What Is Password Spraying?

Tom Cronkright, Published on May 6, 2019

There are many ways a fraudster can compromise your accounts and commit wire fraud. One is password spraying, a tactic that has become increasingly common over the last couple of years.

This easy, affordable, and extremely effective method offers cybercriminals a quick solution to gain access to their targets’ accounts.

In the following article, we’ll take an in-depth look at password spraying, how it happens, and what you can do to prevent it.

What is Password Spraying?

Password spraying is a form of cyber attack that allows fraudsters to commit real estate wire fraud. When successful, it gives them unauthorized access to their target’s account.

Crooks are performing password spraying when they try to access an account by using common passwords, such as “Password1” or “123123.” This method is different from password stuffing (more commonly called credential stuffing), where a fraudster uses previously compromised passwords.

Typically, the crooks will target a real estate company or organization and create a list of its employees’ email addresses.

They will then work out which email accounts are likely to be vulnerable by searching for addresses that use standard email formats. An example would be: “firstname.lastname@organization.com.”

The hope is that if the user has a typical, common email address, they’re more likely to have a simple, commonly used password as well.

The fraudster will choose a password and try to log in through popular cloud-based services such as Gmail or Microsoft.
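
In sign-in logs, the pattern described above shows up as one source failing against many different accounts with only a try or two on each. The following is an added example, not part of the original article, that flags that pattern in constructed failed-login records; the function name, record layout and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed sign-in records: (timestamp, source IP, account).
# IPs are documentation ranges and accounts use example.com; none are real.
NAMES = ["amy.lee", "bo.chan", "cy.diaz", "di.evans", "ed.fox", "flo.gray"]
FAILED_LOGINS = (
    # one source, six different accounts, one try each (spray pattern)
    [(f"2024-01-15T09:0{i}:00", "203.0.113.7", f"{n}@example.com")
     for i, n in enumerate(NAMES)]
    # one source, six tries on a single account (not a spray)
    + [(f"2024-01-15T09:1{i}:00", "198.51.100.20", "amy.lee@example.com")
       for i in range(6)]
    # an ordinary mistyped password
    + [("2024-01-15T09:30:00", "192.0.2.15", "bo.chan@example.com")]
)

def find_spray_sources(events, window=timedelta(minutes=30), min_accounts=5):
    """Return {source: {account: tries}} for sources whose failures inside
    one sliding window touch at least min_accounts distinct accounts."""
    by_source = defaultdict(list)
    for ts, src, account in events:
        by_source[src].append((datetime.fromisoformat(ts), account))

    flagged = {}
    for src, rows in by_source.items():
        rows.sort()
        counts, best, start = defaultdict(int), {}, 0
        for when, account in rows:
            counts[account] += 1
            while when - rows[start][0] > window:  # drop events that aged out
                old = rows[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) > len(best):            # widest window seen so far
                best = dict(counts)
        if len(best) >= min_accounts:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    for src, accounts in find_spray_sources(FAILED_LOGINS).items():
        print(src, "failed against", len(accounts), "accounts;",
              "most tries on any one account:", max(accounts.values()))
```

Each sprayed account sees only a single failure, so a count kept per account never stands out; counting distinct accounts per source does.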

Why It Happens

There are many reasons that password spraying is an increasingly common threat to title company security.

The most obvious reason is that password spraying is an extremely easy and effective method. When successful, it can allow access to any number of high-profile accounts.

Below, we’ll go over several other factors that have made password spraying a common cybersecurity threat.

Increased Online Presence

It’s a fact that an increasing number of people are using the internet. This surge in users makes password spraying an effective means for fraudsters to access the data needed for wire fraud.

Along with business applications, consumer services are now moving to the online world. You’ll find everything from social media networks and customer loyalty programs to food delivery services and e-commerce stores on the web.

As a result, the number of accounts held by a single consumer has gone up significantly in recent years. Often, people tend to use the same passwords across multiple accounts.

Compromised Data Can Be Monetized

Because compromised data and other types of intellectual property can be sold for a profit, fraudsters have all the reasons they need to target this type of information.

Years ago, most cyber attacks went after financial data such as banking and credit card details. But today, fraudsters have found new ways to sell all types of personal information on the world wide web.

No longer is compromised data simply sold on forums and websites. It is directly monetized via ransom and blackmail, forcing victims to make payments through untraceable cryptocurrencies.

Because of this, the value of both corporate and consumer account information has increased in recent years. This makes real estate accounts an extremely lucrative target for fraudsters.

Lateral Attacks

Many internet users re-use the same passwords for multiple accounts. With this, one hacked account can lead to lateral attacks and the compromise of other cloud-based services.

If the user relies on a Single Sign-On (SSO) tool, a successful password spraying attack would allow access to all downstream services that the user has connected.

How To Prevent Password Spraying

Always remember that it only takes one successful attempt at password spraying for a fraudster to get into your organization. Ensuring that your company is protected at all times is critical.

Below, you’ll find several tips to help you prevent password spraying attempts.

Enable Two-Factor Authentication

Using two-factor or multi-factor authentication adds an extra layer of cybersecurity to your organization and its accounts.

This type of authentication gives account users other options along with their password. They can use a phone number, text message, or some form of biometric measure to verify their identity.

Create A Secure Password Policy

Creating a secure password policy for your corporate network is another excellent way to prevent password spraying.

For example, you could set your passwords to expire every couple of months.

Also, make sure that all passwords are at least eight characters long and include both lower and uppercase letters, numbers, and symbols.

Encourage your employees to never use easy-to-guess passwords such as their names, birthdates, or places of residence.

One of the best ways to implement and enforce a strict password policy is to use a password manager for all online accounts.
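
The rules in this section can be checked in code when a password is set. The following is an added example, not part of the original article or any CertifID product; the function name, the `personal_terms` parameter and the short deny list are assumptions. It also shows why the character rules need a common-password check beside them: “Password1!” satisfies every character rule.

```python
import string

# Illustrative deny list (an assumption); "password1" and "123123" are the
# examples the article gives. Real lists hold many thousands of entries.
COMMON_PASSWORDS = {"password", "password1", "123123", "welcome", "qwerty"}

CHARACTER_CLASSES = {
    "a lowercase letter": string.ascii_lowercase,
    "an uppercase letter": string.ascii_uppercase,
    "a number": string.digits,
    "a symbol": string.punctuation,
}

def policy_violations(password, personal_terms=()):
    """Return the list of rules the password breaks; an empty list means it passes.

    personal_terms: names, birth years, home town and similar details of the
    account owner, supplied by the caller (hypothetical parameter).
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    for label, chars in CHARACTER_CLASSES.items():
        if not any(c in chars for c in password):
            problems.append(f"missing {label}")

    lowered = password.lower()
    # Also compare with trailing digits and symbols removed, so "Password1!"
    # is still recognised as the common word "password".
    stem = lowered.rstrip(string.digits + string.punctuation)
    if lowered in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        problems.append("based on a common password")
    if any(len(t) >= 3 and t.lower() in lowered for t in personal_terms):
        problems.append("contains a personal detail")
    return problems

if __name__ == "__main__":
    samples = [("Password1", ()), ("Password1!", ()),
               ("Dana1985!x", ("Dana", "1985")), ("vT9#qLm2$wRz", ())]
    for pw, terms in samples:
        print(pw, "->", policy_violations(pw, terms) or "passes")
```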

Trust No One

It’s important to understand that threats can come from both inside and outside your organization.

Therefore, cultivate a mindset where you don’t trust easily, and always verify your organization’s user accounts.

This means having a stringent verification process for all accounts. Use different, strong passwords across all devices and accounts used by your organization.

Lastly, make sure to never use default usernames or passwords because they are so easily found online.

Lead By Example

To ensure your business is safe at all times, you’ll need cooperation between you and your employees.

The best way to do this is to teach your employees about cybersecurity. Educate them about the importance of creating strong passwords that won’t be easy to guess.

Cybersecurity training shows that you actually care about being safe online and preventing data breaches within your company.

The Truth About Password Spraying

Always remember that fraudsters are looking for the easiest and shortest way to get to their targets. This is exactly what password spraying gives them.

It is both simple and effective, and when successful, allows them to gain access to your organization’s valuable assets by bypassing conventional security measures.

As long as we continue using passwords as our primary authentication method, password spraying will remain one of the most common tools fraudsters can use to compromise your organization’s accounts quickly.

With that said, it’s vital that today’s title companies, and the companies they work with, treat password spraying as a very real potential threat.

It’s imperative to understand the risk and address it wherever applicable in your corporate environment. Moreover, one of the most effective ways to do this is by using multi-factor authentication.

Working With CertifID

After a brutal wire fraud attack several years ago, I decided to create CertifID to protect other title agency owners and help them reduce their risk of going through the same thing I did.

If you’re interested in learning more about additional security methods your business can use to diminish your company’s risk of fraud, don’t hesitate to Contact Us today and request a demo of CertifID.

    AUTHOR

    Tom Cronkright

    CEO and Co-Founder @ CertifID
