Beware Of Credentials Phishing

Uploaded on 2021-06-14 in TECHNOLOGY--Resilience, FREE TO VIEW

In a growing trend known as credentials phishing, criminal actors are impersonatimg legitimate brands and services by crafting similar-looking websites where unsuspecting users are then asked enter their account information. 

Once entered, account details are forwarded to the cyber criminals, completely by-passing malware detection software.  From there, those criminals can do what they want, often for years and without being detected. And now with enterprise migration toward cloud-based email and services, credential phishing is more popular than ever. 

The email identity expers at Agari have carried aout a detailed analysis which demonstates just what a succesful attack method credentails phishing can be. In order to better understand the problem, the Agari Cyber Intelligence Division (ACID) seeded over 8,000 phishing sites with credentials under our control and then monitored these accounts to directly observe the actions taken by a cyber criminal post-compromise. 

The Results Were Astonishing

ACID's  research showed that nearly a quarter (23%) of compromised accounts were automatically accessed immediately at the time of compromiseto validate the authenticity of the credentials.  Based on the unique characteristics of the phishing sites and the behavior attributed to account access, we were able to cluster 85% of this auto-validation activity into just three families of attacks, indicating this activity is driven by a very small number of threat actors and/or phishing kits. 

Agari researchers identified a user agent string, BAV2ROPC, that was commonly associated with automated validation activity. This unique user agent string, which is linked to the use of an OAuth 2.0 token, was associated with auto-validation activity more than 90% of the times we saw it. 

Regardless of whether credentials were automatically validated, nearly all of the compromised accounts (92%) were accessed manually by a threat actor. 

Almost one in five accounts (18%) were accessed within the first hour post- compromise, half were accessed within 12 hours of the compromise, and nearly all (91%) of the accounts were accessed within a week after they were compromised. When manually accessing a compromised account, threat actors primarily logged in using a web browser (85%) rather than using an email client that was used in 15% of cases. 

While a majority of compromised accounts were only accessed one time by actors, Agari observed a number of examples where a cyber criminal maintained persistent and continuous access to a compromised account over ectended periods. 

Agari:

You Might Also Read:

Millions Of Compromised Accounts Discovered On The Dark Web:

 

 

« Questions Business Leaders Should Ask Themselves
Worldwide Internet Outage Caused By Single Configuration Error »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

AdNovum Informatik

AdNovum Informatik

AdNovum Informatik provides a full set of IT services, ranging from consulting, the conception and implementation of customized business and security solutions to maintenance and support.

Zanasi & Partners

Zanasi & Partners

Zanasi & Partners is a security research and advisory company active in the EU and MENA areas. Services focus on technology solutions.

Focal Point Data Risk

Focal Point Data Risk

Focal Point is a pure-play data risk management provider capable of offering end-to-end consulting, implementation, and training services.

herdProtect

herdProtect

herdProtect is a second line of defense malware scanning platform powered by 68 anti-malware engines in the cloud.

OneTrust

OneTrust

OneTrust is the largest and most widely used technology platform to operationalize privacy, security and third-party risk management.

Indeed

Indeed

Indeed is a worldwide employment-related search engine for job listings covering job types in all industries, including cybersecurity.

AppGuard

AppGuard

AppGuard prevents breaches by blocking applications from performing inappropriate processes using our patented dynamic isolation and inheritance technologies.

Ensconce Data Technology (EDT)

Ensconce Data Technology (EDT)

EDT’s focus is on providing solutions to properly sanitize Solid State Drives (SSD) and Magnetic Drives (HDD) before they are disposed or redeployed.

Guardian Data Destruction

Guardian Data Destruction

Guardian Data Destruction provides a comprehensive suite of onsite e-data destruction services.

ControlMap

ControlMap

ControlMap is a software as a service platform with a mission to simplify and eliminate stress from everyday operations of modern IT compliance teams.

Packetlabs

Packetlabs

Packetlabs specializes in penetration testing services and application security.

Detego Global

Detego Global

Detego Global are the creators of the Detego® Unified Digital Forensics Platform, a suite of modular tools used globally by military, law enforcement and intelligence agencies, and enterprises.

Segra

Segra

Segra owns and operates one of the nation’s largest fiber networks and provides best-in-class broadband and data security solutions throughout the Southeast and Mid-Atlantic.

The Purple Guys

The Purple Guys

The Purple Guys offer Trouble-Free IT Support to businesses across the Central and Southern US. Safe and Secure, Rapid Response, Friendly Support that’s our Purple Promise.

CyberCure

CyberCure

CyberCure provide specialised roles and services to manage your organisations cybersecurity requirements and professional advisory services in governance, risk and compliance.

AppSOC

AppSOC

AppSOC is a leader in Application Security Posture Management (ASPM) and Code-to-Cloud Vulnerability Management.