Hackers accessed half of all compromised accounts within 12 hours, according to Agari cyber defense firm. Additionally, the firm noted that threat actors accessed more than nine out of ten compromised accounts within the first seven days.
Agari made the observations after a six-month-long investigation of more than 8,000 credential phishing sites impersonating Microsoft Account, Microsoft Office 365, and Adobe Document Cloud sites.
Threat actors accessed compromised accounts almost immediately
Threat actors accessed 91% of compromised accounts within seven days, according to Agari cyber intelligence division (ACID).
Nearly a fifth (18%) of the compromised accounts were accessed within 1 hour, 40% within six hours, and 50% within the first 12 hours. The team also discovered activity in 40% of all compromised accounts within six months.
However, hackers accessed 64% of the compromised accounts only once, while some were accessed repeatedly over time.
“In fact, one account was accessed 94 times over a four-and-a-half-month period, a great example of the persistent and continuous access cybercriminals maintain on compromised email accounts,” the report authors noted.
Agari researchers also discovered that close to a quarter (23%) of credential phishing sites used automated credential validation techniques. Contrarily, 92% of compromised accounts were manually accessed by threat actors regardless of whether they were automatically validated or not.
Consequently, the researchers suggested that most automated credential validation sites were created using the same kits.
“Notably, a vast majority of this auto-validation activity came from a small number of phishing site families—phishing sites that are linked to each other based on similar unique characteristics.”
More than a third of auto-validation activities were linked to a Russian address 2a00:1838:2a:1505:c267:afff:fe70:f4de.
Some were also linked to phishing kits developed by a threat actor named “MIRCBOOT.” The threat actor sells logs for prices ranging between $8 and $100 depending on the country. The hacker had advertised the kits on telegram channels and a Russian-speaking hacking forum.
Threat actors use compromised accounts for business email compromise
The investigation discovered that attackers tried to identify high-value targets with access to a company’s financial information or payment system after gaining access to the compromised accounts. Using these accounts, they could pinpoint vendors and send convincing credential phishing messages and BEC attacks.
“Business email compromise (BEC) remains the most prevalent threat in email security, and when cyber criminals gain access to legitimate email accounts, the problem is magnified,” noted Agari founder and HelpSystems executive strategy director Patrick Peterson.
Scammers also created forwarding rules to view incoming and outgoing messages. They also leveraged other applications such as Microsoft OneDrive and Microsoft Teams to create BEC credential phishing infrastructure.
Additionally, they used compromised accounts “to register for a variety [of] services that will allow them to perform reconnaissance and lead generation, deliver emails, host malicious pages, or create malicious documents.”
They also used file-hosting applications to upload fake files such as invoices which, were subsequently used for credential phishing attacks and fraud.
Further, ACID researchers discovered that the threat actors also used compromised accounts to register for additional software to run their scams.
Hackers tried to send bulk credential phishing emails using compromised accounts
After gaining access, the scammers used the compromised accounts to send bulk credential phishing emails.
In one instance, scammers tried to send 6,500 emails to companies dealing in the real estate, mortgage, and financial sectors. Another group attempted to send 4,800 emails impersonating the French banking service Credit du Nord.
Similarly, a scammer posed as an account payable specialist and attempted to send 7,300 credential phishing emails. In another case, scammers sent 12,000 messages within two hours to real estate title companies.
Nearly half of all compromised account users are located in Nigeria
The Anatomy of a Compromised Account report also found that threat actors using compromised accounts residing in 44 countries. However, nearly half (47%) were located in a single African country, Nigeria.
Other popular locations were the United States, South Africa, the United Arab Emirates, the United Kingdom, and Turkey.
However, the researchers noted that “while Nigeria may be the primary location for users of compromised credentials, it’s likely not the primary place for actors responsible for the initial compromise via phishing schemes.” This is because most initial access threat actors live in Eastern European countries.
With work from home becoming the new normal, credential phishing attacks will only increase. Between February and April 2020, Agari reported a 3,000% increase in credential phishing attacks.