Podcast Summary: Who’s Logging In? [OMITB]
Podcast: Hacking Humans – Only Malware in the Building (Cyberwire/N2K Networks)
Date: April 7, 2026
Main Theme:
This episode dives into the growing trend of cyber threat actors targeting digital identity rather than relying solely on malware or software exploits. With high-profile reports and recent disruptions to major phishing gangs, the panel discusses the reasons behind this shift, the mechanics of identity-focused attacks, and the evolving landscape of defense—especially regarding multifactor authentication (MFA) and public-private law enforcement partnerships.
Episode Overview
- The hosts (Selena Larson, Keith Milarsky, Dave Bittner, and others) analyze the cybercrime world’s shift from exploiting software vulnerabilities and malware to targeting identities, credentials, and session tokens.
- Discussion centers around reports from Sophos, SpyCloud, Red Canary, and major security incidents (like Tycoon MFA phishing kit takedown).
- The episode addresses how MFA, while widespread, is being bypassed, and how identity is rapidly becoming the “new perimeter” in cybersecurity.
- Law enforcement/private sector collaboration and operational impacts on the criminal ecosystem are hot topics.
Key Discussion Points & Insights
1. Identity as the New Frontier in Cybersecurity
- Recent Reports Highlight the Shift: Attackers increasingly pursue credential and identity theft rather than deploying malware or exploiting vulnerabilities.
- Sophos' 2026 Active Adversary Report: Identity-related root causes in breaches have increased every year since 2022.
- [03:37] “Identity related root causes as percentage of cases have increased every year since 2022…” — Selena
- SpyCloud: Reported a 23% increase in its “recaptured identity data” lake, which now holds over 65 billion records.
- Red Canary: Detected an 850% increase in identity threat detections YoY; identity-based threats now over half of confirmed threats.
- Why the Shift?
- Enhanced malware defenses (EDR, patching) make “logging in” a path of least resistance.
- Attackers leverage abundant stolen credentials and session tokens from infostealers and underground data dumps.
- “Identity is the new perimeter.” — Keith [05:16]
- Memorable Quote:
- [05:16] Keith: “We’re just seeing the threat actors, hey, instead of having to hack in using exploit, why don’t we just log in as that person?”
2. How Identity Attacks Work Now
- Credential Stuffing and Token Hijacking
- Attackers use compromised credentials (414 billion or more) to bypass traditional defenses.
- Info-stealer malware harvests not just usernames/passwords but entire authenticated browser sessions, MFA tokens, cookies, VPN, and API keys.
- Notable Statistic
- [08:45] Keith: “The average device that gets popped with one of these infostealers...has 87 different stolen credentials on it.”
- Macros & Initial Access Vectors
- Legacy methods (macro malware in email) are declining due to tighter Microsoft restrictions. Attackers pivot accordingly.
- [06:50] Selena: “We see this shift right away from easy low hanging fruit to identity...”
3. MFA (Multi-Factor Authentication) – Not a Bulletproof Shield
- Phishing Kits & Bypassing MFA
- Modern phishing kits (e.g., Tycoon) effectively steal MFA credentials via “man-in-the-middle” phishing, or by socially engineering users to fall back to less secure methods.
- [13:34] Selena: “49% of organizations experienced account takeover attempts...67% experienced a successful account takeover...59% of those had MFA enabled.”
- Physical Security Keys
- Hardware keys (like FIDO) are still highly effective but are not immune to indirect bypass via social engineering.
- [14:14] Selena: “Yes, a physical key? Because threat actors are becoming so much more creative...there are ways to kind of trick it. Not necessarily bypassing a physical key, but...using social engineering to get someone to use a less secure method of logging in.”
4. The Tycoon 2FA Phishing Kit Takedown
- Case Study Highlight:
- Tycoon was the single largest MFA phishing-as-a-service platform, highly popular with threat actors for its ease of use and support.
- Coordinated takedown involved major industry and law enforcement players: Proofpoint, Microsoft, Europol, Cloudflare, Coinbase, and others.
- Significance: The event signals the growing seriousness with which industry and law enforcement view credential phishing.
- [22:26] Selena: “It was a coordinated effort between public and private partners...There was this coordinated effort between public and private with law enforcement from Europol in different countries...It signals to the bad guys: we are taking this seriously now.”
5. Why Going After Credential Phishing Matters
- Historically Overlooked: Phishing kits have lacked the “cool” factor of malware or zero-day exploit research but are now recognized as a major threat vector.
- Takedowns have Psychological Impact:
- [27:26] Keith: “Oh, it makes them paranoid...for two weeks, they just go utterly paranoid because they're wondering whether the hammer is gonna drop on them, who's getting flipped.”
- Publicizing takedowns helps deter and disrupt criminal communities.
- Next Targets:
- Identity access brokers (“bouncers” of cybercrime) and traffic distributors are the nodes enabling mass credential compromise.
- [29:02] Keith: “...how to make that impact on that identity space is I'd be targeting the identity access brokers…”
6. Defensive Best Practices and the Ongoing “Identity War”
- Zero Trust & Conditional Access
- Segmentation, least privilege, allowlisting, and granular conditional access policies are becoming baseline requirements.
- [21:05] Selena: “Conditional access policies are also super important...to make it so that you have the picture of the person who should be logging in.”
- Managing Privileges and Secrets
- Privileged account sprawl, poor secrets management, and long-lived tokens are persistent headaches.
- [21:38] Dave: “Privilege sprawl is something you gotta keep an eye out for as well...”
- Physical/Biometric Security
- Hardware tokens, facial, and fingerprint authentication are the next frontiers—but bring privacy and data exposure risks.
- [35:29] Selena: “Moving towards FIDO...opens up a whole can of privacy and potential what happens if that data gets leaked?”
- Awareness & Collaboration
- Security teams now see credential phishing as a top threat; community recognition and cross-sector collaboration are critical.
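The controls listed in this section (conditional access, limited session lifetimes, a preference for strong factors) can be expressed as checks over sign-in telemetry. The following is an added illustration written for this summary, not code from the podcast or from any of the vendors it discusses. It evaluates a small set of constructed sign-in events against three hypothetical policy rules: a session token presented from a device or network other than the one it was issued on (the token-hijacking pattern described in section 2), a token older than its allowed lifetime, and a user who normally satisfies a strong factor suddenly signing in with a weak or absent one (the downgrade pattern described in section 3). Field names, ASN values and the 12-hour lifetime are assumptions chosen for the example.

```python
"""Policy checks over sign-in events for identity-centric abuse patterns:
session-context mismatch, overlong token lifetime, and MFA downgrade.
All data and field names below are constructed for illustration."""
from datetime import datetime, timedelta

# Hypothetical factor classes; a real deployment would map its IdP's method names here.
STRONG_MFA = {"fido2", "push"}
WEAK_MFA = {"sms", "voice", "none"}


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sign-in events. Each successful sign-in presents a session token;
# the issued_* fields record the context in which that token was originally minted.
EVENTS = [
    {"id": 1, "user": "alice", "time": _t("2026-04-07T09:00:00"), "mfa": "fido2",
     "device": "lap-01", "asn": 64500, "token": "tokA",
     "issued_at": _t("2026-04-07T09:00:00"), "issued_device": "lap-01", "issued_asn": 64500},
    # tokA replayed from an unknown device on a different network, no factor prompted
    {"id": 2, "user": "alice", "time": _t("2026-04-07T11:30:00"), "mfa": "none",
     "device": "unk-77", "asn": 64999, "token": "tokA",
     "issued_at": _t("2026-04-07T09:00:00"), "issued_device": "lap-01", "issued_asn": 64500},
    # tokB is two days old: a long-lived session that should have expired
    {"id": 3, "user": "bob", "time": _t("2026-04-08T08:00:00"), "mfa": "push",
     "device": "lap-02", "asn": 64500, "token": "tokB",
     "issued_at": _t("2026-04-06T08:00:00"), "issued_device": "lap-02", "issued_asn": 64500},
    # bob normally uses push but this sign-in used SMS
    {"id": 4, "user": "bob", "time": _t("2026-04-08T08:10:00"), "mfa": "sms",
     "device": "lap-02", "asn": 64500, "token": "tokC",
     "issued_at": _t("2026-04-08T08:10:00"), "issued_device": "lap-02", "issued_asn": 64500},
]


def evaluate(events, max_token_age=timedelta(hours=12)):
    """Return (event id, reason) pairs, in time order, for sign-ins that violate policy."""
    findings = []
    last_strong = {}  # user -> True once a strong factor has been observed for that user
    for e in sorted(events, key=lambda x: x["time"]):
        # Rule 1: token presented from a device or network it was not minted on
        if e["device"] != e["issued_device"] or e["asn"] != e["issued_asn"]:
            findings.append((e["id"], "session-context-mismatch"))
        # Rule 2: token older than the allowed session lifetime
        if e["time"] - e["issued_at"] > max_token_age:
            findings.append((e["id"], "token-too-old"))
        # Rule 3: a user with a strong-factor history signs in with a weak or absent factor
        if e["mfa"] in WEAK_MFA and last_strong.get(e["user"]):
            findings.append((e["id"], "mfa-downgrade"))
        if e["mfa"] in STRONG_MFA:
            last_strong[e["user"]] = True
    return findings


if __name__ == "__main__":
    for event_id, reason in evaluate(EVENTS):
        print(f"event {event_id}: {reason}")
```

Rule 1 is the check a conditional-access policy makes when it binds a session to the device and network it was issued on; rule 2 is the "expire tokens" recommendation made concrete; rule 3 looks for the fallback-to-weaker-method behaviour the hosts describe, which only becomes visible when the user's normal factor is tracked over time.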
Notable Quotes & Memorable Moments
- On the Data Explosion:
[05:16] Keith: “Compromised credentials...It's like 414 billion...and that's just not like combo lists and malware logs and cookies. There's just so much...out there...Instead of having to hack in using an exploit, why don’t we just log in as that person?”
- On Real-World Impacts:
[10:49] Selena: “Now it’s like, well, data theft and extortion is a lot more of that business model. Do you think that at all had a role in the sort of focus on identity?”
- On MFA Effectiveness:
[13:34] Selena: “Of those account takeovers, 59%...had MFA enabled.”
- On Social-Engineering MFA Bypasses:
[15:07] Keith: “That’s what we’re seeing with the Scattered Spider guys...they’re following that up with a phone call to IT...hey, I’m having trouble logging in, or my MFA isn’t working. Can I reset it?”
- On Takedown Impacts:
[27:26] Keith: “It makes them paranoid...they just go utterly paranoid because they're wondering whether the hammer is gonna drop on them, who's getting flipped.”
- Crypto’s Double-Edged Sword:
[32:50] Selena: “… talking about the timeline of cybercrime in 2013, 2014, whenever Bitcoin was invented, I had, in parentheses, huge mistake…you have all this money just moving around, but the thing is, too, it's traceable.”
Key Timestamps & Segments
- [02:17–05:16] Introduction to identity attacks, major industry report highlights
- [05:16–10:05] Data explosion, credential theft, and why "logging in" is now the new attack vector
- [10:05–13:34] Role of ransomware's evolution in changing attack focus, and the limits of traditional defenses
- [13:34–16:25] MFA effectiveness and rise of phishing kits like Tycoon
- [16:25–18:37] The Tycoon phishing-as-a-service case study and takedown overview
- [19:51–22:26] Shifting defense to zero trust, conditional access, and privilege management
- [22:26–26:59] The significance of public/private partnerships; why credential phishing matters
- [27:26–29:53] Psychological and strategic impact of high-profile takedowns
- [29:55–31:46] Targeting the “bouncers”—identity access brokers and criminal ecosystem nodes
- [32:25–35:29] Cryptocurrency’s impact, and what’s next for authentication
- [35:29–38:16] Practical next steps, balancing technology, privacy, and researcher awareness
Tone & Style
- Engaging and slightly humorous, with playful banter (e.g., opening with technical difficulties and chipmunk voices).
- Conversational but expert-focused, combining anecdotes from law enforcement and real-world CISOs with hard statistics and trend analysis.
- Practical, forward-looking—emphasizes both day-to-day mitigation and strategic disruption of cybercrime infrastructure.
Quick Takeaways for Listeners
- Identity and credential theft now surpass malware and exploits as the primary way cybercriminals access organizations.
- MFA alone is no longer enough; phishing kits and info stealers have adapted.
- Zero trust architecture, granular access controls, session expiration, and physical keys are increasingly vital.
- High-impact takedowns (like Tycoon) affect both the mindset and business operations of cybercriminals.
- Collaboration between private sector and law enforcement—combined with sharing intelligence and publicizing disruptions—is crucial for meaningful progress.
Recommended Next Steps:
- Assess privilege and session management in your organization—review secrets, expire tokens, and implement conditional access.
- Treat credential phishing as a top-tier threat—train users, deploy advanced detection, and consider hardware authentication.
- Stay informed and support public/private intelligence-sharing initiatives to keep up with evolving criminal tactics.
Memorable Closing:
[38:16] D: “Next time, next time, who am I?”
[38:20] B: “Why are we the way we are is still the question that we will never be able to answer. But this was a lot of fun.”
—
For more insights, connect with the hosts on LinkedIn or respond to their ongoing call for real-world identity security stories.