Beware Of Credentials Phishing

In a growing trend known as credentials phishing, criminal actors are impersonatimg legitimate brands and services by crafting similar-looking websites where unsuspecting users are then asked enter their account information. 

Once entered, account details are forwarded to the cyber criminals, completely by-passing malware detection software.  From there, those criminals can do what they want, often for years and without being detected. And now with enterprise migration toward cloud-based email and services, credential phishing is more popular than ever. 

The email identity expers at Agari have carried aout a detailed analysis which demonstates just what a succesful attack method credentails phishing can be. In order to better understand the problem, the Agari Cyber Intelligence Division (ACID) seeded over 8,000 phishing sites with credentials under our control and then monitored these accounts to directly observe the actions taken by a cyber criminal post-compromise. 

The Results Were Astonishing

ACID's  research showed that nearly a quarter (23%) of compromised accounts were automatically accessed immediately at the time of compromiseto validate the authenticity of the credentials.  Based on the unique characteristics of the phishing sites and the behavior attributed to account access, we were able to cluster 85% of this auto-validation activity into just three families of attacks, indicating this activity is driven by a very small number of threat actors and/or phishing kits. 

Agari researchers identified a user agent string, BAV2ROPC, that was commonly associated with automated validation activity. This unique user agent string, which is linked to the use of an OAuth 2.0 token, was associated with auto-validation activity more than 90% of the times we saw it. 

Regardless of whether credentials were automatically validated, nearly all of the compromised accounts (92%) were accessed manually by a threat actor. 

Almost one in five accounts (18%) were accessed within the first hour post- compromise, half were accessed within 12 hours of the compromise, and nearly all (91%) of the accounts were accessed within a week after they were compromised. When manually accessing a compromised account, threat actors primarily logged in using a web browser (85%) rather than using an email client that was used in 15% of cases. 

While a majority of compromised accounts were only accessed one time by actors, Agari observed a number of examples where a cyber criminal maintained persistent and continuous access to a compromised account over ectended periods. 

Agari:

You Might Also Read:

Millions Of Compromised Accounts Discovered On The Dark Web:

 

 

« Questions Business Leaders Should Ask Themselves
Worldwide Internet Outage Caused By Single Configuration Error »

Perimeter 81

Directory of Suppliers

Perimeter 81

Perimeter 81

Perimeter 81 is a Zero Trust Network as a Service designed to simplify secure network, cloud and application access for the modern and distributed workforce.

Clayden Law

Clayden Law

Clayden Law are experts in information technology, data privacy and cybersecurity law.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

DigitalStakeout

DigitalStakeout

A simple and cost-effective solution to monitor, investigate and analyze data from the web, social media and cyber sources to identify threats and make better security decisions.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Booz Allen Hamilton

Booz Allen Hamilton

Booz Allen Hamilton is a management & tech consulting firm. Technology services include cloud computing, cyber security, systems development and integration.

MobileIron

MobileIron

MobileIron provides EMM capabilities to IT organizations that need to secure mobile devices, applications and content.

CERT-EU

CERT-EU

CERT-EU is a permanent Computer Emergency Response Team for the EU institutions, agencies and bodies.

Avatu

Avatu

Avatu specialise in providing clients the advice, technology and tools they need to fight cyber and insider threats.

AcceptLocal

AcceptLocal

AcceptLocal is a payments industry consultancy with expertise in payment processing, payment security, anti-money laundering and fraud prevention.

Wibu-Systems

Wibu-Systems

Wibu-Systems is a leading provider of solutions for the Digital Rights Management (DRM) and anti-piracy industry.

MACH37

MACH37

MACH37 is a market-centric cybersecurity accelerator program designed to facilitate the creation of the next generation of cybersecurity product companies.

Enosys Solutions

Enosys Solutions

Enosys Solutions is an IT security specialist with a skilled professional services team and 24x7 security operations centre servicing corporate and public sector organisations across Australia.

Utility Cyber Security Forum

Utility Cyber Security Forum

The Utility Cyber Security Forum offers a focused venue in which utility executives can network one-on-one with colleagues facing issues in protecting against cyber attacks.

Vijilan Security

Vijilan Security

Vijilan provides 24/7 SOC services to MSPs/VARs. Our Security Operations Center is global, and our services are exclusive to the Channel.

Netenrich

Netenrich

The Netenrich operations intelligence platform is built from the ground up to help enterprises resolve everyday and futuristic problems for stable, secure environments and infrastructures.