The Exploit: Anatomy of a Modern Cyber Heist Part 1 - The Leak in the Shadows

The U.S. financial services sector logged 739 data compromises in 2025, according to the Identity Theft Resource Center's annual report. Attackers are getting more selective. They skip the mass-spray campaigns and focus on high-value targets. Mortgage companies sit at the top of that list.

Welcome to part one of The Exploit, a fictional series built on real attack patterns. Every tactic described here has been used against real financial institutions. Take notes. Chad's mistake could be yours.

This is Part 1 of a three-part series. Read Part 2: The Perfect Phish and Part 3: The Clone Trap.


The Setup: How Breaches Start on the Dark Web

It was a quiet Tuesday morning at CYA Finance. Coffee burbled in the corner. Papers shuffled across desks. Nobody suspected a thing.

Chad Meyers, a mid-level operations manager, was halfway through his second cup. His mind drifted between emails and the new craft brewery down by the waterfront. CYA Finance was a solid place to work. Leadership took cybersecurity seriously. Firewalls were in place. Passwords rotated quarterly. Remedial training videos reminded everyone that "cybersecurity is everyone's responsibility."

None of it mattered.

A threat actor called NullGhost had been scanning underground forums and breached credential dumps. This was routine. Just sweeping for low-hanging fruit. That sweep turned up an old database from a defunct webinar platform. Among millions of leaked emails and hashed passwords, one stood out:

chad.m@cyafinance.com

The password hash was weak. Crackable. Within minutes, NullGhost had the plaintext: a variation of the company name and the year Chad got hired.

The Research Phase: Building a Target Profile

NullGhost did not rush. Patient predators rarely do.

A quick social media scan showed Chad had recently posted about closing a major refinance project. Celebration post. Vendor shoutout. A proud mention of hitting quarterly goals.

"Big things coming soon. Couldn't have done it without my team and our awesome partners."

NullGhost dug deeper. A vendor mentioned in comments. A photo at a work happy hour with an ID badge partially visible. A humble brag about moving up from assistant manager the year before. Enough data to build a weaponized profile.

The financial services sector accounts for 27.7% of all phishing attempts. This type of reconnaissance explains why. Attackers do not need zero-day exploits. They need regular people and a little too much public information.

The Lesson Hiding in Plain Sight

This was textbook reconnaissance. The kind companies rarely see coming because the data is not behind a firewall. It sits in the open, scattered across LinkedIn, social platforms, and old breach dumps.

Over 80% of hacking-related breaches involve stolen or weak passwords. The 2025 IBM Cost of a Data Breach Report puts the average breach cost at $4.4 million. For a mid-size mortgage company, that number can be fatal.

And this is how attacks begin. Not with sophisticated code. With people.

How This Could Have Been Avoided

Monitor the dark web for exposed credentials. Professional monitoring services scan breach dumps and underground forums for your company's email domains. They alert you before attackers can act. If CYA Finance had this in place, Chad's compromised credentials would have been flagged and reset weeks before NullGhost found them.

Restrict what employees share online. Social media is a goldmine for attackers. Job titles, vendor relationships, project milestones, and office photos all feed into reconnaissance profiles. Establish clear policies about what company details are off-limits for public posting.

Train employees to think like attackers. That Wi-Fi password on the whiteboard? An ID badge visible in a photo? A "secure" login credential shared between coworkers? Each one is a vector. Train staff to spot these exposures in their daily environment.

Enforce credential hygiene policies. Unique passwords for every platform. Password managers for every employee. Regular audits of credentials tied to your company domain. The FTC Safeguards Rule now requires mortgage lenders to implement multi-factor authentication for anyone accessing customer information. This is not optional.
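
One concrete form of the credential hygiene check described above is a policy filter that rejects passwords built from context-specific words, which is exactly the pattern NullGhost cracked here (a company-name variation plus a hire year). This is an added example, not code from the article or from Mortgage Workspace; the company terms and sample passwords are constructed for illustration.

```python
import re

# Common character substitutions undone before comparing against blocked terms.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed example values for the article's fictional lender, not real data.
# A very short term like "cya" widens coverage at the cost of false positives.
COMPANY_TERMS = ("cyafinance", "cya")


def normalize(password: str) -> str:
    """Lowercase, undo leet substitutions and drop separators,
    so 'CyA-F1n@nce' compares as 'cyafinance'."""
    return re.sub(r"[^a-z0-9]", "", password.lower().translate(LEET))


def context_weaknesses(password, company_terms=COMPANY_TERMS,
                       hire_year=None, min_length=12):
    """Return the context-specific policy violations found in a password.

    Codes: too_short, company_term, year, hire_year. An empty list means the
    password passed these checks; a breached-password list check still
    belongs on top of this filter."""
    problems = []
    if len(password) < min_length:
        problems.append("too_short")
    norm = normalize(password)
    # Compare against the separator-free form of each blocked term.
    if any(re.sub(r"\s+", "", t) in norm for t in company_terms):
        problems.append("company_term")
    # Year detection uses the plain lowercase string: LEET remaps digits
    # such as 0 and 1, which would hide '2019' in the normalized form.
    plain = password.lower()
    if re.search(r"(?:19|20)\d{2}", plain):
        problems.append("year")
    if hire_year is not None and str(hire_year) in plain:
        problems.append("hire_year")
    return problems


if __name__ == "__main__":
    # Constructed candidates: the first mirrors the cracked password's shape.
    for candidate in ("CyA-F1n@nce2019", "Cy@F!nance", "Harbor!Kettle!Quartz9"):
        print(candidate, "->", context_weaknesses(candidate, hire_year=2019) or "ok")
```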

Prevent It Before It Starts

Chad had no idea his old password was compromised. He did not know his vendor post and job title gave hackers a ready-made target. NullGhost knew. And they were just getting started.

The mortgage industry saw over 47 million Americans' data exposed between 2023 and 2025 across a wave of targeted breaches. LoanDepot lost 16.6 million customer records. Mr. Cooper exposed data dating back to 2001. SitusAMC, a vendor serving JPMorgan Chase, Citi, and Morgan Stanley, was breached in November 2025, exposing mortgage loan data across hundreds of financial institutions.

These attacks share a pattern. They start with leaked credentials or exposed employee information. They escalate through social engineering. They succeed because organizations invest in perimeter defenses while ignoring the human layer.

Proactive prevention beats reactive cleanup. Multi-factor authentication, dark web monitoring, credential rotation, and employee training form the baseline. But they only work when configured, maintained, and monitored continuously.

That is exactly what a managed service provider built for financial institutions does. Mortgage Workspace, backed by Access Business Technologies, serves 750+ financial institutions with a pure Microsoft security stack. No third-party MSP tools that add supply chain risk. Guardian, ABT's control layer, handles tenant hardening, continuous monitoring, and compliance drift detection across the Microsoft 365 environment.

Coming up in Part 2: The Perfect Phish

Someone is about to get an invoice they cannot ignore. And it is not from who they think.


Talk to a Mortgage IT Specialist

Your credentials may already be circulating on the dark web. Contact Mortgage Workspace to assess your exposure and build a defense that starts before the attack does.


Frequently Asked Questions

How do dark web monitoring tools protect mortgage companies from credential theft?

Dark web monitoring tools continuously scan underground forums, auction sites, and breached credential databases for email addresses tied to your company domain. When a match is found, your IT team receives an alert so compromised credentials can be reset before attackers exploit them. For mortgage companies handling sensitive borrower data, this early warning system is a frontline defense against breaches that start with stolen passwords.

What percentage of cyberattacks on financial institutions begin with phishing?

An estimated 91% of cyberattacks begin with a phishing email, and the financial services sector accounts for 27.7% of all phishing attempts globally. For mortgage companies, these attacks frequently appear as business email compromise schemes designed to redirect wire transfers or steal login credentials for loan origination systems. The FBI reported over 859,000 internet crime complaints in 2024 with losses exceeding $16 billion.

Why are mortgage companies high-value targets for cybercriminals?

Mortgage companies store some of the most sensitive personal and financial data available: Social Security numbers, bank account details, tax returns, employment records, and complete credit histories. This data retains value for years. When Mr. Cooper was breached in 2023, attackers accessed records dating back to 2001. The combination of high-value data, complex vendor relationships, and regulatory pressure makes mortgage lenders a prime target.

What does the FTC Safeguards Rule require from mortgage lenders regarding cybersecurity?

The updated FTC Safeguards Rule requires mortgage lenders to designate a qualified individual to oversee security, conduct documented risk assessments, implement multi-factor authentication for all system access, encrypt data at rest and in transit, perform regular penetration testing, and maintain a written incident response plan. Lenders must also report breaches affecting 500 or more consumers to the FTC within 30 days of discovery.
