21-07-2025
How To Fight The Threats Targeting Your Employees' Identities
Damon Fleury is the Chief Product Officer of SpyCloud, a leader in identity threat protection.
The cybercrime economy has evolved into a sophisticated marketplace for stolen data, illegally obtained access, and the enablement services and tools that make them usable at scale. These offerings rely heavily on data and access stolen through malware, phishing attacks and third-party breaches. For example, this growing industry of underground forums and marketplaces sells pre-built malware tools for less than $10, making it easier for even non-sophisticated cybercriminals to infiltrate organizations.
A new generation of resourceful cybercriminals now efficiently uses these darknet resources to target organizations with infostealer malware, advanced phishing attacks, residential proxies that route attacker traffic through victims' home IP addresses so it appears to come from a trusted location, and more.
The impact is eye-opening. According to SpyCloud's 2025 Identity Exposure Report:
• About 50% of corporate users were exposed through infostealer malware in the past year.
• Seven million credentials were stolen from third-party applications, along with hundreds of thousands of credentials stolen from enterprise AI tools and password managers, exposing sensitive business insights and proprietary data and undermining critical security layers.
• As attackers gained access to high-value personal and corporate data, 97% of recaptured phishing data from known breaches contained email addresses, 64% exposed IP addresses and half included location data.
These statistics reflect a concerning level of exposure, with massive amounts of sensitive information now in the hands of individuals who lacked the tools or expertise to obtain it just a year ago. To keep up, enterprises must rethink their cybersecurity strategies for a world where anyone can be a threat and every employee a potential target, starting with a clear understanding of what's driving modern cybercrime and where their people are most vulnerable.
One-Click Cybercrime: Underground Syndicates And Install Brokers
It used to be that actors had to be truly enterprising to be successful, from writing their malware code to developing ways to avoid detection. Now, bad actors can pick up an entire malware kit via a black market site just as easily as the average consumer can make an Amazon purchase.
The impacts of these attacks can be devastating. For example, a criminal group known as Scattered Spider recently attacked famed British retailer Marks & Spencer, allegedly using solutions purchased on underground forums. The attack resulted in a drop in the company's share price and millions of dollars in lost revenue.
Scattered Spider is one of many groups suspected of using off-the-shelf malware obtained through 'install brokers'—also known as ad brokers or pay-per-install services. These brokers act as intermediaries in the cybercrime supply chain, connecting malware developers with threat actors by distributing malicious software at scale.
Install brokers often use advertising networks like Spaxmedia, compromised websites or bundled software to silently install malware on victims' devices. This hands-off infection method allows cybercriminals to steal data, launch phishing campaigns, deploy ransomware and cause widespread damage to an organization's operations, finances and reputation.
Any bad actor with a few hundred dollars in crypto can buy access to high-quality, polished, ready-to-install malware and launch it quickly and easily. Criminals can also purchase "malware cryptors," tools that help evade antivirus software. They can even use install brokers to resell stolen data in bulk for low prices, creating a wholesale club for malicious actors.
Holistic Digital Identities: Defending Against Cybercrime Enablement
Executives must understand what they're dealing with and shift their perceptions of cybercriminals. So-called "smaller players" like those operating as Scattered Spider can be just as damaging as sophisticated state-sponsored cyberattackers, thanks to their ability to easily purchase readily available, inexpensive, plug-and-play tools. The result is a corporate cyber threat landscape that's more scalable and dangerous than ever before.
The problem is that most of the attack methods used by the new wave of cyberattackers leave little to no forensic trail, which makes it hard for businesses to know they've been infiltrated until it's too late. For instance, infostealers leave no trace, allowing criminals to stealthily steal users' identity data like passwords, personally identifiable information (PII) and more.
However sly the criminals are, they're generally predictable and almost always go after the same target: an organization's users. Therefore, one of the best defenses against infostealers, phishing-as-a-service (PhaaS) and other tactics is to use data collected from known breaches and stolen data that's circulating on the dark web to build holistic digital identities for your organization's users.
I've previously shared insights into the need for digital identity correlation, which enables companies to identify and mitigate threats related to stolen or compromised employee data—everything from social security numbers and emails to phone and credit card numbers.
Criminals see exposed users as soft targets they can easily exploit, but this approach helps businesses turn the tables. Piecing together user credentials exposed on the darknet allows businesses to make informed decisions on enabling access, resetting passwords and performing other tasks that protect individuals and the organization. They can effectively harden the soft targets against cybercriminals of all skill levels and defend against attacks.
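A minimal illustration of the correlation-and-response idea described above, added here as an example and not SpyCloud's product logic: recaptured exposure records are tied back to employees through work email, a known personal alias, or a phone number, and the strongest response action per employee is chosen. The roster, the exposure records, the 90-day "recent" window and the action names are all constructed assumptions.

```python
from datetime import date

# Constructed employee roster keyed by work email. Aliases and phone numbers
# let an exposure seen under a personal identity be tied back to the employee.
ROSTER = {
    "a.patel@example.com": {"aliases": {"apatel99@mail.example"}, "phone": "+15550100"},
    "j.ruiz@example.com": {"aliases": set(), "phone": "+15550111"},
}

# Constructed recaptured records, shaped like a breach/infostealer feed might present them.
EXPOSURES = [
    {"email": "A.Patel@Example.com", "source": "infostealer", "plaintext": True,
     "seen": date(2025, 7, 10)},
    {"email": "apatel99@mail.example", "source": "breach", "plaintext": False,
     "seen": date(2023, 2, 1)},
    {"email": "unknown@other.example", "phone": "+15550111", "source": "phishing",
     "plaintext": True, "seen": date(2025, 6, 30)},
]

def normalize_email(addr):
    """Case and whitespace differences must not break correlation."""
    return addr.strip().lower()

def resolve_employee(record):
    """Map one exposure record to a roster work email, or None if no match."""
    addr = normalize_email(record.get("email", ""))
    for work_email, ident in ROSTER.items():
        if addr == work_email or addr in ident["aliases"]:
            return work_email
        if record.get("phone") and record["phone"] == ident["phone"]:
            return work_email
    return None

def recommend(records, today=date(2025, 7, 21), recent_days=90):
    """Return {work_email: action}; the strongest action per employee wins."""
    rank = {"monitor": 0, "force_reset": 1, "reset_and_review_sessions": 2}
    actions = {}
    for rec in records:
        emp = resolve_employee(rec)
        if emp is None:
            continue  # exposure belongs to no known employee
        recent = (today - rec["seen"]).days <= recent_days
        if rec["source"] == "infostealer" and recent:
            action = "reset_and_review_sessions"  # stealers also take session cookies
        elif rec["plaintext"]:
            action = "force_reset"  # even old plaintext enables credential reuse
        else:
            action = "monitor"
        if rank[action] > rank.get(actions.get(emp), -1):
            actions[emp] = action
    return actions
```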
Evolving Enterprise Security To Meet The Moment
Malware, phishing platforms, stolen credentials and install broker services are readily available and sold like consumer software, dramatically lowering the barrier to entry for cyberattackers. This shift has redefined the threat landscape, turning low-skill actors into legitimate threats and scaling the impact of cybercrime across industries.
As the era of cybercrime enablement expands, enterprise security practices must evolve, too. Instead of focusing exclusively on perimeter defense models, organizations must understand the types of PII today's bad actors possess—and use that information against them to build strong and sustainable security postures.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.