Unveiling the Shadows: Exploring Credential Harvesting Methods

Credential Harvesting Background 

A recent study reveals that so far in 2023, 41% of breaches have involved the use of stolen credentials. Cyber actors perceive human error as the number one threat to cybersecurity, and targeting individuals of an organization for credential harvesting is far easier than attempting to hack a technical element of an IT system. It is estimated that a total of 54% of all social engineering attacks in 2022 used a technique called ‘pretexting’ where the threat actor invents a scenario that tricks the user into giving up their credentials or performing another beneficial action to the attacker. This method is often deployed through phishing campaigns. Additionally, former employee credentials are often targeted as organizations forget to disable the accounts. This provides threat actors with an easy way to bypass security protocols and avoid detection. These methods have led to credential harvesting being one of the major attack vectors used to gain access to organizations. 

Credential Harvesting Methods 

Phishing campaigns: This method relies on a form of communication, often an email, that impersonates a legitimate organization. These pieces of communication manipulate the receiver to divulge their credentials.  

  • Quick Response (QR) code: This method is traditionally deployed using phishing emails. QR codes are less likely to been considered malicious by the victim as there are no typical indications of it being malicious like misspelling or strange URLs. Once the victim scans the QR code, they are redirected to a website that appears to be legitimate. The website then asks the unsuspecting victim to provide sensitive information including their credentials. 
  • Shadow Credentials: Shadow credentials refer to unauthorized or forgotten accounts with privileged access within an organization’s network or systems. These accounts might belong to former employees, contractors, or even legitimate users who created additional accounts for personal convenience. Often, these accounts remain dormant and unnoticed, making them prime targets for cybercriminals seeking a backdoor into an organization’s digital infrastructure. 
  • Keylogging: This method relies on the victim clicking on a malicious link that downloads a Keystroke logging malware. The malware allows the threat actor to capture the victims’ keystrokes. This allows threat actors to see what websites the victim goes to and record the usernames and passwords for those domains. This malware is typically deployed covertly, and victims are unaware of the data that is being monitored.  
  • Credential dumping: This method is carried out once a threat actor has access to your device. The threat actor traditionally targets the random access memory (RAM) that stores usernames and passwords. These credentials are often stored in hashed or encrypted formats within the operating system or application files. 
  • Credential Stuffing: This technique involves using previously stolen credentials to gain unauthorized access to other accounts. Since many people reuse passwords across multiple platforms, attackers capitalize on this behavior to compromise various accounts. 
  • Adversary-in-the-Middle (AitM) Attacks: In an AitM attack, the attacker intercepts communication between two parties without their knowledge. By doing so, the attacker can collect login credentials and other sensitive information as it is transmitted. 
  • Pharming: Pharming involves redirecting users from legitimate websites to malicious ones, where users are prompted to enter their login credentials. This can be achieved by manipulating domain name system (DNS) settings or compromising routers. 

Targeted industries 

Currently the energy industry has been the primary sector targeted. While targeting of the manufacturing, insurance, technology, and financial services industries account for 37% of the attacks. 


When it comes to bolstering digital security, several key practices stand out. One of these is strong authentication, where the implementation of multi-factor authentication (MFA) serves as an additional safeguard. Additionally, educating individuals about phishing risks and other tactics used for harvesting credentials can increase identification of suspicious emails or messages. Regular software updates and patches are also vital in keeping operating systems, software, and security applications current, reducing the potential for attackers to exploit known vulnerabilities. Secure password practices also contribute immensely to security by encouraging users to generate robust, distinct passwords for every account. Furthermore, the utilization of web filtering and antivirus software is paramount to identifying and thwarting malicious websites and files, thereby fortifying overall digital security. 

Conclusion: Falling Victim to Credential Harvesting 

The consequences of falling victim to credential harvesting can be severe. Attackers can exploit compromised accounts for financial gain, steal personal information for identity theft, or even launch further attacks by leveraging the stolen credentials as a foothold. For businesses, the fallout can include data breaches, damage to reputation, financial losses, and legal liabilities. 

Credential harvesting methods are an ever-present threat in our digital age. Understanding these techniques and their potential impact is crucial for individuals and organizations alike. By staying informed, practicing good security hygiene, and investing in robust cybersecurity measures, organizations can better defend against the cyber criminals of credential harvesting. 


CRITICALSTART® offers a pioneering solution to modern organizational challenges in aligning cyber protection with risk appetite through its Cyber Operations Risk & Response™ platform, award-winning Managed Detection and Response (MDR) services, and a dedicated human-led risk and security team. By providing continuous monitoring, mitigation, maturity assessments, and comprehensive threat intelligence research, they enable businesses to proactively protect critical assets with measurable ROI. Critical Start’s comprehensive approach allows organizations to achieve the highest level of cyber risk reduction for every dollar invested, aligning with their desired levels of risk tolerance. 


  1. https://therecord.media/cisa-cyberattacks-using-valid-credentials 
  1. https://www.infosecurity-magazine.com/news/study-reveals-forged-certificate/?&web_view=true 
  1. https://cybersecuritynews.com/hackers-using-fake-certificates/#google_vignette 
  1. https://securelist.com/anomaly-detection-in-certificate-based-tgt-requests/110242/ 
  1. https://thehackernews.com/2023/08/whats-state-of-credential-theft-in-2023.html 
  1. https://www.inky.com/en/blog/fresh-phish-malicious-qr-codes-are-quickly-retrieving-employee-credentials 
  1. https://gbhackers.com/malicious-qr-codes-steal-employee-credentials/ 

You may also be interested in…

Stay Connected on Today’s Cyber Threat Landscape

  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
Benchmark your cybersecurity against peers with our Free Quick Start Risk Assessments tool!
This is default text for notification bar