The scale of identity exposure has increased significantly, with over 90% of surveyed organizations reporting an identity-related breach within the last year. These attacks have long-lasting consequences – SpyCloud’s 2024 Identity Exposure Report found that the average digital identity appears in as many as nine breaches and is associated with 15 breach records.
The escalating threat to identities has forced organizations to adopt novel approaches and tools to bolster their cyber defenses, such as passkeys. However, despite these efforts, criminals are still managing to evade these protections through sophisticated, next-generation identity attacks. Information saved by browsers, like session cookies, API tokens, or form-fill data, enables criminals to carry out these attacks and bypass traditional authentication protections to seize control of a user’s account.
To counter these evolving threats, organizations must not only broaden their understanding of what constitutes a digital identity but also adopt proactive measures to defend against emerging attack vectors.
What’s in an Identity?
A user’s digital identity is no longer limited to an email address or username plus a password. With the ever-increasing amount of data we share online, criminals have access to a growing pool of personally identifiable information (PII) to use in attacks.
SpyCloud found over 200 unique types of PII on the darknet in 2023, including birthdates, credit cards, passport details and social security numbers. User identities have expanded to include hundreds of data types, like national IDs, location information, social handles and more. Cybercriminals are leveraging the resulting datasets to dramatically increase the scope of their attack patterns.
By combining seemingly disparate data types, attackers can piece together information and perpetrate cybercrimes like identity theft, fraud, and next-generation account takeover. Our research suggests that over 74% of people exposed in breaches reused compromised passwords, increasing the likelihood that a lucky criminal strikes gold.
As our digital identities expand beyond legacy account-based credentials, our protections must shift to stay relevant to new trends.
“C is for cookie and cookie is for me.” – Cookie Monster
Another trend tied to the expanding digital identity is criminals’ use of stolen session cookies to carry out sophisticated cyber attacks. Over 20 billion cookie records were exposed on the darknet last year, with an average of more than 2,000 records stolen per malware-infected device. These cookies equip criminals with all the information they need to carry out attacks such as session hijacking, in which the criminal takes over an existing authenticated session using the stolen cookie.
These cookies are often obtained via infostealer malware. Attackers load them into so-called “anti-detect” browsers, which let them impersonate the user and bypass traditional authentication protections, especially when combined with information like the victim’s IP address and other host details. Because the attacker inherits the same rights and permissions as the legitimate user, these attacks are exceedingly difficult to detect.
Passkeys and multifactor authentication (MFA) don’t protect against these attacks—session hijacking bypasses the authentication process entirely. And even sophisticated methods of detecting anomalous behavior, like device fingerprinting, can be bypassed using criminal residential proxies and other cybercrime enablement services. With malware-driven attacks rising in popularity, organizations need to understand the threat malware poses and how to mitigate it.
Malware is Exposing Identities Like Never Before
Over 61% of data breaches in 2023 were malware-related. While information-stealing malware is not a new concept, it has never before been as accessible and feature-rich as it is today.
Infostealer malware poses a considerable threat since it can exfiltrate large volumes of high-quality data in seconds. Typically sold as malware-as-a-service, or MaaS, these stealers are often bundled with services aimed at making the malware harder to detect by antivirus and other endpoint security solutions. Evading these solutions can leave little to no trace of the intrusion on a victim’s device, and few network-based indicators to pursue. SpyCloud found that in 2023 alone, the average digital identity had a 1 in 5 chance of already being a victim of an infostealer malware infection.
The sheer volume and diversity of infostealer families active on the darknet further exacerbate the threat. More than 52 infostealer families were active on the darknet in 2023, with four entirely new families discovered in the last quarter of the year.
That said, it’s not just the scale of these attacks that poses a risk to users; it’s also the nature of the targeted data. In the current cyber landscape, safeguarding against increasingly sophisticated identity threats requires a new approach.
Next-Generation Protections
Current malware remediation strategies focus on the compromised device but neglect valuable identity data, like session cookies and other PII, that has already been exposed on the darknet. Unless that data is remediated, criminals will sell or trade it on the darknet to facilitate additional cybercrimes long after the device has been wiped.
Organizations need a robust post-infection remediation strategy that addresses and accounts for the data stolen in an attack. By proactively monitoring the darknet for compromised data, organizations get a more holistic view of their attack surface. Security teams can then invalidate exposed session cookies and force resets of other exposed data, cutting off criminals’ entry points before they can cause harm.
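Added example (not SpyCloud’s code or that of any product): a minimal server-side session store in Python showing both sides of the problem described above. A stolen cookie replays successfully with no MFA prompt, and a per-user revocation mark implements the remediation step, rejecting every session issued before the remediation time until the user re-authenticates. The user name and timestamps are constructed for the demo.

```python
import hashlib
import secrets

# Constructed example: an in-memory server-side session store. Cookies are
# opaque random tokens and the server holds the state, so a per-user
# "not_before" mark can revoke every session issued before a remediation event.
class SessionStore:
    def __init__(self):
        self._sessions = {}    # sha256(token) -> {"user": str, "issued": float}
        self._not_before = {}  # user -> timestamp; sessions issued earlier are dead

    @staticmethod
    def _key(token):
        # Store only a hash of the cookie value so a dump of this table
        # cannot itself be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user, now):
        """Called after password and MFA succeed; returns the cookie value."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {"user": user, "issued": now}
        return token

    def authenticate(self, token):
        """Resolve a presented cookie to a user, or None if unknown or revoked."""
        rec = self._sessions.get(self._key(token))
        if rec is None:
            return None
        # Reject cookies issued before the user's remediation mark even though
        # they are otherwise valid: this is what closes the hijack window.
        if rec["issued"] < self._not_before.get(rec["user"], 0.0):
            return None
        return rec["user"]

    def remediate_exposure(self, user, now):
        """Post-infection remediation: revoke every session the user holds."""
        self._not_before[user] = now

def demo():
    store = SessionStore()
    t0 = 1_700_000_000.0
    cookie = store.login("alice", t0)             # alice completes password + MFA
    # An infostealer exfiltrates the cookie; replaying it from another browser
    # yields alice's session with no new authentication step.
    hijacked = store.authenticate(cookie)
    store.remediate_exposure("alice", t0 + 7200)  # exposure surfaced on the darknet
    after = store.authenticate(cookie)            # stolen cookie is now dead
    fresh = store.login("alice", t0 + 7400)       # alice re-authenticates
    return hijacked, after, store.authenticate(fresh)
```

demo() returns ("alice", None, "alice"): the replayed cookie works until remediation, is rejected afterwards, and only a fresh login restores access.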
IT teams must prioritize solutions offering heightened visibility into security exposures stemming from malware. By shifting from a device-centric to an identity-centric malware remediation strategy, security teams can proactively mitigate the risks of infostealer malware, preserving brand reputation and companies’ bottom line.
About the Author
Trevor is the Vice President of SpyCloud Labs. Trevor served nine years in the U.S. Army and has an extensive background in federal law enforcement, tracking threat actors for both the DoD and FBI. He is a member of the Joint Ransomware Task Force and serves in an advisory capacity for multiple cybersecurity-focused non-profits. He has spoken at numerous US and international cyber conferences, holds multiple federal and industry certifications in the field of cybersecurity, and is a recipient of the President’s Volunteer Service Award for volunteer service aimed at countering cyber threats.
Trevor can be reached online at SpyCloud’s website https://spycloud.com/