Understanding initial access markets: Attack techniques

Aaron Goldstein
March 11, 2024

Initial access markets sell stolen credentials and other means of access to cyber criminals. This blog will cover some of the ways those credentials are stolen, as well as the techniques attackers use that information to target organizations. This is part two of our series on initial access markets; click here to read part one.

How credentials are stolen

Many of today’s most prominent attack techniques can result in credential compromise. Some of the most common ways credentials are stolen include:

Phishing / business email compromise (BEC)

Using social engineering, fraud, and other devious tactics, adversaries trick employees into divulging their credentials and/or other personal information. Increasing commoditization of the cybercrime space has led to phishing toolkits and Phishing-as-a-Service as possible options for attackers to significantly streamline their efforts.

Brute force  

Security.org states that even a fairly complex password of eight characters or lower can be cracked in under a day. Advances in cybercriminal technology have made it even easier for attackers to brute force their way into an account. Unfortunately, despite an ongoing emphasis from security personnel on password hygiene best practices, people continue to use simple passwords (‘password123’ is still one of the most used passwords) that are easily compromised.

Data dumps / leaks

In a successful breach, attackers gain access to a wealth of data. Some may opt to capitalize on that data instantly, selling it through initial access markets or other such marketplaces. This could be either a way to make a quick buck or prevent an attacker from getting too deep into a network and exposing themselves. Others simply share this information as a way to show off their hacking prowess, sow discord, or promote cyber terrorism.

Pirated / illegitimate software

Obtaining software through illegal means may be cheaper than the alternative, but it comes with massive risks. Namely, many attackers use illegitimate software to pose as a legit, “cracked” version of known software and steal credentials. Otherwise, the phony applications may include malware in downloads, infecting a system with info-stealing software.


Infostealers passively collect information generated by an infected system, tracking actions and even keystrokes to gather critical data. This could range anywhere from confidential or financial information to any of the various passwords someone uses in their daily business.  

Attack techniques using stolen credentials

Armed with purchased credentials, attackers have a variety of ways to capitalize on the information for their own gain, including:  

Credential stuffing

The most basic technique available is using the credentials to log into accounts and wreak havoc. As poor password hygiene continues to be an issue in security, these credentials could affect both the account/system they’re directly associated, but also any number of other products or applications a user leverages. It’s apparent the potential windfall that could come out of even one set of compromised credentials. Multiply that across an entire initial access market and the result could be payday for an attacker—and ruin for the affected individuals.

Multi-factor authentication (MFA) fatigue

For accounts that have MFA enabled, a set of credentials may not have the same weight as it would without. That doesn’t mean, however, that they can’t be used. By repeatedly attempting to use the credentials, attackers can flood the affected individual with MFA requests, be it through SMS, push notifications, or elsewise.

Continuously “bombing” a user with MFA requests has several outcomes. At minimum, it could lock them out of their account, an ultimately minor inconvenience. But, in worse cases, the user could inadvertently or otherwise accidentally approve one of the requests, granting the attacker access to their account.  

Account takeover

Using one of the earlier methods or others, an attacker can ultimately use the purchased credentials to get into a user’s account and take it over. Depending on the system or application, the result could be minimal. But, for critical applications, or if the user is particularly high-profile, say a C-level or small business owner, attackers could verily hit the jackpot.

Account takeovers can dovetail into several different outcomes:

  • Identity theft: Many digital accounts contain key personal identification information (PII) from things like name, phone number, and birthdate to credit card info, Social Security numbers, or even answers to security questions that can be used to break into other accounts. This information is the literal gold mine that attackers look for, as they can use it to blackmail or otherwise steal a person’s identity. In addition, they can, in turn, take the information to sell it again over an initial access market or other dark web marketplace.  
  • Corporate espionage: In as many ways as the information detailed above gives power to attackers, passively gained intelligence could be just as useful. Access to an email account or other communication platform gives an attacker an unfiltered view into a person’s conversations. This gives them insights into all sorts of potentially lucrative information:
    • Confidential or otherwise inappropriate conversations that could be used for blackmail
    • Stock/trading information including funding rounds, IPOs, or other financial data
    • Communication styles and tone/voice to fuel social engineering or deep fake operations
    Using this information allows adversaries to know precisely when, where, and how to target future attacks to have the most impact.
  • Ransomware/malware propagation: Access to systems or email accounts are a perfect avenue for creators of malware and ransomware to disperse their viruses into a network. This is especially pertinent with email account takeovers, as attackers can pose as the affected individual(s) to send infected files under the guise of legitimate business activity.
  • Botnet recruitment: For adversaries that build webs of bots to organize distributed denial of service (DDoS) or other brute force attacks, a compromised system adds another potential bot to the mix. Using the techniques above, more systems could be further infected, leading to more bots that can be leveraged.

Learn more

These techniques paint a grim picture as to the potential effects of credentials purchased through initial access markets. Thankfully, there are ways that you can defend yourself and your organization against them.

Read the final blog in the series to explore these defense tactics in detail.

To learn more about initial access markets, register for our webinar deep dive on the topic.

Stay up to date

Subscribe to receive the latest insights, news, and updates from Todyl.

Additional reading

Why I joined Todyl: Mike Hanauer
How to increase trust with cyber insurance carriers
Why MDR platform breadth and depth matters

Todyl updates

Sign-up to get the latest from Todyl sent straight to your inbox.