Industry News

Mitigating Credential-Stealing Malware with Two-Factor Authentication

With stolen credentials come compromised data, breached systems, lost business credibility, legal fees, government fines, and bad publicity. And yet the ease of gaining full access with nothing more than a stolen username and password continues to motivate cybercriminals, as a recent credential heist affecting two million users, spread across big-name services like Facebook, Yahoo, Google, and Twitter, shows.

How did they get away with stealing credentials?

After Pony Botnet Controller’s malware was installed on desktops and mobile devices, it scanned all installed software for stored credentials to steal and even watched web traffic in order to steal logins for different websites. After collecting credentials, the botnet sent them back to the command-and-control (C&C) host.

Why invest in developing and implementing credential-stealing malware?

Cybercriminals sell user credentials in bulk, and the buyers typically use them to send spam. According to, the botnet controller had even gained access to the major payroll provider and stolen 8,000 credentials, putting financial and personal information at risk. recommended that users protect their website login credentials by following long-standing best practices such as changing passwords frequently and using a unique password for each website. But another way to protect logins and, subsequently, access to private accounts and systems, is to implement two-factor authentication.

How could two-factor mitigate the effectiveness of this malware?

Two-factor authentication pairs one factor (something you know, like a password) with a second factor (something you have, like a phone that receives the authentication request) to create a layered defense at the initial point of entry. As this case shows, an attacker could gain complete access to a system with just a single password. With two-factor, a second factor that requires a personal device would stop attackers at the door.

Trustwave analyzed the passwords found and discovered that there were more low-strength passwords than excellent ones, based on length and type of characters. The majority fell into the medium-strength category. Clearly, password-strength guidelines alone aren't a reliable way to secure account data if nobody follows them.

What are the consequences of a data breach?

Stolen credentials can lead to a compromise of important data, ranging from customer information to financial accounts. According to the Ponemon Institute’s 2013 Cost of a Data Breach Study: Global Analysis, the average organizational cost of a data breach in the United States is more than $5.4 million. The study also found that healthcare, financial, and pharmaceuticals industries have the highest data breach costs.

With the cost of data breaches rising, two-factor authentication is one way to effectively mitigate credential-stealing malware: a strong second factor sharply reduces the value of a username and password on their own. How do you do it? With your phone as your token. Read Why Two-Factor Authentication and watch a short video to learn how it works.

Find out about all the different ways you can authenticate using Duo’s two-factor authentication service, including Duo Push (mobile push notifications), Duo Mobile passcodes, SMS passcodes, phone callback and more in Authentication Methods.

Two Million Passwords Stolen Worldwide from Popular Websites
Ponemon Institute’s 2013 Cost of a Data Breach Study: Global Analysis (PDF)