Navigating the Naz.API Data Breach: Essential Insights and Protective Measures for Financial Institutions (FIs)

In an era where digital threats are escalating globally, the discovery of the Naz.API data breach has cast an especially long and ominous shadow over the financial sector. This event is not just another entry in the ever-growing list of cyber incidents; it marks a significant escalation in the types of threats faced by financial institutions and their clients. Let's delve into this critical security incident and evaluate its potential repercussions on the financial landscape.

Posted by Arjun Bisen and Zara Perumal, January 29, 2024 - 4 min read

Several Overwatch customers have noted a corresponding spike in fraud, enumeration attacks, and account takeover attempts. Below, we wanted to share a summary of what we’ve seen and what FIs can do about it.

What is the Naz.API Leak and Why is it Significant?

Naz.API is a compilation of roughly 1 billion leaked credential records – a treasure trove for attackers. The records pair email addresses or usernames with, most alarmingly, plain-text passwords, and they were drawn from two kinds of source:

  1. Stealer logs: Logs generated by malware (trojans) designed to steal login information from unsuspecting users' devices.
  2. Credential stuffing lists: Collections of previously leaked username and password pairs, repurposed by cybercriminals to try against other platforms on the assumption that users reuse passwords.

The sheer volume and accessibility of Naz.API made it a goldmine for malicious actors, and it is particularly worrisome for financial institutions, where even a single compromised account can lead to significant losses. Troy Hunt, the creator of Have I Been Pwned, found that roughly 35 percent of the email addresses in the set had never appeared in any breach previously loaded into the service, meaning a large share of these credentials were new to defenders and not yet covered by existing leaked-password checks. That is what makes this an especially significant leak.

The Rise of Credential Stealers

Credential stealers, a form of malware designed to harvest login details, have become increasingly sophisticated. They operate through various mechanisms:

  1. Keylogging: Recording every keystroke you make, potentially capturing usernames and passwords entered on websites and applications.
  2. Form grabbing: Intercepting data submitted through online forms, including login credentials for banking portals and payment platforms.
  3. Browser credential harvesting: Extracting the passwords, cookies and session tokens the browser has saved (on Windows, typically by decrypting the browser's credential store with the victim's own DPAPI key) and sending them to an attacker-controlled server. This is the main source of the stealer logs described above, and it captures credentials for sites the victim never types into during the infection.

These programs often run unnoticed until significant damage has been inflicted. Overwatch Data observed an uptick in credential stealer logs on the dark web from late 2023 to January 2024, culminating in the widespread availability of the Naz.API compilation.

The most common stealers we observed were Raccoon, RedLine, Lumma and Bunnyloader for general credential stealing, and Vidar, Azorult, Stealerium, Oski and Lokibot for more specific, customized and targeted attacks.
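As an added illustration (not code from the original post or from Overwatch), the Python below parses a stealer log in the URL/Username/Password block format that RedLine-style stealers write, and reports which of the harvested credentials belong to a financial institution's own domains, flagging accounts whose same username and password also turn up on a third-party site (those are credential-stuffing targets as well). The log text, the bank domain and every account are constructed for the example; real logs vary by family, so the field regex is the part you would adapt. Passwords are used only to join entries and never appear in the output.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample modelled on the URL / Username / Password blocks that
# RedLine-style stealer logs emit; all hosts, accounts and passwords are invented.
SAMPLE_LOG = """\
URL: https://online.examplebank.com/login
Username: alice@example.com
Password: Winter2023!
Application: Google Chrome
===============
URL: https://mail.example.com/
Username: alice@example.com
Password: Winter2023!
Application: Google Chrome
===============
URL: https://shop.example.org/account
Username: bob
Password: hunter2
Application: Microsoft Edge
===============
URL: https://Online.ExampleBank.com/mobile/
Username: ALICE@example.com
Password: Winter2023!
Application: Firefox
===============
URL: https://card.examplebank.com/
Username: carol@example.net
Password: correct horse
Application: Google Chrome
===============
"""

FIELD_RE = re.compile(r"^(URL|Username|Password|Application):\s*(.*)$")


def parse_stealer_log(text):
    """Split a stealer log into records, one dict per separator-delimited block."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("==="):  # block separator
            if current:
                records.append(current)
            current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).lower()] = m.group(2)
    if current:  # log without a trailing separator
        records.append(current)
    return records


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlsplit(url).hostname or "").lower()


def belongs_to(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def find_exposed_accounts(records, fi_domains):
    """Return the accounts whose credentials for an FI-owned host are in the log.
    reused_elsewhere is True when the same username:password was also captured
    for a host outside the FI, i.e. the pair will also be replayed by stuffers."""
    fi_domains = {d.lower() for d in fi_domains}
    seen = defaultdict(set)  # (username, password) -> hosts it was captured for
    for r in records:
        if not all(k in r for k in ("url", "username", "password")):
            continue  # partial block, nothing to match on
        key = (r["username"].strip().lower(), r["password"])
        seen[key].add(host_of(r["url"]))
    exposed = []
    for (user, _pwd), hosts in seen.items():
        fi_hosts = sorted(h for h in hosts if belongs_to(h, fi_domains))
        if fi_hosts:
            exposed.append({
                "username": user,
                "fi_hosts": fi_hosts,
                "reused_elsewhere": any(not belongs_to(h, fi_domains) for h in hosts),
            })
    return sorted(exposed, key=lambda e: e["username"])


if __name__ == "__main__":
    for hit in find_exposed_accounts(parse_stealer_log(SAMPLE_LOG), ["examplebank.com"]):
        print(hit)
```

Usernames and hosts are normalised before matching because stealers record whatever the browser stored, so the same customer often appears in several spellings; the output is the list of accounts to force-reset, with the reuse flag telling you which ones to watch for stuffing attempts on top of the direct takeover risk.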

What Could this Mean for Financial Institutions and their Customers?

The Naz.API leak poses a significant threat to both financial institutions and their customers. Here are some potential consequences:

  1. Increased account takeover attempts: Hackers can try stolen credentials from Naz.API to gain unauthorized access to customer accounts, potentially siphoning funds, making fraudulent transactions, or even stealing sensitive financial data.
  2. Phishing attacks: Hackers can use leaked email addresses to target customers with personalized phishing emails, attempting to trick them into revealing additional login information or falling for online scams.
  3. Heightened money-mule and cash-out activity: taken-over accounts are used to receive, layer and move illicit funds.
  4. Increase in fraudulent account creation: leaked email addresses can be combined with ‘Fullz’ (complete identity records such as name, date of birth and government ID numbers) bought elsewhere to open new accounts in real customers' names.
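The first consequence above, stolen pairs being replayed against the login endpoint, and the enumeration spike mentioned at the top of the post leave a recognisable shape in authentication logs: one source trying many distinct usernames in a short window, with mostly failures and the occasional success, which is the takeover. The Python below is an added example of that detection logic, not code from the original post or from Overwatch. The log lines are constructed, the 10-minute window and 5-user threshold are assumed starting values, and it assumes the backend records whether a failure was a wrong password or a non-existent user (the user-facing response must not reveal that difference, but the log should).

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed authentication log: timestamp, source IP, username, result.
# Result is 'ok', 'bad_password' or 'no_such_user' as recorded by the backend.
SAMPLE_EVENTS = """\
2024-01-20T10:00:01Z 203.0.113.5 alice@example.com bad_password
2024-01-20T10:00:02Z 203.0.113.5 bob@example.com ok
2024-01-20T10:00:03Z 203.0.113.5 carol@example.net bad_password
2024-01-20T10:00:04Z 203.0.113.5 dave@example.org ok
2024-01-20T10:00:05Z 203.0.113.5 erin@example.com bad_password
2024-01-20T10:00:06Z 203.0.113.5 frank@example.com bad_password
2024-01-20T10:00:07Z 203.0.113.5 grace@example.net bad_password
2024-01-20T10:00:08Z 203.0.113.5 heidi@example.org bad_password
2024-01-20T10:05:00Z 198.51.100.9 a1@example.com no_such_user
2024-01-20T10:05:01Z 198.51.100.9 a2@example.com no_such_user
2024-01-20T10:05:02Z 198.51.100.9 a3@example.com no_such_user
2024-01-20T10:05:03Z 198.51.100.9 a4@example.com bad_password
2024-01-20T10:05:04Z 198.51.100.9 a5@example.com no_such_user
2024-01-20T10:05:05Z 198.51.100.9 a6@example.com no_such_user
2024-01-20T10:30:00Z 192.0.2.77 alice@example.com bad_password
2024-01-20T10:30:20Z 192.0.2.77 alice@example.com bad_password
2024-01-20T10:30:45Z 192.0.2.77 alice@example.com ok
"""

WINDOW = timedelta(minutes=10)  # assumed: how long a burst from one source is correlated
MIN_DISTINCT_USERS = 5          # assumed: fewer distinct usernames than this is not flagged


def parse_events(text):
    """Parse the constructed log into (time, ip, username, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user.lower(), result))
    return events


def analyse_logins(events, window=WINDOW, min_users=MIN_DISTINCT_USERS):
    """Per source IP, slide a time window over its attempts and report the widest
    window that looks like credential stuffing or user enumeration."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()  # chronological; tuples sort on the datetime first
        start, best = 0, None
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            if len(users) < min_users:
                continue  # a single customer mistyping is not a campaign
            results = Counter(e[3] for e in win)
            n = len(win)
            if results["no_such_user"] / n >= 0.5:
                verdict = "enumeration"          # probing which accounts exist
            elif (results["bad_password"] + results["no_such_user"]) / n >= 0.5:
                verdict = "credential_stuffing"  # replaying leaked pairs, most now stale
            else:
                continue
            finding = {
                "verdict": verdict,
                "distinct_users": len(users),
                "attempts": n,
                # successes inside a stuffing burst are the takeovers to act on
                "compromised": sorted({e[2] for e in win if e[3] == "ok"}),
            }
            if best is None or finding["distinct_users"] > best["distinct_users"]:
                best = finding
        if best:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, finding in analyse_logins(parse_events(SAMPLE_EVENTS)).items():
        print(ip, finding)
```

Keying on a single IP is the simplest version; real stuffing campaigns spread attempts across residential proxies, so in production you would also correlate on ASN, device fingerprint and the site-wide failure rate. Whatever the keying, the `compromised` list is the actionable output: those sessions should be invalidated and the accounts stepped up or reset.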

What Can Be Done to Protect against Credential Stealers?

  1. Implement multi-factor authentication: Adding a factor beyond the password, such as one-time codes, biometrics or, better, a phishing-resistant factor like a FIDO2 security key or passkey, significantly reduces the success rate of account takeover attempts that rely on a stolen password alone.
  2. Deploy a compromised-credential screening service: check passwords against known leaks at login, registration and password change, and keep the leak set current as new dumps such as Naz.API surface, because a password that was clean last year may be in attacker hands today.
  3. Monitor social, deep and dark web sources for emerging threats, and obtain new breach data as soon as it appears so that affected customers can be protected proactively. Do not rely on MFA alone: OTP and SMS-based 2FA bypass techniques, such as phishing proxies that relay the code in real time and SIM swapping, are now commonplace, so a customer whose password is in a stealer log needs a reset, not just a second factor.
  4. Employ intrusion detection and prevention systems: Proactive monitoring for suspicious activity on endpoints and networks can identify and stop malware before it wreaks havoc. Staying on top of new malware families lets infosec teams write detections for new credential stealers and preempt the resulting leaks – we recently helped a customer obtain a sample of Bunnyloader.
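The second and third measures above come together at the one point where the FI actually holds the plaintext: login, registration and password change, since stored salted hashes cannot be compared with a dump directly. The Python below is an added example, not Overwatch's product or code from the original post. The leak sample is constructed in the email:password line shape of the Naz.API dump; the bucket-by-SHA-1-prefix lookup follows the k-anonymity range-query scheme that Have I Been Pwned's Pwned Passwords API uses, assumed here to be served from a local index rather than over the network; and the three outcomes (block and reset, step up and rotate, allow) are an assumed policy, not one the post prescribes.

```python
import hashlib
from collections import Counter, defaultdict

# Constructed sample in the email:password line format of the Naz.API dump;
# every address and password here is invented for the example.
SAMPLE_LEAK = """\
alice@example.com:Winter2023!
bob@example.com:hunter2
carol@example.net:correct horse battery staple
dave@example.org:Winter2023!
erin@example.com:P@ssw0rd
"""


def password_sha1(password):
    """Upper-case hex SHA-1, the convention Pwned Passwords uses for range queries."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def pair_digest(email, password):
    """Digest of the normalised email:password pair, so the index stores no plaintext."""
    normalised = f"{email.strip().lower()}:{password}"
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


class LeakIndex:
    """Two indexes built from a dump: password hashes bucketed by their first five
    hex characters (for k-anonymity range queries) and digests of exact pairs."""

    def __init__(self, dump_text):
        self.buckets = defaultdict(Counter)  # prefix -> Counter(suffix -> occurrences)
        self.pairs = set()
        for line in dump_text.splitlines():
            if ":" not in line:
                continue  # malformed line, skip it
            email, password = line.split(":", 1)
            digest = password_sha1(password)
            self.buckets[digest[:5]][digest[5:]] += 1
            self.pairs.add(pair_digest(email, password))

    def range_query(self, prefix):
        """What a password-check service returns: every suffix in the bucket.
        The caller sends only five hex characters, so the service never learns
        which password, or even which full hash, is being checked."""
        return dict(self.buckets.get(prefix.upper(), {}))


def password_exposure_count(index, password):
    """Client side of the range query: hash locally, fetch the bucket, match locally."""
    digest = password_sha1(password)
    return index.range_query(digest[:5]).get(digest[5:], 0)


def screen_login(index, email, password):
    """Decide what to do with an attempt whose plaintext password is in hand.
    Returns 'block_and_reset', 'step_up_and_rotate' or 'allow' (assumed policy)."""
    if pair_digest(email, password) in index.pairs:
        # The exact pair is in a stealer log or stuffing list: treat the account
        # as already in attacker hands, whether or not the second factor passes.
        return "block_and_reset"
    if password_exposure_count(index, password) > 0:
        # Password is known to attackers from other accounts: let the customer in
        # behind a step-up challenge and force a change.
        return "step_up_and_rotate"
    return "allow"


if __name__ == "__main__":
    idx = LeakIndex(SAMPLE_LEAK)
    print(screen_login(idx, "Alice@Example.com", "Winter2023!"))
    print(screen_login(idx, "frank@example.com", "hunter2"))
    print(screen_login(idx, "frank@example.com", "a long unique passphrase"))
```

The exact-pair check is the one that matters most for Naz.API: a customer whose email and password appear together in a stealer log is not protected by a strong-password policy, because the password is strong and already stolen. The prefix bucket is what lets a third-party checking service be used without handing it customer passwords, and the same index can be rebuilt each time a new dump is obtained.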

How Overwatch Can Help

Overwatch helps you stay abreast of threats brewing in the deep, dark and social web, and monitors what cyber researchers are finding and sharing on the surface web. With our in-house investigations expertise, the Overwatch team goes beyond detection to help you understand what those threats mean for you. This includes obtaining malware samples and scouring leaks and compromised credentials on the deep and dark web.

The Naz.API leak serves as a stark reminder of our online vulnerabilities. Vigilance and proactive cybersecurity measures are vital in safeguarding our financial ecosystem. If you're concerned about potential breaches affecting your organization or customers, please contact us for a thorough investigation.

Have thoughts or experiences related to the Naz.API breach? We’d love to hear your insights – and if you’d like to know whether any of your company’s logins or customers might have been breached - please get in touch.
