Beware Of Credentials Phishing

Uploaded on 2021-06-14 in TECHNOLOGY--Resilience, FREE TO VIEW

In a growing trend known as credentials phishing, criminal actors are impersonatimg legitimate brands and services by crafting similar-looking websites where unsuspecting users are then asked enter their account information. 

Once entered, account details are forwarded to the cyber criminals, completely by-passing malware detection software.  From there, those criminals can do what they want, often for years and without being detected. And now with enterprise migration toward cloud-based email and services, credential phishing is more popular than ever. 

The email identity expers at Agari have carried aout a detailed analysis which demonstates just what a succesful attack method credentails phishing can be. In order to better understand the problem, the Agari Cyber Intelligence Division (ACID) seeded over 8,000 phishing sites with credentials under our control and then monitored these accounts to directly observe the actions taken by a cyber criminal post-compromise. 

The Results Were Astonishing

ACID's  research showed that nearly a quarter (23%) of compromised accounts were automatically accessed immediately at the time of compromiseto validate the authenticity of the credentials.  Based on the unique characteristics of the phishing sites and the behavior attributed to account access, we were able to cluster 85% of this auto-validation activity into just three families of attacks, indicating this activity is driven by a very small number of threat actors and/or phishing kits. 

Agari researchers identified a user agent string, BAV2ROPC, that was commonly associated with automated validation activity. This unique user agent string, which is linked to the use of an OAuth 2.0 token, was associated with auto-validation activity more than 90% of the times we saw it. 

Regardless of whether credentials were automatically validated, nearly all of the compromised accounts (92%) were accessed manually by a threat actor. 

Almost one in five accounts (18%) were accessed within the first hour post- compromise, half were accessed within 12 hours of the compromise, and nearly all (91%) of the accounts were accessed within a week after they were compromised. When manually accessing a compromised account, threat actors primarily logged in using a web browser (85%) rather than using an email client that was used in 15% of cases. 

While a majority of compromised accounts were only accessed one time by actors, Agari observed a number of examples where a cyber criminal maintained persistent and continuous access to a compromised account over ectended periods. 

Agari:

You Might Also Read:

Millions Of Compromised Accounts Discovered On The Dark Web:

 

 

« Questions Business Leaders Should Ask Themselves
Worldwide Internet Outage Caused By Single Configuration Error »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Cyber Threat Intelligence Network (CTIN)

Cyber Threat Intelligence Network (CTIN)

CTIN provides cyber threat intelligence services including training, platform evaluation, ISAC/ISAO systems development and counter botnet operations.

Visa

Visa

Visa is a global payments technology company that connects consumers, businesses and banks in more than 200 countries and territories worldwide.

AVG Technologies

AVG Technologies

AVG is focused on providing home and business computer users with the most comprehensive and proactive protection against computer security threats.

Fiserv

Fiserv

Fiserv offers a wide array of Risk & Compliance solutions to help you prevent losses from fraud and ensure adherence to regulatory and compliance mandates.

Secureframe

Secureframe

Companies from startups to enterprises use Secureframe to automate SOC 2 and ISO 27001 compliance, complete audits, and continuously monitor their security.

Noblis

Noblis

Noblis is a dynamic science, technology, and strategy organization dedicated to creating forward-thinking technical and advisory solutions in the public interest.

Enea

Enea

Enea is one of the world’s leading specialists in software for telecommunications and cybersecurity. Our products are used to enable services for mobile subscribers, enterprise customers and IoT.

Abertay cyberQuarter

Abertay cyberQuarter

The Abertay cyberQuarter is a cybersecurity research and development centre housed within Abertay University.

inWebo

inWebo

inWebo is the specialist in multi-factor strong authentication (MFA). We guarantee the security of data and identities in a digital world with increasingly important economic and political stakes.

GreenPages Technology Solutions

GreenPages Technology Solutions

GreenPages provide expert strategic guidance and proven cloud-era solutions for our clients. Every day we help organizations leverage the cloud securely with less risk and cost.

Communications Fraud Control Association (CFCA)

Communications Fraud Control Association (CFCA)

CFCA is the premier International Association for fraud risk management, fraud prevention and profitability control.

Lakera

Lakera

Lakera empowers developers and organizations to build GenAI applications without worrying about AI security risks.

PingSafe

PingSafe

PingSafe is creating the next-generation cloud security platform powered by attackers' intelligence, providing coverage for vulnerabilities that traditional security solutions would otherwise overlook

Arculus Cyber Security

Arculus Cyber Security

Arculus Cyber Security enables customers to securely realise the benefits of digital transformation through pragmatic solutions, guidance and services.

CyberGrape

CyberGrape

CyberGrape is a client centric managed services company, providing enterprise leading security solutions and helping companies through their IT risk and security challenges.

Skylark

Skylark

Skylark is a leading global IT services provider, transforming client’s businesses through innovative and advanced technology solutions.