Who needs phishing when your login's already in the wild?

Criminals used stolen credentials more frequently than email phishing to gain access into their victims' IT systems last year, marking the first time that compromised login details claimed the number two spot in Mandiant's list of most common initial infection vectors. "Credential stealers have been and are a major issue, but …

  1. tony72

    "Additionally, employees or contractors often disable [antivirus] on their personal devices so they can install unlicensed software."

    Obviously my pirating days are too far behind me, but I don't recall having to disable my antivirus in order to install unlicensed software. In fact, due to the prevalence of malware-infected software on pirate sites, it was exactly the opposite: any warez you downloaded, you'd want to scan very, very thoroughly before installing. Is this referring to people being stupid enough to disable their antivirus in order to install *infected* unlicensed software, or something else?

    1. PB90210 Silver badge

      Many big companies will lock down their PCs and only allow packages from the company portal to be downloaded and installed. This also helps with licensing.

      The downside of this is you can get stuck with out-of-date versions, missing drivers and having to fight to get permission to install that vital (licensed) copy of software that you had on your old machine.

      1. Andrew Scott Bronze badge

        PCs used to be locked down, no admin for users. Macs weren't managed back then and could install anything they wanted. Now the first user of a PC is an admin and to an extent can install anything they want, but features like antivirus are locked with group policies as are printer drivers, and Macs are managed automatically though users are managed admins. Some things like upgrading a Mac to the latest macOS are forbidden. Still, with the current versions of Windows 10, hardware-specific drivers and firmware are being updated, which can be a problem. I have seen MS insist on installing a USB driver for a docking station that didn't work and recently saw a video on YouTube where the UEFI had been overwritten by UEFI designed for a different machine. The computer wouldn't boot.

  2. Doctor Syntax Silver badge

    How often are these "stolen credentials" an email address and password pair? Email addresses are crap user IDs for anything other than the email service they were intended for. You wouldn't want a user giving away their password every time they communicate with someone so why let them give away their User ID?

    1. Eclectic Man Silver badge

      Consider the fact that if your account name is your email address, in the event that you change broadband supplier, you need to change your account name, or somehow retain that email address.

      Credentials that are also something else, such as email addresses, or in the UK your National Insurance Number (NI number) can be a problem. One of my pension funds requires me to authenticate by telling them my NI number. Another prints it on the letters it sends me (at least one of which has been intercepted by villains).

      I expect that once they have an email address and password pair, they will try that same password for every possible account that person might have that uses an email address as the account name.

      1. James O'Shea Silver badge

        And this is why I have several throwaway email accounts, used specifically on sites that don't need to know valuable accounts. And why those sites which allow me to use something other than an email get something other than an email, and I have been... creative... with some sites.

        Note that El Reg wants an email. El Reg gets a throwaway email.

        1. Eclectic Man Silver badge

          Yes indeed, but that requires a bit of thought and foresight. Sadly lacking in many cases (often including my own).

        2. Hans Neeson-Bumpsadese Silver badge

          "And this is why I have several throwaway email accounts, used specifically on sites that don't need to know valuable accounts."

          An advantage of having your own domain and a managed email service is the ability to have <anything>@yourdomain.com

          I always use an email address specific to whoever I'm dealing with: bt@mydomain.com, npower@mydomain.com, etc. Very handy for verifying the source of emails, e.g. if I get an email addressed to bt@mydomain and it's for anything other than my phone/broadband service then I can assume it's from some miscreant who has obtained my details. Also a useful stick to beat suppliers with - they're the only ones who know about the existence of a given email address so if it gets into the wild I can point to them as the leaker of data.
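
The per-supplier alias check described in the comment above, as an added example that is not part of the original thread: it flags mail that arrives on a supplier-specific alias from a sender domain that supplier does not use. The domain `mydomain.example`, the alias table and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

MY_DOMAIN = "mydomain.example"  # assumption: placeholder for the personal domain

# Assumption: hypothetical alias -> domains each supplier legitimately mails from.
EXPECTED_SENDERS = {
    "bt": {"bt.example"},
    "npower": {"npower.example"},
}

def classify(raw_message):
    """Return (alias, verdict) for one raw RFC 5322 message.

    verdict: 'expected', 'alias-leaked' (known alias, wrong sender),
    'unknown-alias' (alias never handed out) or 'not-ours'.
    """
    msg = message_from_string(raw_message)
    # From is spoofable: a match is not proof of legitimacy, a mismatch is
    # the useful signal that the alias has escaped the supplier.
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    headers = msg.get_all("To", []) + msg.get_all("Delivered-To", [])
    for _, addr in getaddresses(headers):
        local, _, domain = addr.lower().rpartition("@")
        if domain != MY_DOMAIN:
            continue
        allowed = EXPECTED_SENDERS.get(local)
        if allowed is None:
            return local, "unknown-alias"
        # Accept the supplier's domain and its subdomains, nothing that
        # merely ends with the same letters (evilbt.example does not match).
        if any(sender_domain == d or sender_domain.endswith("." + d) for d in allowed):
            return local, "expected"
        return local, "alias-leaked"
    return None, "not-ours"

# Constructed sample messages.
SAMPLES = [
    "From: Billing <bills@mail.bt.example>\nTo: bt@mydomain.example\nSubject: Your bill\n\nbody",
    "From: Prize Team <win@lottery.example>\nTo: bt@mydomain.example\nSubject: You won\n\nbody",
    "From: x@spam.example\nTo: random@mydomain.example\nSubject: hi\n\nbody",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw))
```

An `alias-leaked` verdict identifies which supplier's address has reached a third party, which is the attribution the comment describes.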

      2. Claptrap314 Silver badge

        This (and the fact that my job-hunting email address is on the domain) is why I still pay for my own personal domain. I have ALL the email addresses @mydomain.

    2. James O'Shea Silver badge

      Because it's easier and, more important, cheaper, that way.

  3. MachDiamond Silver badge

    Target of opportunity

    It makes sense that a hacking crew would target the lowest hanging fruit with so many people re-using passwords for critical things. I have a bunch of stuff that uses the same passwords, but often a different user ID. None of that is financial in nature or critical to my businesses. My banking passwords are much more complicated as well as those for my online services and those credentials are unique to each service.

    If you can find some exposed passwords along with a corresponding telephone number, you can pwn somebody a lot of the time if they're reusing their passwords.
