How it works
A harvesting page copies a brand login screen and captures whatever the victim types, sometimes relaying it to the real site in real time to defeat multi-factor authentication. The stolen credentials are then used directly, sold, or fed into credential-stuffing tools against other services.
These pages are mass-produced with phishing kits and hosted on lookalike or compromised domains.
How it relates to brand impersonation
Credential harvesting is the payoff of most brand-impersonation phishing: your login page, faked, to steal your customers' access. Taking the page down stops the collection.
How nebty helps
nebty detects harvesting pages impersonating your login and takes them down on demand, with blacklisting in parallel so users are warned during the takedown.
Takedown service
Why MFA is not a complete answer
Harvesting used to be simple: a fake login captured a username and password, and turning on multi-factor authentication largely defeated reuse of what was stolen. Attackers adapted. Modern harvesting kits sit between the victim and the real site and relay the login in real time, so the victim completes the genuine MFA step (a one-time code, a push approval) against the real service, and the kit captures the session cookie or token the site issues afterwards. That cookie logs the attacker in with MFA already satisfied, so the stolen password never has to be replayed. This is why phishing-resistant methods such as passkeys and hardware security keys matter: the browser binds the signed login to the origin the user is actually on, and the authenticator binds it to the site's relying-party identifier, so a credential registered for the real domain will not produce a valid assertion on a lookalike, even if the kit forwards every byte. For everyone else, the page itself is the weak point: it lives on a lookalike or compromised domain that monitoring can detect, and taking it down, with blacklisting in parallel, stops the collection regardless of which MFA the victims were using.
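The domain binding described above, as an added example (this is illustrative code written for this page, not nebty's software and not a real relying-party implementation). It models the two checks that defeat a relay kit: the browser only honours a relying-party ID that matches the site the user is on, and the relying party checks that `clientDataJSON.origin` and the `rpIdHash` in `authenticatorData` are its own. The relying-party identity, the lookalike domain and the assertion bytes are all constructed for the example; signature verification over `authenticatorData || SHA-256(clientDataJSON)` is assumed to happen separately and is not shown, and the browser's registrable-suffix rule is simplified to a plain suffix match without a public-suffix list.

```python
"""Added example: why a passkey login cannot be relayed from a lookalike domain.

Constructed relying party: login.example.com with RP ID example.com.
Constructed lookalike: login-example.com (a phishing kit relaying the real site).
"""
from __future__ import annotations

import base64
import hashlib
import json
import secrets
from urllib.parse import urlparse

# Hypothetical relying-party identity (assumption, not taken from the page).
RP_ID = "example.com"
EXPECTED_ORIGINS = {"https://login.example.com"}

# authenticatorData prefix: rpIdHash (32 bytes) | flags (1) | signCount (4)
FLAG_USER_PRESENT = 0x01


def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_allows_rp_id(origin: str, rp_id: str) -> bool:
    """Simplified browser rule: the requested RP ID must be the page's host or a
    suffix of it. (Real browsers also consult the public-suffix list.)"""
    host = urlparse(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """What the browser writes into clientDataJSON: the origin it is really on."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str, sign_count: int = 1) -> bytes:
    """What the authenticator signs over: a hash of the RP ID it was asked for."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([FLAG_USER_PRESENT])
            + sign_count.to_bytes(4, "big"))


def verify_assertion(client_data: bytes, auth_data: bytes,
                     expected_challenge: bytes) -> tuple[bool, str]:
    """Relying-party checks for type, challenge, origin, rpIdHash and user presence
    (signature check over auth_data || sha256(client_data) omitted here)."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    got = str(cd.get("challenge", "")).encode()
    if not secrets.compare_digest(got, b64url(expected_challenge).encode()):
        return False, "challenge mismatch"
    if cd.get("origin") not in EXPECTED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} is not the relying party"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if not secrets.compare_digest(auth_data[:32],
                                  hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash does not match the RP ID"
    if not auth_data[32] & FLAG_USER_PRESENT:
        return False, "user presence flag not set"
    return True, "ok"


def simulate_login(page_origin: str, rp_id_requested: str) -> tuple[bool, str]:
    """Run one login ceremony: the page at page_origin asks for rp_id_requested,
    and whatever the browser produces is forwarded unchanged to the real site."""
    challenge = secrets.token_bytes(32)          # issued by the real site
    if not browser_allows_rp_id(page_origin, rp_id_requested):
        return False, f"browser refused RP ID {rp_id_requested!r} on {page_origin}"
    client_data = make_client_data(page_origin, challenge)
    auth_data = make_authenticator_data(rp_id_requested)
    return verify_assertion(client_data, auth_data, challenge)


if __name__ == "__main__":
    for origin, rp in [("https://login.example.com", "example.com"),
                       ("https://login-example.com", "example.com"),
                       ("https://login-example.com", "login-example.com")]:
        print(origin, rp, simulate_login(origin, rp))
```

The genuine login passes. A kit on the lookalike that asks the browser for the real RP ID is refused before any assertion exists; a kit that asks for its own domain as RP ID gets an assertion whose origin and `rpIdHash` do not match the real site and is rejected on arrival. Neither outcome depends on the victim noticing anything, which is the property a one-time code or push approval does not have.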
See who is impersonating your brand
The free nebty report scans the web for lookalike domains and fake profiles targeting your brand, with no obligation.
Get your free report