on October 10, 2018

North American credential theft industry records substantial quarterly increase, against declines in Europe and Asia

  • 141% increase in compromised credentials detected in North America during Blueliv quarterly analysis

  • Fewer compromised European and Asian credentials detected over same period (22% and 36% decreases respectively)

  • LokiPWS malware family distribution continues to increase faster than Pony this quarter

Our latest quarterly credential theft analysis follows the initial release of our report on The Credential Theft Ecosystem earlier this year. According to our credential detection data, compromised credentials retrieved from botnets geolocated to North America has risen by 141% quarter-over-quarter (March to May 2018 over June to August 2018).

Meanwhile, we observed that Europe and Russia saw a decrease of 22%, while compromised credentials geolocated to Asian countries dropped by 36%. These trends in cybercriminal success rates suggest that there have been some profitable campaigns in the North American region over the summer quarter.

However, despite an overall decrease in the European and Asian regions over the three months, some curious statistics emerged between the months of July and August. Month to month there was a steep drop in geolocated credentials detected from Europe and Russia (33% decrease), against a huge rise in Asia during the same period (77% increase). Blueliv observations suggest that a sizeable botnet was taken down in Europe, while a campaign focusing on different countries in Asia was thriving.

LokiPWS continues to thrive

The May report observed some interesting trends in malware families being used to harvest these credentials. Pony, KeyBase and LokiPWS (also known as Loki Bot) were consistently the most active but Pony has always been several lengths ahead of its malware counterparts in terms of popularity. In May, LokiPWS malware distribution had increased by more than 300% over past year. Now, LokiPWS samples have almost doubled again, with a 91% increase quarter over quarter.

Our analysts have been following the development of a huge variety of malware families. Source code leaks of different versions of LokiPWS in recent years have probably influenced its increase in usage as a credential stealer, but this does not mean that we should discount the likes of Pony, Emotet, KeyBase and AZORult, which continue to be disturbingly effective around the world.

LokiPWS can act as both a loader for other malware as well as a password and cryptowallet stealer. It is available from a variety of underground markets as a modular product, with prices ranging between $200-300, depending on the desired functionality.

The Credential Theft Ecosystem report covers in depth:

  • Illicit tactics, techniques and procedures (TTPs) used by cybercriminals to gather credentials;
  • Why credentials are targeted, how they’re used and their value in illegal marketplaces;
  • Methods used to filter, extract and validate credentials;
  • The ways criminals profit from credential theft and how various industries are affected.


Demo Free Trial Community