- Identity-based attacks have been growing since 2023
- Crooks are using cheap malware and PhaaS platforms in attacks
- Login credentials are used in BEC campaigns
Hackers are increasingly going after employee login credentials, helped by advanced tools that are both cheap and easy to obtain, experts have warned.
This is the sentiment echoed in a new report from eSentire, which found so-called “identity-based attacks” have surged by more than twofold (156%) since 2023.
In the first quarter of 2025 alone, this type of attack accounted for more than half (59%) of all confirmed cyber-incidents.
Business email compromise
eSentire singled out two things that made the surge in identity-based attacks possible: Phishing-as-a-Service (PhaaS) platforms such as Tycoon 2FA, and cheap, readily-available infostealing malware.
Tycoon 2FA works as an Adversary-in-the-Middle (AiTM) tool, intercepting login credentials and session cookies in real time for services such as Microsoft 365 or Gmail.
Furthermore, with its own proprietary CAPTCHA algorithms it can evade automated scanners, and with obfuscated JavaScript, invisible Unicode characters, and fingerprinting it has gotten pretty good at evading detection. It costs up to $300 a month, which makes it a rather attractive addition to any threat actor’s tech stack.
Those that can’t afford it (or simply don’t want to) can go for an even cheaper option – infostealing malware that costs no more than $100, and can often be found for as low as $10. These tools extract credentials from browsers, password managers, and VPN configurations.
Crooks then use the obtained data to run Business Email Compromise (BEC) attacks. They either break into executives’ email accounts or impersonate high-ranking corporate officers, sending other employees emails that trick them into wiring money or sharing sensitive files that are later used in extortion campaigns.
eSentire recommends organizations adopt phishing-resistant MFA solutions (for example, biometrics, or hardware-based tokens), conduct continuous identity monitoring and real-time threat detection using AI-driven platforms, prioritize employee training, and implement “proactive vulnerability management” and patching protocols.
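As an added illustration (not code from eSentire, the report, or any vendor) of why the phishing-resistant MFA recommended above holds up against an AiTM relay of the kind described for Tycoon 2FA: the browser binds a WebAuthn assertion to the origin it was produced on, so an assertion generated on a lookalike relay page fails the relying party's origin check, whereas a relayed one-time code carries no such binding. The origins, challenge and seed are constructed placeholders, and the assertion signature check is omitted to keep the focus on the binding.

```python
import base64
import hashlib
import hmac
import json
import struct

# Added example, not the report's or any vendor's code. Constructed origins:
RP_ORIGIN = "https://login.example.com"         # legitimate relying party
RELAY_ORIGIN = "https://login.example-com.net"  # lookalike page the victim actually visits

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def browser_client_data(origin: str, challenge: bytes) -> str:
    """What the victim's browser emits: it fills in `origin` itself; the user cannot alter it."""
    cd = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    return b64url(json.dumps(cd).encode())

def rp_verify_client_data(client_data_b64: str, issued_challenge: bytes) -> bool:
    """Relying-party check of clientDataJSON. The signature check over
    authenticatorData || sha256(clientDataJSON) is omitted; only the binding is shown."""
    try:
        cd = json.loads(unb64url(client_data_b64))
        ok_type = isinstance(cd, dict) and cd.get("type") == "webauthn.get"
        ok_chal = ok_type and hmac.compare_digest(unb64url(cd["challenge"]), issued_challenge)
    except (ValueError, KeyError, TypeError):
        return False
    return ok_chal and cd.get("origin") == RP_ORIGIN  # a relay page fails here

def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 code: nothing in it names the site it was typed into."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 1_000_000
    return f"{code:06d}"

def relay_outcomes(challenge: bytes, secret: bytes, unix_time: int) -> tuple:
    """Attacker proxies the RP's challenge to the victim on RELAY_ORIGIN and forwards
    whatever comes back. Returns (webauthn_accepted, totp_accepted) as the RP would decide."""
    relayed_assertion = browser_client_data(RELAY_ORIGIN, challenge)
    relayed_code = totp(secret, unix_time)  # typed by the victim, forwarded verbatim
    return (rp_verify_client_data(relayed_assertion, challenge),
            hmac.compare_digest(relayed_code, totp(secret, unix_time)))
```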
Via The Register