Scam Types | March 18, 2026 | Leo

How Credential Harvesting Websites Steal Your Login in Seconds

What Credential Harvesting Is

Credential harvesting is the practice of building fake login pages that capture usernames, passwords, and other authentication data when victims attempt to sign in. ScamVerify™ tracks 60,758 indicators of compromise (IOCs) from abuse.ch's ThreatFox feed, a significant portion of which point at credential harvesting infrastructure, alongside 74,032 malicious domains from URLhaus. Together these feeds show how credential theft operates at industrial scale.

Unlike malware, which has to be installed on the device, credential harvesting relies entirely on deception: the victim types the information into what looks like a legitimate login form. The whole exchange takes seconds, and the victim usually notices nothing.

The Anatomy of a Credential Harvesting Attack

Step 1: The Lure

The attack begins with a message designed to get the victim to click a link. Common delivery methods include:

Channel | Example lure | Target
Email | "Your account has been locked. Verify now." | Banking, email, shopping accounts
Text message | "Suspicious login from new device. Confirm identity." | Social media, email accounts
QR code | Poster or flyer with "scan to log in" | Corporate and educational environments
Search ads | Paid ads ranking above the real login page | Any popular service

Microsoft reports that 15,000 malicious QR code emails target educational institutions daily, directing victims to fake Microsoft 365 login pages. This vector is growing rapidly because the URL is embedded in an image: email filters that only scan text and HTML links miss it, and the scan moves the victim onto a personal phone that sits outside corporate web filtering.

Step 2: The Cloned Login Page

The victim clicks the link and arrives at a page that looks identical to the real login screen. Modern credential harvesting kits produce pixel-perfect replicas of:

  • Banking portals (Chase, Bank of America, Wells Fargo)
  • Email services (Gmail, Outlook, Yahoo Mail)
  • Social media (Facebook, Instagram, LinkedIn)
  • Cloud services (Microsoft 365, Google Workspace, Dropbox)
  • E-commerce (Amazon, PayPal, eBay)

The cloned page includes the correct logo, color scheme, fonts, layout, and even interactive elements such as "Forgot password?" links, which point to the real site so that anyone who clicks them sees nothing unusual. A convincing page is therefore no evidence of a genuine one; only the domain in the address bar is.

Step 3: The Capture

When the victim enters their username and password, the form submits the data to the attacker's server, which takes milliseconds. Backend code on that server then:

  1. Logs the credentials to a database, a text file, or a Telegram bot
  2. Timestamps the capture so the attacker knows the credentials are fresh
  3. Redirects the victim to the real login page, often with a "session expired, please try again" message

The redirect to the real site is the critical detail. The victim assumes their first login attempt "failed," enters their credentials again on the real site, and logs in successfully. They never suspect the first attempt was captured. Some kits go further and act as a reverse proxy: they relay each keystroke to the real site in real time, let the genuine login (including any one-time code) complete, and capture the resulting session cookie, so the attacker is logged in without ever needing the password again.
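The capture step can be checked statically: a login form's action attribute tells you which host receives the password, and on a cloned page the links and the form point at different places. The following script is an added example, not code from ScamVerify or from any phishing kit; the HTML sample, the domain m365-verify-login.example and the function names are constructed for illustration, and the Public Suffix List is approximated by taking the last two labels of a hostname.

```python
"""Where does this login page send the password?

Added example, not ScamVerify's code. Standard library only. The HTML below
is constructed to resemble the clone described in Step 3; it is not a real
phishing kit, and the hosting domain in it is made up.
"""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def site_of(host: str) -> str:
    """Last two labels of a hostname (the part someone had to register).

    Assumption: a production tool would consult the Public Suffix List so
    that names such as example.co.uk resolve to three labels.
    """
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class LoginFormParser(HTMLParser):
    """Collects every <form> with its <input> fields, plus every <a href>."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.links = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "fields": [],
                "has_password": False,
            }
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["fields"].append(a.get("name") or a.get("id") or "?")
            if (a.get("type") or "text").lower() == "password":
                self._form["has_password"] = True
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def analyze_login_page(html: str, page_url: str, expected_site: str) -> dict:
    """Compare where each password form posts with the site the user believes
    they are signing in to (expected_site, e.g. "microsoftonline.com").

    Only static <form action> targets are checked; a kit that submits with
    JavaScript (fetch/XMLHttpRequest) needs dynamic analysis instead.
    """
    parser = LoginFormParser()
    parser.feed(html)
    page_host = urlsplit(page_url).hostname or ""

    # Where the page's links go. On a clone, "Forgot password?" and similar
    # links usually point at the real brand while the form does not.
    link_sites = Counter()
    for href in parser.links:
        host = urlsplit(urljoin(page_url, href)).hostname
        if host:
            link_sites[site_of(host)] += 1

    report = {"page_site": site_of(page_host), "links_point_to": dict(link_sites), "forms": []}
    for form in parser.forms:
        if not form["has_password"]:
            continue  # username-first flows need a second pass; not covered here
        # An empty or relative action posts back to the page's own host, which
        # on a cloned page is the attacker's server.
        target_host = urlsplit(urljoin(page_url, form["action"])).hostname or page_host
        target_site = site_of(target_host)
        if target_site == expected_site:
            verdict = "consistent"
        else:
            verdict = f"password would be sent to {target_site}, not {expected_site}"
        report["forms"].append({
            "method": form["method"],
            "fields": form["fields"],
            "posts_to": target_host,
            "verdict": verdict,
        })
    return report


# Constructed sample: a Microsoft 365 look-alike; the hosting domain is invented.
CLONED_PAGE = """<!doctype html><html><body>
<form id="login" method="post" action="/api/collect.php">
  <input type="email" name="loginfmt" placeholder="Email, phone, or Skype">
  <input type="password" name="passwd">
  <button type="submit">Sign in</button>
</form>
<a href="https://login.microsoftonline.com/forgot">Forgot password?</a>
<a href="https://www.microsoft.com/privacy">Privacy</a>
</body></html>"""


if __name__ == "__main__":
    clone = analyze_login_page(CLONED_PAGE, "https://m365-verify-login.example/login", "microsoftonline.com")
    real = analyze_login_page(CLONED_PAGE, "https://login.microsoftonline.com/", "microsoftonline.com")
    for label, report in (("clone", clone), ("same markup on the real host", real)):
        print(label, "->", report["forms"][0]["verdict"], "| links:", report["links_point_to"])
```

Running the same markup twice, once as if hosted on the invented domain and once as if hosted on login.microsoftonline.com, makes the point of Step 3 concrete: nothing in the form itself is suspicious. What decides where the password goes is the domain the page is served from, which is why the address bar, not the page's appearance, is what to check.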

Step 4: Account Takeover

Fresh credentials are used immediately or sold within hours. Attackers may:

  • Drain bank accounts via transfers or purchases
  • Access email to reset passwords for other accounts
  • Harvest contacts for follow-up phishing campaigns
  • Steal corporate data from cloud storage or email archives
  • Sell credentials on dark web marketplaces (prices range from $1 for social media to $50+ for banking)

Why Credential Harvesting Is Hard to Detect

Visual Perfection

Modern phishing kits eliminate the quality gap that once made fake pages identifiable. AI tools can generate responsive, accessible clones that render identically across devices. There are no typos, broken images, or misaligned elements to trigger suspicion.

HTTPS Everywhere

Free TLS certificates from providers such as Let's Encrypt mean nearly every credential harvesting site shows the padlock icon. Our data shows 82% of phishing sites use HTTPS. The padlock means only that the connection to that server is encrypted; it says nothing about who runs the server.

Short Lifespan, High Volume

Most credential harvesting sites operate for only 24-72 hours before being reported and blocked. But in that window, they can capture hundreds or thousands of credentials. Attackers register new domains and deploy new sites continuously. The 74,032 domains in ScamVerify's URLhaus database represent snapshots of this constant cycle.

Evasion Technology

Advanced credential harvesting kits include:

  • Geofencing that shows the fake page only to visitors from the target country and serves a harmless page to everyone else
  • Bot detection that returns clean content to security scanners and known sandbox IP ranges, so an automated URL check sees nothing wrong
  • CAPTCHA gates that prevent automated analysis
  • Time-limited access that removes the page after a set number of hours, before most takedown requests are processed

The Scale of the Problem

Metric | Value | Source
ThreatFox IOCs tracked | 60,758 | abuse.ch
URLhaus malicious domains | 74,032 | abuse.ch
Phishing emails sent daily | 3.4 billion | Cybersecurity Ventures
Share of phishing emails that are AI-generated | 56% | Abnormal Security
Credential theft as initial access vector | #1 initial access method | Verizon DBIR

Credential theft is the most common initial access method in data breaches according to the Verizon Data Breach Investigations Report. A login with valid credentials looks like the legitimate user, so it passes firewalls, endpoint protection, and most network monitoring without triggering anything.

How to Protect Yourself

1. Never Click Login Links

Type the URL of the service directly into your browser, or use a bookmark you created yourself. Do not click login links in emails, texts, or messages, even if they appear to come from the actual service.

2. Use a Password Manager

Password managers offer saved credentials only when the site's domain matches the one the login was saved for. If you land on arnazon.com instead of amazon.com, the manager will not offer your Amazon login, and that silence is the warning: do not type the password by hand to "help" it. This is one of the most effective defenses against credential harvesting.

3. Enable Two-Factor Authentication

Even if your password is stolen, two-factor authentication (2FA) stops an attacker who has only the password. Prefer an authenticator app (Google Authenticator, Authy) over SMS codes, which can be intercepted or redirected through a SIM swap. Be aware that a one-time code can still be phished: a kit that relays your login to the real site in real time simply passes the code along. Where a service offers them, security keys or passkeys (FIDO2/WebAuthn) are phishing-resistant, because the browser binds the response to the real site's domain and will not produce one for a look-alike.

4. Check URLs Before Entering Credentials

Read the URL character by character before typing any password. The part that matters is the registrable domain: the last two labels (three for names like example.co.uk) immediately before the first slash after the scheme. Look for:

  • Letter substitutions (rn looks like m, l looks like 1, 0 looks like o)
  • Look-alike characters from other alphabets (a Cyrillic "а" in аmazon.com), which browsers may display in punycode as xn--...
  • Extra words (amazon-login-verify.com is not amazon.com)
  • Subdomain tricks (amazon.com.fake-site.com is actually fake-site.com)
  • Text before an @ sign (amazon.com@fake-site.com sends you to fake-site.com; the part before the @ is a username)
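Both the password-manager rule in point 2 and the URL checks in point 4 come down to extracting the registrable domain and comparing it exactly. The script below is an added example (not ScamVerify's code) that does this with the standard library; the multi-label suffix table and the confusable-sequence table are small constructed subsets of the real Public Suffix List and Unicode confusables data, and the domain names are the page's own examples or made up.

```python
"""Read a URL the way a password manager does.

Added example, not ScamVerify's code. Standard library only.
"""
from urllib.parse import urlsplit

# Assumption: a few multi-label public suffixes so that bbc.co.uk is treated
# as one registrable domain. The real Public Suffix List has thousands.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}

# Constructed: ASCII sequences that read as another letter in common fonts.
CONFUSABLE_SEQUENCES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("1", "l"), ("0", "o")]


def registrable_domain(host: str) -> str:
    """The part of the hostname someone had to register: amazon.com in
    www.amazon.com, fake-site.com in amazon.com.fake-site.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def would_autofill(saved_for: str, url: str) -> bool:
    """The password-manager rule: offer a saved login only when the page's
    registrable domain is exactly the one the login was saved for."""
    host = urlsplit(url).hostname or ""
    return registrable_domain(host) == registrable_domain(saved_for)


def inspect_url(url: str, brand_domain: str) -> dict:
    """Explain why a URL does or does not belong to brand_domain (e.g. amazon.com)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []

    if "@" in parts.netloc:
        findings.append(f"text before '@' is a username, not the host; the request goes to {host}")
    if not host.isascii():
        try:
            findings.append(f"non-ASCII hostname; its punycode form is {host.encode('idna').decode('ascii')}")
        except UnicodeError:
            findings.append("non-ASCII hostname that cannot be encoded as an IDN label")

    actual = registrable_domain(host)
    if actual == brand_domain:
        return {"host": host, "registrable_domain": actual, "verdict": "matches", "findings": findings}

    brand = brand_domain.split(".")[0]
    second_level = actual.split(".")[0]
    subdomain_labels = host.lower().split(".")[: -len(actual.split("."))]
    if brand in subdomain_labels:
        findings.append(f"subdomain trick: '{brand}' appears in the subdomain, but the site is {actual}")
    if brand in second_level and second_level != brand:
        findings.append(f"extra words: '{second_level}' is not '{brand}'")
    normalized = second_level
    for seq, letter in CONFUSABLE_SEQUENCES:
        normalized = normalized.replace(seq, letter)
    if normalized == brand and second_level != brand:
        findings.append(f"confusable spelling: '{second_level}' reads as '{brand}'")
    if not findings:
        findings.append(f"unrelated domain {actual}")
    return {"host": host, "registrable_domain": actual, "verdict": "does not match", "findings": findings}


if __name__ == "__main__":
    for candidate in (
        "https://www.amazon.com/ap/signin",
        "https://arnazon.com/ap/signin",
        "https://amazon-login-verify.com/",
        "https://amazon.com.fake-site.com/login",
        "https://amazon.com@fake-site.com/login",
        "https://\u0430mazon.com/",  # Cyrillic a, constructed look-alike
    ):
        result = inspect_url(candidate, "amazon.com")
        print(candidate, "->", result["verdict"], "; ".join(result["findings"]))
```

The confusable check deliberately fires only when the substituted spelling equals the brand name, so an unrelated site whose name happens to contain "rn" is not flagged; the cost of that choice is that it needs the brand you intended to visit, which is exactly the piece of context a password manager has and a hurried reader does not.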

5. Verify Suspicious URLs With ScamVerify

Run any URL through the website checker before entering credentials. ScamVerify checks against 74,032 URLhaus domains and 60,758 ThreatFox IOCs in real time.


What to Do If You Entered Credentials on a Fake Site

  1. Change the password immediately on the real service, reached by typing its address yourself
  2. Enable 2FA if you have not already
  3. Check the account's login history for unauthorized activity and sign out all other sessions, since a password change does not always end sessions the attacker already opened
  4. Change the password anywhere else you used the same credentials
  5. Monitor for follow-up attacks: the attacker may use your email to reset other accounts, so also check your mailbox for forwarding rules or filters you did not create

FAQ

How do I know if a login page is real or fake?

Check the URL carefully. The domain should exactly match the service you are trying to log into (e.g., accounts.google.com, not google-login.com). Use a password manager, which will refuse to auto-fill on a non-matching domain. When in doubt, navigate directly to the service by typing the URL.

Can credential harvesting happen on mobile?

Yes, and mobile devices make it easier for attackers. Smaller screens show only the start of a long URL, the address bar scrolls out of view, and touch interactions give you no hover preview of a link before tapping. Be especially cautious with login links received via text message or social media on mobile devices.

What is the difference between credential harvesting and malware?

Credential harvesting tricks you into voluntarily entering your information on a fake page. No software is installed on your device. Malware is software that installs on your device (often without your knowledge) to steal data, monitor activity, or provide remote access to attackers. Both can result in credential theft, but through different mechanisms.

Do strong passwords help against credential harvesting?

A strong password does not protect you if you enter it on a fake site. The strength of the password is irrelevant because the attacker captures exactly what you type. However, using unique passwords for every service (via a password manager) limits the damage, because a stolen password for one site cannot be reused to access others.
