Beware Of Credentials Phishing

Uploaded on 2021-06-14 in TECHNOLOGY--Resilience, FREE TO VIEW

In a growing trend known as credentials phishing, criminal actors are impersonatimg legitimate brands and services by crafting similar-looking websites where unsuspecting users are then asked enter their account information. 

Once entered, account details are forwarded to the cyber criminals, completely by-passing malware detection software.  From there, those criminals can do what they want, often for years and without being detected. And now with enterprise migration toward cloud-based email and services, credential phishing is more popular than ever. 

The email identity expers at Agari have carried aout a detailed analysis which demonstates just what a succesful attack method credentails phishing can be. In order to better understand the problem, the Agari Cyber Intelligence Division (ACID) seeded over 8,000 phishing sites with credentials under our control and then monitored these accounts to directly observe the actions taken by a cyber criminal post-compromise. 

The Results Were Astonishing

ACID's  research showed that nearly a quarter (23%) of compromised accounts were automatically accessed immediately at the time of compromiseto validate the authenticity of the credentials.  Based on the unique characteristics of the phishing sites and the behavior attributed to account access, we were able to cluster 85% of this auto-validation activity into just three families of attacks, indicating this activity is driven by a very small number of threat actors and/or phishing kits. 

Agari researchers identified a user agent string, BAV2ROPC, that was commonly associated with automated validation activity. This unique user agent string, which is linked to the use of an OAuth 2.0 token, was associated with auto-validation activity more than 90% of the times we saw it. 

Regardless of whether credentials were automatically validated, nearly all of the compromised accounts (92%) were accessed manually by a threat actor. 

Almost one in five accounts (18%) were accessed within the first hour post- compromise, half were accessed within 12 hours of the compromise, and nearly all (91%) of the accounts were accessed within a week after they were compromised. When manually accessing a compromised account, threat actors primarily logged in using a web browser (85%) rather than using an email client that was used in 15% of cases. 

While a majority of compromised accounts were only accessed one time by actors, Agari observed a number of examples where a cyber criminal maintained persistent and continuous access to a compromised account over ectended periods. 

Agari:

You Might Also Read:

Millions Of Compromised Accounts Discovered On The Dark Web:

 

 

« Questions Business Leaders Should Ask Themselves
Worldwide Internet Outage Caused By Single Configuration Error »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Securosis

Securosis

Securosis is an information security research and advisory firm dedicated to improving the practice of information security.

Cato Networks

Cato Networks

Cato connects your branch locations, physical and cloud datacenters, and mobile users into a secure and optimized global network in the cloud.

ControlScan

ControlScan

ControlScan is a Managed Security Services Provider (MSSP) - our primary focus is protecting your business and securing your sensitive data.

DataSunrise

DataSunrise

DataSunrise Data-Centric high-performance security software protects the sensitive data in real-time in cloud or on premises, and helps organizations to stay compliant.

CSI

CSI

CSI is a Managed Service Provider (MSP) delivering Hybrid Multi-Cloud, Data Protection, and Cyber Security solutions to highly regulated industries.

Radiflow

Radiflow

Radiflow is a leading provider of cyber security solutions for critical infrastructure networks (i.e. SCADA), such as power utilities, oil & gas, water and others.

Fyde

Fyde

Fyde helps companies with an increasingly distributed workforce mitigate breach risk by enabling secure access to critical enterprise resources.

RFA

RFA

RFA is a unique IT, financial cloud and managed cyber-security provider to the financial services and alternative investment sectors.

AUREA Technology

AUREA Technology

The photon counter SPD_OEM_NIR from AUREA Technology is designed for quantum key distribution at telecom wavelengths.

FYEO

FYEO

FYEO is a threat monitoring and identity access management platform for consumers, enterprises and SMBs.

Xiarch Solutions

Xiarch Solutions

Xiarch Security is an global security firm that educates clients, identifies security risks, informs intelligent business decisions, and enables you to reduce your attack surface.

MailChannels

MailChannels

MailChannels protects companies against malicious email threats. Used by 750+ hosting providers around the world.

AI Spera

AI Spera

AI-Driven Cyber Threat Intelligence Security. AI Spera provides real-time intelligence to empower your security competences in all aspects of the business.

Venticento

Venticento

Venticento is an IT company specialized in consulting and network support and assistance for companies that need to make their business processes more effective.

US Cyber Games

US Cyber Games

US Cyber Games is committed to inform and inspire the broader community on ways to develop tomorrow’s cybersecurity workforce.

SecureAck

SecureAck

From our A-Op SaaS automation platform to Managed Automation-as-a-Service (MAaaS), SecureAck offer powerful security automation the way that best suits your organisation's needs.