Agari made the observations after a six-month-long investigation of more than 8,000 credential phishing sites impersonating Microsoft Account, Microsoft Office 365, and Adobe Document Cloud sites.
Hackers accessed half of all compromised accounts within 12 hours, according to cyber defense firm Agari. The firm also noted that threat actors accessed more than nine out of ten compromised accounts within the first seven days.
Threat actors accessed compromised accounts almost immediately
Threat actors accessed 91% of compromised accounts within seven days, according to the Agari Cyber Intelligence Division (ACID).
Nearly a fifth (18%) of the compromised accounts were accessed within 1 hour, 40% within six hours, and 50% within the first 12 hours. The team also discovered activity in 40% of all compromised accounts within six months.
However, hackers accessed 64% of the compromised accounts only once, while some were accessed repeatedly over time.
“In fact, one account was accessed 94 times over a four-and-a-half-month period, a great example of the persistent and continuous access cybercriminals maintain on compromised email accounts,” the report authors noted.
Agari researchers also discovered that close to a quarter (23%) of credential phishing sites used automated credential validation techniques. By contrast, 92% of compromised accounts were accessed manually by threat actors, regardless of whether the credentials had been automatically validated.
The researchers suggested that most of the sites performing automated credential validation had been built from the same kits.
“Notably, a vast majority of this auto-validation activity came from a small number of phishing site families—phishing sites that are linked to each other based on similar unique characteristics.” More than a third of auto-validation activity was linked to a Russian IP address, 2a00:1838:2a:1505:c267:afff:fe70:f4de.
Some of it was also linked to phishing kits developed by a threat actor named “MIRCBOOT.” The threat actor sells logs for prices ranging between $8 and $100 depending on the country, and had advertised the kits on Telegram channels and a Russian-speaking hacking forum.
Threat actors use compromised accounts for business email compromise
The investigation discovered that attackers tried to identify high-value targets with access to a company’s financial information or payment system after gaining access to the compromised accounts. Using these accounts, they could pinpoint vendors and send convincing credential phishing messages and BEC attacks.
“Business email compromise (BEC) remains the most prevalent threat in email security, and when cyber criminals gain access to legitimate email accounts, the problem is magnified,” noted Agari founder and HelpSystems executive strategy director Patrick Peterson. Scammers also created forwarding rules to view incoming and outgoing messages. They also leveraged other applications such as Microsoft OneDrive and Microsoft Teams to create BEC credential phishing infrastructure.
Additionally, they used compromised accounts “to register for a variety of services that will allow them to perform reconnaissance and lead generation, deliver emails, host malicious pages, or create malicious documents.”
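The forwarding rules described above are one of the few post-compromise actions that leave a durable audit trail, which makes them a practical detection point for defenders. The Python below is an added example, not code from the Agari report or from any Agari tooling: it scans mailbox-rule and mailbox-forwarding changes and flags those whose target lies outside the organisation's own domains, noting when the rule also deletes the original message. The log format is a constructed assumption loosely modelled on Microsoft 365 unified audit log records for Exchange cmdlets, and every address, user and timestamp in it is invented for the example.

```python
import json
from typing import Dict, Iterable, List

# Constructed sample records (one JSON object per line), loosely modelled on
# Microsoft 365 unified audit log entries for Exchange cmdlets. The field
# names and every value here are assumptions made for this example.
SAMPLE_LOG = """\
{"CreationTime": "2021-06-01T09:12:41", "UserId": "alice@example.com", "Operation": "New-InboxRule", "Parameters": [{"Name": "Name", "Value": "Invoices"}, {"Name": "ForwardTo", "Value": "collector@attacker-mail.example"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"CreationTime": "2021-06-01T10:03:05", "UserId": "bob@example.com", "Operation": "New-InboxRule", "Parameters": [{"Name": "Name", "Value": "Newsletter"}, {"Name": "MoveToFolder", "Value": "Reading"}]}
{"CreationTime": "2021-06-01T11:40:22", "UserId": "carol@example.com", "Operation": "Set-Mailbox", "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:carol.personal@webmail.example"}, {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}
{"CreationTime": "2021-06-01T12:15:00", "UserId": "dave@example.com", "Operation": "Set-InboxRule", "Parameters": [{"Name": "Name", "Value": "Team"}, {"Name": "RedirectTo", "Value": "eve@example.com"}]}
"""

# Domains the organisation owns; mail forwarded anywhere else is "external".
INTERNAL_DOMAINS = {"example.com"}

# Cmdlets that can create or change forwarding, and the parameters that
# carry a forwarding target. A tuple keeps the scan order deterministic.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress")


def parse_records(text: str) -> List[Dict]:
    """Parse newline-delimited JSON audit records into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _params(record: Dict) -> Dict[str, str]:
    """Flatten the cmdlet parameter list into a name -> value mapping."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def is_external(address: str, internal_domains: Iterable[str]) -> bool:
    """True if an SMTP address belongs to a domain outside the organisation."""
    addr = address.strip().lower()
    if addr.startswith("smtp:"):          # Exchange prefixes some targets this way
        addr = addr[len("smtp:"):]
    if "@" not in addr:                   # folder names, display names etc.
        return False
    domain = addr.rsplit("@", 1)[1]
    return domain not in {d.lower() for d in internal_domains}


def find_suspicious_forwarding(records: List[Dict],
                               internal_domains: Iterable[str] = INTERNAL_DOMAINS) -> List[Dict]:
    """Return one finding per rule/mailbox change that forwards mail externally."""
    hits = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = _params(rec)
        for name in FORWARDING_PARAMS:
            target = params.get(name)
            if target and is_external(target, internal_domains):
                hits.append({
                    "time": rec.get("CreationTime"),
                    "user": rec.get("UserId"),
                    "operation": rec["Operation"],
                    "parameter": name,
                    "target": target,
                    # A rule that forwards and deletes hides the leak from the owner.
                    "deletes_original": params.get("DeleteMessage", "").lower() == "true",
                })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_forwarding(parse_records(SAMPLE_LOG)):
        flag = " (deletes original)" if hit["deletes_original"] else ""
        print(f"{hit['time']} {hit['user']} {hit['operation']} "
              f"{hit['parameter']}={hit['target']}{flag}")
```

On the constructed input this flags alice's inbox rule (external forward that also deletes the message) and carol's mailbox-level forwarding, while bob's move-to-folder rule and dave's redirect to an internal colleague are left alone. In practice the same logic runs over the real audit feed, and the internal-domain set should include every domain the tenant accepts mail for, otherwise legitimate forwards between the organisation's own domains will show up as findings.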
The News Highlights
- Within a week, hackers gained access to 91 percent of compromised accounts and used them to send bulk credential phishing messages