Beware Of Credentials Phishing

In a growing trend known as credentials phishing, criminal actors are impersonatimg legitimate brands and services by crafting similar-looking websites where unsuspecting users are then asked enter their account information. 

Once entered, account details are forwarded to the cyber criminals, completely by-passing malware detection software.  From there, those criminals can do what they want, often for years and without being detected. And now with enterprise migration toward cloud-based email and services, credential phishing is more popular than ever. 

The email identity expers at Agari have carried aout a detailed analysis which demonstates just what a succesful attack method credentails phishing can be. In order to better understand the problem, the Agari Cyber Intelligence Division (ACID) seeded over 8,000 phishing sites with credentials under our control and then monitored these accounts to directly observe the actions taken by a cyber criminal post-compromise. 

The Results Were Astonishing

ACID's  research showed that nearly a quarter (23%) of compromised accounts were automatically accessed immediately at the time of compromiseto validate the authenticity of the credentials.  Based on the unique characteristics of the phishing sites and the behavior attributed to account access, we were able to cluster 85% of this auto-validation activity into just three families of attacks, indicating this activity is driven by a very small number of threat actors and/or phishing kits. 

Agari researchers identified a user agent string, BAV2ROPC, that was commonly associated with automated validation activity. This unique user agent string, which is linked to the use of an OAuth 2.0 token, was associated with auto-validation activity more than 90% of the times we saw it. 

Regardless of whether credentials were automatically validated, nearly all of the compromised accounts (92%) were accessed manually by a threat actor. 

Almost one in five accounts (18%) were accessed within the first hour post- compromise, half were accessed within 12 hours of the compromise, and nearly all (91%) of the accounts were accessed within a week after they were compromised. When manually accessing a compromised account, threat actors primarily logged in using a web browser (85%) rather than using an email client that was used in 15% of cases. 

While a majority of compromised accounts were only accessed one time by actors, Agari observed a number of examples where a cyber criminal maintained persistent and continuous access to a compromised account over ectended periods. 

Agari:

You Might Also Read:

Millions Of Compromised Accounts Discovered On The Dark Web:

 

 

« Questions Business Leaders Should Ask Themselves
Worldwide Internet Outage Caused By Single Configuration Error »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Purdicom

Purdicom

Purdicom (formerly known as Selcoms) is an award winning distributor specialising in Wireless, Cloud & Security technologies.

Westermo Network Technologies

Westermo Network Technologies

Westermo designs and manufactures robust, resilient and secure data communications products for mission-critical industrial systems.

IT Security House

IT Security House

IT Security House is a leading European supplier of Cyber Security Intelligence and eCrime services.

AEI Cybersecurity

AEI Cybersecurity

AEI brings together companies, Research Centres, Universities, and other organizations interested in promoting new cybersecurity technologies.

ClearDATA

ClearDATA

The ClearDATA Managed Cloud protects sensitive healthcare data using purpose-built DevOps automation, compliance and security safeguards, and healthcare expertise.

Cryptosense

Cryptosense

Cryptosense provides the first application security software dedicated to the detection and remediation of crypto vulnerabilities.

DataTribe

DataTribe

DataTribe is a cyber startup foundry, leveraging deep experience and expertise to build and launch successful product companies.

Risk Ledger

Risk Ledger

Risk Ledger is improving the security of the global supply chain ecosystem, reducing the number of data breaches experienced through supply chain attacks by companies and consumers alike.

ADGS

ADGS

ADGS is a deeptech company focused in the fields of Agent-Based simulations (Emergent Behavior), Cybersecurity and Biometrics, Social Dynamics, Natural Language Processing and Artificial Intelligence.

BreachQuest

BreachQuest

BreachQuest brings together cybersecurity experts with decades of experience identifying security flaws, penetrating networks, and responding to incidents.

Liberman Networks

Liberman Networks

Liberman Networks is an IT solutions provider company that provides security, management, monitoring, BDR and cloud solutions.

Stryve

Stryve

Stryve is a leading carbon-neutral provider of specialist cloud and cybersecurity services in Europe.

SideChannel

SideChannel

At SideChannel, we match companies with an expert virtual CISO (vCISO), so your organization can assess cyber risk and ensure cybersecurity compliance.

Infoline Tec Group Berhad

Infoline Tec Group Berhad

Infoline Tec Group Berhad is principally involved in providing IT infrastructure solutions, cybersecurity service provider and solutions, managed IT and other IT services.

Box

Box

Box is the Cloud Content Management company that empowers enterprises to revolutionize how they work by securely connecting their people, information and applications.

SIGLA Group

SIGLA Group

SIGLA Group specialize in the design and development of IT and OT solutions, from analysis to design, from implementation to commissioning, as well as consultancy, training and assistance.