Rise of the Identity Deception Attacks

In our most recent blog posts we’ve focussed on email fraud attacks and data breaches, and a common theme throughout has been the rise of identity deception attacks. In this post we look at the most common types of identity deception attacks your organisation needs to be aware of and how strengthening your identity and access management (IAM) can help to combat them.

In a recent study completed by security professionals, these were their top identity-related concerns1;

  • 59% expansion of the user base to include non-employees
  • 43% inconvenient authentication controls ignored/subverted
  • 33% of IAM policies
  • 29% Reuse of the same passwords
  • 24% stolen credentials

Attackers are aware of this too, and are utilising techniques that exploit these concerns;

1. Credential stuffing

A form of brute force attack that exploits the fact users can find it difficult to create unique passwords across various accounts or have “password fatigue”. Many individuals have had their account credentials compromised as part of a data breach (most recent including LinkedIn, Facebook). These attacks are completed at scale by bots, giving a higher chance of your organisation falling victim to them.
Attackers will acquire credentials from a breach or password dump site, automated tools will then test these credentials across various sites. After the attacker has gained access they will then harvest data or execute the next stage of their attack.

2. Password spraying

Another form of brute force attack that relies on users using common and easy to predict passwords such as “password1”, which has appeared in data breaches over 2.3 million times2. Attackers will have a list of predictable passwords that match the complexity policy of the platform and then use the passwords across many different user accounts to help avoid being detected.

3. Man-in-the-middle attacks

Man-in-the-Middle work by intercepting network connections, often by utilising tools to imitate a legitimate wifi point (e.g. a McDonalds or Starbucks Wifi). Once they have an individual using this Wifi connection they will attempt to extract credentials by tricking the user into submitting their details through a malicious certificate, which is able to monitor all the user’s inputs.

4. Broad-based phishing campaigns

A favourite amongst cybercriminals due to its low cost and ease of deployment. With even the simplest of social engineering and a list of email addresses, a phishing attack can successfully compromise 1 out of 20 employees2.
These phishing attacks are broadly distributed and cybercriminals will wait to see which credentials are collected, using this stolen information to gain access to data or other logins to more high-value information.

5. Spear phishing campaigns

A targeted phishing attack on a high-value individual of an organisation. This requires a bit more research from the attacker to personalise the attack, but if successful the ROI can be much greater. Once an attacker has tricked a high-value target into giving their credentials they can sit within that individual’s environment for months, going unnoticed and gaining intel into their normal behaviour.
Specifically, there has been a rise in attackers impersonating Microsoft (70% of brand impersonation attacks3), in the form of password reset emails, gaining access to individual’s Outlook accounts. Once access has been gained to an email account, cybercriminals are able to leverage this to reset passwords to other portals that give access to business-critical information and possibly execute the next stage of their attack.

Preventing identity attacks

One way an organisation can prevent these kinds of identity deception attacks is to implement Multi-Factor Authentication (MFA) across applications. By requiring a second factor to access platforms that hold sensitive data, such as authenticator apps or linking a user’s login to their mobile means that even if an attacker has their credentials they will not be able to authenticate. This also stops cybercriminals from utilising credential stuffing or password spraying techniques, as stolen or weak credentials will not be successful on their own. Utilising a MFA solution that allows your organisation to implement strict MFA policies across your applications is also advised.

Organisation’s should also consider deploying a Single Sign-On (SSO) solution. SSO allows you to centralise identity and access control by;

  • Reliably integrate all your web and mobile application logins
  • Unify access for users to eliminate passwords and simplify access
  • Creating a secure directory of users
  • Gain access to real-time security reporting, with geolocation tracking by integrating with your SIEM.

To find out more about how InfoTrust can help strengthen your organisation’s identity access management contact us today on +61 2 9221 5555 or info@infotrust.com.au.


1 Okta’s Using IAM in the Age of Megabreaches
2 Okta’s 5 identity attacks that exploit your broken authentication blog
3 Agari’s Email Fraud and Identity Deception Trends Report Q1 2019

see our

Related resources