The PhishLabs Blog

Credential Theft: How To Spot a Phish

Posted by Amanda Kline on Oct 19, '17

When people think about phishing, their mind often turns immediately to ransomware. And for good reason. After all, there have been dozens of high profile ransomware attacks in recent months.

But you know what? The majority of phishing lures don’t contain ransomware at all. Instead of extorting money from you directly, they have an ulterior motive: they’re designed to steal your identity.

Well, OK. They’re designed to steal your login credentials… but in reality that isn’t far short of stealing your identity.

Here’s how it works. First, you receive an email purporting to be from your favorite social network, your bank, or some other high value organization. Naturally, the lure claims something important has happened, and that you’ll need to log in to your account immediately by clicking an embedded link.

At this point, one of two things happens.

In some cases, following the link downloads a malicious payload to your machine, which then uses a variety of techniques to steal your email credentials and any other saved logins. With those in hand, the scammer can go on to compromise all manner of web servers, websites, user accounts and company networks… the list goes on.

But there’s a second, much simpler option. Instead of fooling with complicated malware, many scammers simply encourage victims to enter their login credentials into an official-looking form on a page the scammer controls. Those credentials are harvested the moment they are submitted, and used for a variety of nefarious purposes.

And here’s the thing. Losing your login credentials is often way worse than you’d think.



Sure, it's no good to have your Facebook account hacked… but think about it. How often do you reuse the same username and password? For most people it’s not just for other social networks, but also for payment sites like PayPal, and e-commerce sites like eBay and Amazon.

Once a credential theft scam has succeeded, the harvested credentials can be replayed (“credential stuffing”) against dozens of high value accounts, netting the scammer a great deal of money. That’s if they don’t simply sell the harvested credentials on dark web markets.

The Breakdown

Primary Target(s): Individuals (mass targeting) and businesses (more focused)

Lure Volume: High

Geography: Global

Threat Actors: Organized crime and APT groups

Motivation: Mostly profit, but also to gain access to specific networks for political or industrial advantage

Lure Analysis

As is usual with phishing lures, credential theft scams typically use urgent language to compel victims to act immediately. In the example below, the victim is informed their PayPal account will be closed within 24 hours if they don’t act.

[Image: the PayPal-branded lure email warning that the account will be closed within 24 hours]

The lure brazenly uses official PayPal branding to imply authenticity, and spoofs the sender so that the message appears to come from an official PayPal address. Forging the From header is trivial, and it is only caught when the receiving mail system enforces the sending domain’s SPF, DKIM and DMARC records, which is exactly why the displayed sender alone should never be trusted.

So what, then, would happen if you were to follow the link in this email? Simply, you would be told to log in using a standard, official-looking form.

[Image: the fake PayPal login form on the phishing page]

Here’s where the process gets ingenious. Your login credentials are harvested the moment you submit the form, but things don’t stop there. If your login simply failed at this point, you might get suspicious.

To remove that risk, the phishing page passes your credentials on to the real PayPal site, and you are logged straight into your genuine account. The phisher has already kept a copy, of course: whether the kit’s own server receives the POST and relays it, or the page copies the fields out before the form submits to PayPal, the theft is complete before you ever reach the real site.

Ingenious, right? The average victim isn’t even aware they have been scammed until it’s far, far too late.


Unfortunately, credential theft scams are often very convincing. Even if you’re security savvy it’s easy to imagine falling prey to one of these emails at the end of a long day, or while checking your email late at night on a smartphone.

But falling for a credential theft scam can be devastating. If you don’t believe me, just ask Jennifer Lawrence.

So to ensure you don’t fall victim to a similar scam, here are a few techniques you can use:

Check the sender - If you receive an email claiming to be from a company you hold an account with, the first thing you should do is check the sender’s actual email address, not just the display name; many mail clients, especially on phones, show only the friendly name. It is possible to spoof legitimate company addresses, but many scammers don’t bother, so this is a useful technique to remember.

Hover over links - Before clicking a link in an email, hover your mouse over it. In most email and webmail clients, the real link address will appear after a second, making it simple to identify the majority of malicious links. On a smartphone, press and hold the link to preview its destination instead. Read the whole hostname, not just the brand name you recognise at the start of it.

If in doubt, don’t click - If you think you might be reading a scam email, don’t follow the link. Instead, open your browser yourself and type in the real address (or use a bookmark you saved earlier) for whichever account you’re trying to access.
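The three checks above, together with the sender-spoofing and form-origin points from the lure analysis, as an added worked example in Python. This is not PhishLabs code: the sample email, the landing page and the .example hostnames are constructed for illustration, and TRUSTED_DOMAINS stands in for whatever domains you actually hold accounts with.

```python
"""Triage checks for a suspected credential-theft phish (added example, not PhishLabs code)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

TRUSTED_DOMAINS = {"paypal.com"}  # assumption: the domains the recipient really holds accounts with

# Constructed sample lure modelled on the PayPal example above (not a real message).
SAMPLE_EMAIL = """\
From: "PayPal Service" <service@paypal-account-verify.example>
To: victim@example.org
Subject: Action required: your account will be limited in 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>We noticed unusual activity. Log in within 24 hours or your account will be closed.</p>
<p><a href="http://paypal.com.secure-login.example/signin">https://www.paypal.com/signin</a></p>
<p><a href="https://www.paypal.com/help">Help Center</a></p>
</body></html>
"""
# Constructed landing page: a PayPal-looking form served from the phisher's host. The
# credentials go to that host first, whatever it does with them afterwards.
SAMPLE_PAGE_URL = "http://paypal.com.secure-login.example/signin"
SAMPLE_PAGE_HTML = '<form method="post" action="/signin/submit"><input name="login_email">' \
                   '<input name="login_password" type="password"></form>'


def registered_domain(host: str) -> str:
    # Last two labels only; a real tool should use the Public Suffix List (co.uk etc.).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_trusted(host: str) -> bool:
    return registered_domain(host) in TRUSTED_DOMAINS


class HtmlScan(HTMLParser):
    """Collect (href, visible text) for <a> tags and the action of each <form>."""
    def __init__(self):
        super().__init__()
        self.links, self.forms, self._href, self._text = [], [], None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._text = a.get("href", ""), []
        elif tag == "form":
            self.forms.append(a.get("action", ""))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_sender(from_header: str) -> list:
    """'Check the sender': trusted brand in the display name, untrusted address domain."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    findings = []
    if not is_trusted(domain):
        findings.append(f"sender domain {domain!r} is not a trusted domain")
        if any(d.split(".")[0] in display.lower() for d in TRUSTED_DOMAINS):
            findings.append(f"display name {display!r} impersonates a trusted brand")
    return findings


def check_links(html: str) -> list:
    """'Hover over links': visible URL text that disagrees with the real href, and
    trusted brand names embedded in hostnames that register somewhere else."""
    scan = HtmlScan()
    scan.feed(html)
    findings = []
    for href, text in scan.links:
        host = urlparse(href).hostname or ""
        if is_trusted(host):
            continue
        shown = urlparse(text).hostname if re.match(r"https?://", text) else None
        if shown and registered_domain(shown) != registered_domain(host):
            findings.append(f"link shows {shown!r} but goes to {host!r}")
        if any(d.split(".")[0] in host for d in TRUSTED_DOMAINS):
            findings.append(f"lookalike host {host!r} registers as {registered_domain(host)!r}")
    return findings


def check_login_page(page_url: str, html: str) -> list:
    """A convincing form is only as trustworthy as the origin serving it and receiving the POST."""
    page_host = urlparse(page_url).hostname or ""
    findings = [] if is_trusted(page_host) else [f"login form served from untrusted host {page_host!r}"]
    scan = HtmlScan()
    scan.feed(html)
    for action in scan.forms:
        target = urlparse(urljoin(page_url, action)).hostname or ""
        if not is_trusted(target):
            findings.append(f"credentials would be POSTed to {target!r}")
    return findings


def triage(raw_email: str) -> dict:
    """Run the sender and link checks over one raw RFC 822 message and flag urgency wording."""
    msg = message_from_string(raw_email)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    urgent = bool(re.search(r"\b(24 hours|immediately|closed|limited|suspended)\b", body, re.I))
    return {"sender": check_sender(msg["From"]), "links": check_links(body), "urgency": urgent}
```

Import the file and call triage(SAMPLE_EMAIL): it reports two sender findings (untrusted domain, brand in the display name), two link findings (the displayed URL disagrees with the real target, and that target is a lookalike host carrying the brand name) and sets the urgency flag, while check_login_page(SAMPLE_PAGE_URL, SAMPLE_PAGE_HTML) flags that the form is both served by and submits to the phisher's host. The same form served from and posting to paypal.com produces no findings. The registered-domain helper keeps only the last two labels, so use the Public Suffix List in anything beyond a demo.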

To find out more about how to #FightBack against phishing, check out our free #CyberAware resources page.

Topics: Threat Analysis, Cyber Security Awareness Month
