May 4, 2025

IBM: “Hackers don’t hack, they just log in”

  • February 21, 2024


According to a study by IBM, the importance of phishing and other attack vectors is decreasing, but that’s not good news. All too often, hackers can simply log into accounts using data obtained elsewhere.

A cybercriminal can break into your corporate network via an unpatched zero-day vulnerability or, failing that, by misleading an employee through a sophisticated phishing campaign. If that seems too complicated, the attacker can of course simply log in with legitimate and easily accessible account details. IBM states this in its annual X-Force report, in which the company maps the digital threat landscape.

Logged in quickly

According to IBM’s findings, logging in with authentic account credentials is now on a par with phishing as an attack vector. Thirty percent of the time, initial access to a system occurs through phishing and thirty percent of attacks occur through legitimate account credentials. Of course, both vectors are somewhat related, as phishing often aims to obtain such legitimate account information.

IBM also estimates that 29 percent of attacks are made possible by exploiting a flaw in a publicly accessible application. After that, the attacks tend to shift to niches: nine percent are carried out via external services and four percent via removable storage devices (e.g. USB sticks).

Successful despite simple measures

Criminals have rightly discovered that security systems cannot always distinguish legitimate from fraudulent sessions when the correct credentials are used to log in. The tools needed to do so exist, but are apparently not yet widespread enough. Additionally, credentials are widely available on the dark web, where attackers can purchase a list for next to nothing. Although such credentials have often been online for some time, and you can use Have I Been Pwned to check whether your data is circulating in criminal circles, they often remain unchanged.

In addition, malicious login attempts using legitimate data are relatively easy to ward off. Techniques exist to bypass multi-factor authentication (MFA), but they make an attack much more complex. Anyone who activates MFA can very efficiently defend themselves against login attempts by attackers.

AI for phishing

The absolute volume of phishing attacks fell by 44 percent in 2023 compared to 2022, IBM calculates. This is partly due to the better techniques companies are using to protect themselves against such attacks. A targeted phishing email is a labor-intensive tool. IBM expects phishing to become more prevalent again as criminals use AI to support the attacks.

Source: IT Daily
