Half of accounts compromised in phishing attacks are manually accessed within 12 hours of the username and password being leaked, as cyber criminals look to exploit stolen credentials as quickly as possible.
Cybersecurity researchers at Agari planted thousands of credentials – that were made to look like they belonged to real users, but were in fact of under the control of the researchers – onto websites and forums popular for dumping stolen usernames and passwords.
The false credentials – seeded over the course of six months – were designed to look like compromised logins for well-known cloud software applications.
SEE: Network security policy (TechRepublic Premium)
Researchers found that the accounts are actively accessed within hours of the login credentials being posted online on phishing websites and forums.
“About half of of the accounts were accessed within 12 hours of us actually seeding the sites. 20% are accessed within an hour and 40% are accessed within six hours. That really shows you how quickly a compromised account is exploited,” Crane Hassold, senior director of threat research at Agari, told ZDNet.
Almost all of the accounts were accessed manually. That might be a mundane task, but it ultimately proves useful for cyber criminals as they can accurately test if the credentials do really work.
“It’s a pretty tedious process I’m sure on their end, but they’re getting a lot of good information from it and they’re using the accounts in a variety of different ways for different types of malicious activity,” said Hassold.
For example, by accessing an account, an attacker can attempt to find sensitive information in people’s email inboxes, or even their cloud storage software, which could be stolen and either used to help further attacks or sold on.
There’s also the possibility that the attackers could use the compromised accounts to conduct other attacks, such as phishing or business email compromise (BEC) attacks, using the compromised account in order to launch further campaigns.
One attacker attempted to use a compromised account to conduct BEC attacks against the real estate sector, launching emails that would have attempted to redirect victims to a website to steal login details of real estate companies. However, in this case, because the fake credentials were controlled by researchers, none of the attempted emails actually arrived at their intended destinations.
However, it demonstrates how cyber criminals take compromised credentials and attempt to exploit them in order to gain access to additional accounts.
“Where you have credential phishing, it leads to a compromised account, which leads to more credential-phishing campaigns, which leads to more compromised accounts and so on,” said Hassold.
While compromised accounts are accessed quickly, the research found that they’re often abandoned after about a week – although by this time it’s likely that’s because the attackers have moved onto other accounts, perhaps after using the initial account as a stepping stone to get there.
Organisations can take precautions to defend their users, cloud applications and the wider network from phishing and other attacks. One of these is having appropriate defences in place, like antivirus software or a spam filter.
Meanwhile, using multi-factor authentication can help prevent compromised accounts from being exploited, as it makes it much harder for an attacker to use – while also alerting the victim that something is wrong.