
Password Spraying: Hackers’ New Reverse-Tactic To Target Accounts

Brute-force attacks are a well-known way for attackers to hijack accounts, steal identities, abuse personal information and drain linked bank accounts: the attacker fires hundreds or thousands of password guesses at a single account until one of them works. Attackers have since turned to a related tactic that targets accounts and breaches data at both the enterprise and the personal level. What is this technique, and what danger does it pose to data security and identity protection online? Read ahead to find out.


Password Spraying: Reversing Brute Force


Password spraying is an attack in which the intruder tries one password (or a short list of very common ones) against many usernames, instead of many passwords against one username. The aim is that at least one of the targeted accounts accepts the guess; that user's information is then stolen and the access is abused further.

How Is Password Spraying Different From Brute Force?


In a brute-force attack, the attacker tries a large number of password guesses against a single username in order to break into that account for identity theft or online robbery. Modern systems, however, lock an account after a set number of wrong passwords within a short period. A lockout policy caps how many guesses an attacker can make per account, and that cap is what makes brute force against one account impractical.

Password spraying turns the process around. The attackers first collect a list of usernames, through phishing, by harvesting staff names from social profiles, or by guessing the organisation's username format. They then take one very common password and try it once against every username on the list, in the hope that at least one account accepts it. Because each account sees only one or two failures per round, and the rounds are spaced further apart than the lockout observation window, the lockout threshold is never reached.

How Is a Password Spraying Attack Carried Out?

  • First, the attackers gather as many usernames as they can. Phishing pages capture usernames (and often passwords) directly; social engineering and open-source research mean combing company websites, LinkedIn and Twitter profiles, and published staff directories for names that can be turned into usernames.
  • The password is chosen from what people commonly pick: number sequences like "12345", the current year, the company name, and common substitutions such as the underscore (_) and the at sign (@).
  • That one password is then tried against every username on the list, usually with a pause before the next password is tried. With a large enough list it is very likely that at least one account accepts it, and that user is robbed of information and personal details for misuse by the attackers.
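Why a lockout policy stops brute force but not a spray, as an added simulation that is not part of the original article: the directory, the passwords and the policy values (lockout after 3 failures within 30 minutes, counter reset on successful logon) are constructed assumptions, chosen small so the effect is visible.

```python
"""Added example, not from the original article: a simulated per-account
lockout policy, comparing a brute-force attack on one account with a
password spray across all accounts. Accounts, passwords and policy values
are constructed for the example."""
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    threshold: int = 3              # failures that trigger lockout (assumed)
    window_seconds: int = 30 * 60   # failures older than this no longer count
                                    # (cf. Windows "reset lockout counter after")


@dataclass
class Account:
    username: str
    password: str
    failures: list = field(default_factory=list)   # timestamps of recent failures
    locked_out: bool = False


class Directory:
    def __init__(self, accounts, policy):
        self.accounts = {a.username: a for a in accounts}
        self.policy = policy

    def attempt(self, username, password, now):
        """Return 'success', 'fail' or 'locked' for one login attempt at time now."""
        acct = self.accounts[username]
        if acct.locked_out:
            return "locked"
        # only failures inside the observation window count towards lockout
        acct.failures = [t for t in acct.failures
                         if now - t < self.policy.window_seconds]
        if password == acct.password:
            acct.failures.clear()          # a successful logon resets the counter
            return "success"
        acct.failures.append(now)
        if len(acct.failures) >= self.policy.threshold:
            acct.locked_out = True
            return "locked"
        return "fail"

    def locked_accounts(self):
        return sorted(a.username for a in self.accounts.values() if a.locked_out)


def build_directory(policy=None):
    """Constructed sample directory: one user picked a guessable seasonal password."""
    return Directory([
        Account("alice", "x9!QmLp2#vR"),
        Account("bob", "Tq7$eW0zLk@1"),
        Account("carol", "H3m&pX8vN!c"),
        Account("dave", "Summer2019!"),      # the weak password a sprayer will hit
        Account("erin", "zP4*kD9wQ!m"),
        Account("frank", "Rn6#vB2xY@t"),
    ], policy or LockoutPolicy())


def brute_force(directory, username, wordlist):
    """Many passwords against one account, one guess per second:
    the account locks as soon as the threshold is reached."""
    outcomes = []
    for i, pw in enumerate(wordlist):
        result = directory.attempt(username, pw, now=i)
        outcomes.append(result)
        if result in ("success", "locked"):
            break
    return outcomes


def spray(directory, passwords, round_interval):
    """One password per round against every account, rounds round_interval
    seconds apart. Returns the (username, password) pairs that succeeded."""
    compromised = []
    for rnd, pw in enumerate(passwords):
        now = rnd * round_interval
        for username in directory.accounts:
            if directory.attempt(username, pw, now) == "success":
                compromised.append((username, pw))
    return compromised


# Constructed spray list of the kind of passwords users actually pick.
COMMON_PASSWORDS = ["Password1", "Welcome1", "Summer2019!", "Company123"]

if __name__ == "__main__":
    d = build_directory()
    print("brute force on alice:", brute_force(d, "alice", COMMON_PASSWORDS),
          "locked:", d.locked_accounts())
    fast = build_directory()
    print("impatient spray:", spray(fast, COMMON_PASSWORDS, round_interval=0),
          "locked:", fast.locked_accounts())
    slow = build_directory()
    print("patient spray:", spray(slow, COMMON_PASSWORDS, round_interval=31 * 60),
          "locked:", slow.locked_accounts())
```

The brute-force run locks the target after three guesses and never gets the password. An impatient spray that runs its four rounds back to back still finds dave's password, but locks every other account, which a help desk would notice. A patient spray that waits 31 minutes between rounds (longer than the 30-minute window) finds the same password and locks nobody out; that is the variant the lockout policy is blind to, and why detection has to look across accounts rather than at one account's counter.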

A Real Threat To Enterprises


Password spraying is more dangerous for enterprises than for individual accounts. In almost every medium-to-large enterprise, e-mail addresses and usernames sit under the company's own domain; at Google, for example, every employee has an address ending in @google.com. The username format is also predictable, for example first_name.last_name@google.com, so a list of employee names found on LinkedIn converts directly into a list of valid usernames.


In such a scenario, the attackers would try a password built from a number series and the enterprise's own name. If even one account is compromised, the attackers can reach other people's information through internal e-mail and shared data files. This costs the enterprise not only its employees' information but also its confidential files and contract correspondence, which can do serious financial damage and harm its reputation in the market.

Is Password Spraying a Success for Hackers?


In March 2019, Citrix Inc., an American cloud computing and networking company, disclosed an intrusion believed to have been carried out with password spraying. The FBI had alerted Citrix to the attack, and though the intrusion was contained with the FBI's help, limiting the loss of information, the case led the FBI to investigate the technique and to issue warnings to businesses across the United States. US-CERT had already published an alert (TA18-086A, March 2018) describing how attackers conduct password spraying and how to defend against it. It has also been reported, citing the FBI, that 36 enterprises across Europe and the United States faced data breach attempts via password spraying.

It is clear, then, that the technique works for attackers and that its threat needs to be taken seriously.

How Can Password Spraying Be Detected and Prevented?


Building on the recommendations in the US-CERT alert, the following measures help detect and prevent data breaches via password spraying:

  • Use multi-factor authentication, so that a correctly guessed password on its own is not enough to log in.
  • Enforce strong passwords, ban the common ones that sprayers try first (the company name, the season and year, "Password1"), and have the IT team review the password policy with password spraying in mind.
  • Change any password that is known to be weak or exposed, and do not just tweak it: minor variations such as Spring2019! to Summer2019! are exactly the patterns a spray list contains.
  • Limit remote access to enterprise accounts, keep the number of externally reachable login portals small, and disable legacy protocols that cannot enforce MFA, since those are the portals sprayers prefer.
  • Monitor authentication logs for the spray pattern itself: many different usernames failing from the same source address within a short window, with only one or two failures per account. A per-account lockout threshold will never catch this; only a view across accounts does.
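The cross-account monitoring the last point calls for, as an added example that is not part of the original article. The log line format, the RFC 5737 documentation addresses, the usernames and the thresholds (5 distinct accounts in an hour, lockout at 5 failures) are constructed assumptions; the detector separates the spray signature (many accounts, few failures each) from a brute-force signature (one account, many failures) and ignores ordinary typos.

```python
"""Added example, not from the original article: classify source addresses
in authentication-failure logs as 'spray' or 'brute-force'. Log format,
addresses, users and thresholds are constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log format: "<ISO-8601 UTC timestamp> auth-fail user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) auth-fail user=(\S+) src=(\S+)$")

USERS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]


def _spray_round(start_minute, src):
    """Constructed helper: one failure per user, one second apart."""
    return [f"2019-03-12T10:{start_minute:02d}:{i + 1:02d}Z auth-fail user={u} src={src}"
            for i, u in enumerate(USERS)]


# Constructed sample: two spray rounds 45 minutes apart from 203.0.113.7,
# a brute force against bob from 198.51.100.5, and two typos by carol.
SAMPLE_LOG = "\n".join(
    _spray_round(0, "203.0.113.7")
    + [f"2019-03-12T10:05:{i:02d}Z auth-fail user=bob src=198.51.100.5" for i in range(6)]
    + ["2019-03-12T10:10:00Z auth-fail user=carol src=192.0.2.9",
       "2019-03-12T10:10:09Z auth-fail user=carol src=192.0.2.9"]
    + _spray_round(45, "203.0.113.7")
)


def parse(log_text):
    """Return a list of (unix_time, user, src) for every failure line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # lines in other formats are ignored
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        events.append((ts.timestamp(), m.group(2), m.group(3)))
    return events


def classify_sources(events, window_seconds=3600, min_distinct_users=5,
                     lockout_threshold=5):
    """Slide a window over each source's failures and label the source.

    spray:        >= min_distinct_users accounts, each below lockout_threshold
    brute-force:  some single account at or above lockout_threshold
    Returns {src: (label, distinct_users, total_failures, worst_per_user)},
    keeping the window with the most failures for each source.
    """
    by_src = defaultdict(list)
    for t, user, src in sorted(events):
        by_src[src].append((t, user))

    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # shrink the window so it spans at most window_seconds
            while evs[end][0] - evs[start][0] > window_seconds:
                start += 1
            per_user = defaultdict(int)
            for _, u in evs[start:end + 1]:
                per_user[u] += 1
            distinct = len(per_user)
            total = end - start + 1
            worst = max(per_user.values())
            if distinct >= min_distinct_users and worst < lockout_threshold:
                label = "spray"
            elif worst >= lockout_threshold:
                label = "brute-force"
            else:
                continue   # a couple of typos on one account is not an attack
            prev = findings.get(src)
            if prev is None or total > prev[2]:
                findings[src] = (label, distinct, total, worst)
    return findings


if __name__ == "__main__":
    for src, finding in classify_sources(parse(SAMPLE_LOG)).items():
        print(src, finding)
```

The sprayer never puts more than two failures on any account, so a lockout counter stays quiet, but the window view shows eight distinct accounts failing from one address. Keying the grouping on the source address is the simple case; a sprayer rotating through many addresses needs the same counting done per target portal or per user-agent instead, and the window and thresholds should be tuned against the organisation's own baseline of failed logins.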


Password spraying is slower than a brute-force attack on a single account and, per account, less likely to succeed. Across an enterprise directory of thousands of users, though, one weak password is usually enough. With multiple organisations already targeted this way, attackers will keep refining the technique, so it is better to deal with it while it is still in its early stages.
