Combo Lists & the Dark Web: Understanding Leaked Credentials

Gradient blue background. There is a light orange oval with the white text "BLOG" inside of it. Below it there's white text: "Combo Lists & the Dark Web: Understanding Leaked Credentials." There is white text underneath that which says "Learn More" with a light orange arrow pointing down.

In today’s interconnected, cloud-based world, user credentials are the keys that grant entry to the house that stores an organization’s digital treasure. Just as burglars pick the lock on a physical house, cybercriminals use stolen credentials to gain unauthorized access to a company’s systems and networks. Similarly, cybercriminals can purchase high volumes of stolen credentials on the dark web just like thieves can buy lockpicking tools. 

By purchasing combo lists on the dark web, malicious actors can buy all the leaked credentials necessary to perpetrate their attacks. 

What Is A Password Combo List?

A combo list is a collection of compromised usernames and their associated passwords that malicious actors use to populate their automated brute-forcing tools. As with any large dataset, combo lists have more value when they aggregate more credentials, typically incorporating data from multiple breaches. They lack a standardized format, often including both hashed and cleartext formats, and may be organized by geographic region, industry, or top-level domain.

When determining a combo list’s value, attackers focus on:

  • What service the credentials are tied to
  • How recently the credentials were stolen
  • How many breaches are combined into a single package/list

How Do Threat Actors Use Combo Lists?

Since attackers treat cybercrime as a business, they want to optimize their financial investment in combo lists by using them in different ways. 

Credential-Based Attacks

With combo lists, attackers can automate credential-based attack methods like:

  • Brute forcing
  • Password spraying
  • Credential stuffing
  • Account takeover

Using tools purchased on the dark web or other illicit forums, attackers test the stolen credentials against various websites and applications, hoping to find a match and gain unauthorized access to sensitive data. 

Since people often reuse their passwords across multiple services, this “spray and pray” approach often succeeds. Even if someone resets the password for a service that experienced a data breach, they may not have reset the password across all services. For example, someone may reuse their corporate email password to access a customer relationship management (CRM) tool, enterprise resource planning (ERP) tool, or human resources portal.  Attackers use automation to try the email credentials across critical business services. If they gain foothold access to a service, they elevate the account’s privileges, gain additional access to sensitive data, and then steal it. 

Targeted Social Engineering Attacks

Email addresses have their own unique value. Malicious actors can use the combo list to deploy social engineering attacks against the users. Since corporate email addresses include the company’s domain, they can sort the lists to send targeted phishing attacks. With a little social media research, they can find the names of:

  • Senior leadership 
  • IT team members
  • Human resources staff
  • Finance department employees

With this research and the email addresses from the combo list, they can create targeted spear phishing attacks. According to one report, response-based spear phishing attacks that request a wire transfer increased by 59% in Q3 2022 from Q2. 

Cyber Extortion 

Over the past few years, double-extortion ransomware attacks have become the predominant variant. Criminals now stage multilevel campaigns, with research noting that 63% of ransomware attacks include blackmail. With the leaked credentials contained in combo lists, malicious actors can “prove” that they system or network access and trick companies into paying them, even if they haven’t deployed a ransomware attack. 

How To Mitigate Risks Arising From Combo Lists

As with everything else in cybersecurity, protecting your organization from the risks associated with combo lists requires a multi-pronged approach across people, processes, and technologies. 

Implement and Enforce Password Best Practices

In a remote work world, your users are your first line of defense. You should be providing your employees with basic cyber awareness training that addresses the key fundamentals of a strong password or passphrase:

  • Something unique to the user
  • Something longer than 12 characters
  • A combination of letters, numbers, and special characters

Further, your training should remind people to use a unique password for each personal and professional application. 

Provide a Password Manager

According to research, the average person is expected to remember 100 passwords. Further, this number increased 25% between 2019 and 2020. To support your security initiatives, you should offer employees a password manager technology so that they can create and use secure passphrases consistently. 

Implement and enforce multi-factor authentication (MFA)

With MFA, you place an additional layer around logins. MFA is a combination of two or more of the following:

  • Something a person knows (password/passphrase)
  • Something a person has (token, device)
  • Something a person is (biometric like a fingerprint or face ID)

Linking a user’s credentials to either something they have or something they are thwarts malicious actors engaging in credential-based attacks because they can’t pass that additional security layer.

Monitor the Clear and Dark Web

While you might know that your company experienced a data breach, you may not know all the different websites and services that your employees use that experience one. Further, you may not have visibility into everywhere your employees use their corporate email address. 

To mitigate these risks, you should engage in clear and dark web monitoring to identify leaked credentials. Malicious actors sell the combo lists on the dark web. With an automated monitoring solution, you can target your searches to get alerts for your company’s primary domain and subdomains, giving you visibility into leaked data that you might not find otherwise. 

Once you find the compromised credentials, you can work with the employees who pose a risk to reset their passwords across all services. This way, you mitigate the risks arising from reused passwords. 

Flare Systems: Risk Mitigation with Automated Dark Web Monitoring

With Flare’s platform, you can implement dark and clear web monitoring strategies that mitigate risks associated with leaked credentials. Using our AI-riven data collection system, you can set search terms and get targeted alerts that reduce noise and enable more robust security. Flare’s platform reduces manual processes so that you can proactively identify leaked or stolen account credentials across dark web forums, illicit Telegram channels, and open-source repositories. 

With Flare’s wide coverage and automated monitoring, you can dramatically reduce the time and costs associated with dark and clear web monitoring while enhancing your security posture. 

Try a free trial and get started in just fifteen minutes.

Share This Article

Related Content