of a valid reason to give away your credentials. 

Often, the user wants to solve a vexing problem. For instance, an administrator may ask for credentials to quickly fix a pressing issue. Social engineering usually happens in person, not over email. This reduces the risk of exposing a record of the fraudulent interaction.

2. Phishing

Photograph of a keylogger on a box.
Keyloggers can be very dangerous!

Phishing attacks are often email-based. A fraudulent email tricks users into providing their credentials on a link. But this link actually leads to a bad actor’s website. Alternatively, the user can click on a seemingly trustworthy link in a phishing email. But most times, the link begins downloading malware onto the user’s machine. 

Generally, this malware can relay your credentials to the cyber attacker through a remote web server. But the cyber attacker still needs to be careful even if their call-to-action works. In fact, their server location can be exposed. 

As a result, phishing servers are often located in countries that won’t take legal action against cybercriminals. In addition, the criminal bets that no one will come after them in their country of residence. And this is important because cybersecurity groups can easily find the phishing scammer’s identity. 

Prosecution is a legal black hole of paperwork and political agendas. The police can only wait until the cybercriminal sets foot in a country that allows prosecution. That said, the US has some extradition and information-gathering power for traffic going in or out of the US.    

3. Spear Phishing

Spear phishing is effectively the same as credential harvesting using a phishing attack. But in this case, the attack targets key personnel. These could be high-profile CEOs, directors, or newsworthy parties. Cybercriminals believe they could exploit these individuals using their image or reputation. This is the force the criminals exert on these individuals. In addition to high-profile users, administrators and users with high-level access to infrastructure should be wary of this attack.

4. Data Leaks

Data leaks are a big problem for companies. This is specifically the case if your company trusts third parties for data storage. Once your data is outside of your control, it’s no longer yours. You also don’t have a say in the third party’s security measures. Generally, onsite data storage is more secure. If a member of your team leaks your data, it’s easier to find who’s responsible for it. 

Greed is the motivator for this attack. Additionally, data leaks are easy to conduct for teams with access to your database. Some platforms try to encrypt your passwords to prevent this. In those cases, even admins don’t have access to this info. However, not all platforms do that. 

5. Malware

Cybercriminals can install a whole host of malware on your machine. They may even install it on the server side to collect data. In addition, attackers use contactless technology to get the user’s access card details and create clones. This can allow them to access different parts of the business on-premises. Most card systems don’t have any security. If not segmented properly, they can enable bad actors to access the internal network. Then, cybercriminals can create backdoors and fake user accounts.  

Cybercriminals often use injection attacks to add malware to user sessions and store it in flash memory. They may also install fake utility software or modified genuine software. This will help them keep persistent access to a system. Keyloggers with a web server relay are the most common form of malware for gaining credentials. Cybercriminals may also use a rubber ducky USB to install these on target machines. Alternatively, attackers may drop USBs in or around a business. Then, an unaware user will plug them in to see who they belong to. 

Bad actors also can use LAN turtles to give themselves access and install/retrieve keyloggers. If your Wi-Fi has weak security or uses outdated protocols, a cybercriminal can use a man-in-the-middle attack to install payloads.

Photoillustration of a laptop from the side with drawings of email icons flying into the screen.
Ever seen emails fly into your screen?

Certainly, these aren’t the only types of attacks possible. But the above should give you a good idea of what operations security (OPSEC) you need to focus on. 

What You Can Do to Protect Your Business

Below, you’ll find 5 methods to protect your business from different attack vectors:

  1. Train your users to identify the different credential harvesting methods. This will reduce their chances of them falling for the cybercriminals’ tricks. 
  2. Implement multi-factor authentication (MFA). Some of your users may have a lapse in judgment. If they give away their credentials, MFA will reduce the risk of cybercriminals using this info. 
  3. Switch mobile-based MFA with keyfobs. Cybercriminals can clone your mobile devices, and secure SMS won’t help if the attacker is nearby. Conversely, keyfobs have no wireless elements, so they’re impossible to replicate.
  4. Use IP and geo-filtering with your latest-generation firewall. You can block specific IP addresses and regions of the world you don’t conduct business with. Look for firewalls as a service (FWaaS) as they’re cheaper. They also protect occasional use devices that aren’t in the budget.
  5. Look for a router with a VPN. This will enable you to protect all wireless devices all the time with encryption. Any connection going through the router will have a VPN connection. This is useful if you forget to use a VPN or if your device automatically updates when you’re away from it.

Final Thoughts

To sum up, credential harvesting can take many different forms. Most people think that credential harvesting only happens through phishing. But this is incorrect. Attack vectors are diverse, and bad actors could be internal or external. Additionally, these attacks will continue to gain popularity, and the demand for your data will increase. As a result, you must always keep your guard up.

To protect your organization, raise your users’ awareness about phishing, social engineering, and malware. Where possible, implement MFA and ensure you use a keyfob if the company can afford it. Additionally, use a firewall as a service solution to protect cloud-based users. Finally, implement IP and geo-filtering to protect users from external threats. 

Do you have more questions about credential harvesting? Check out the FAQ and Resources sections below.


How can I protect my business from credential harvesting?

Train your users to identify phishing, social engineering, and malware. Ensure users don’t click the link on untrusted emails. Use a firewall as a service (FWaaS) solution to protect cloud-based users. Additionally, implement IP and geo-filtering. Implement multi-factor authentication (MFA) and use a keyfob to protect against phone cloning. 

Is credential harvesting conducted through phishing?

Often, yes. However, cybercriminals also can use other methods. For instance, they can reel you in with social engineering. They may even use exposed attack surfaces to add keyloggers to your devices. These attacks could include rubber duckies or USB drops onsite. Other cybercriminals also conduct man-in-the-middle (MIM) attacks on Wi-Fi and wireless scrapping of exposed security card systems. 

Can I use multi-factor authentication to protect against credential harvesting?

Multi-factor authentication (MFA) verifies the user’s identity. This doesn’t directly protect your credentials from theft, but it may prevent bad actors from using your info. If you use a mobile-based MFA, remember that attackers can clone or hack into your device. To this end, protect yourself with a keyfob solution

What is Spear Phishing and what makes it different from Phishing?

Spear phishing is a phishing attack directed at specific personnel within an organization. This attack is much more customized than regular phishing. For instance, cybercriminals may stalk and research their target. Then, they’ll use the information to steer away from organization-wide phishing campaigns. In fact, the attackers will create an email with a better-engineered link and a specific call to action. Conversely, phishing is often a generic attack with a much lower success rate.

Credential harvesting can happen through many attack methods. Often, cybercriminals install or inject malware into your machine’s memory. This allows them to gain your user credentials. In most cases, criminals also use a keylogger with the malware. The software will relay data to a bad actor’s server using a PHP or similar web command.  


TechGenix: Article on Different Types of Malware

Learn more about malware to help protect your business.

TechGenix: Article on Data Leaks

Discover how you can protect yourself from data leaks.

TechGenix: Article on Facebook Phishing

Find out how cybercriminals are stealing your Facebook credentials.

TechGenix: Article on Spear Phishing

Discover how cybercriminals hook you with spear phishing.

TechGenix: Article on Social Engineering

Learn about social engineering and how to protect your users.

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top