Agari: 50% of accounts are accessed within 12 hours of being stolen

(Source: venturebeat.com)

VB Staff
June 16, 2021

New research from phishing defense company Agari found that criminals don’t wait after they compromise accounts in phishing attacks. Agari researchers found that 23% of all accounts were accessed almost immediately and 50% of the accounts were accessed manually within 12 hours after compromise, according to the Anatomy of a Compromised Account report.


[Figure: Percentage of compromised accounts manually accessed over time. Image credit: Agari]


In order to better understand what happens after an enterprise email account is compromised, the Agari Cyber Intelligence Division (ACID) seeded more than 8,000 phishing sites with credentials under their control and then monitored the accounts to directly observe the actions cybercriminals took post-compromise. Nearly 20% of accounts were accessed within the first hour post-compromise, and 91% were accessed manually within the first week, demonstrating the speed at which compromised accounts are exploited. Initial scanning appeared to be automated, perhaps to verify that the stolen credentials actually worked.

The criminals impersonated Microsoft OneDrive, Office 365, SharePoint, Adobe Document Cloud, or just “Microsoft,” according to Agari. Once attackers gained access to the compromised accounts, they appeared to try to identify high-value targets with access to a company’s financial information or payment system.

Highlighting the global footprint of the problem of business email compromise (BEC), Agari identified cybercriminals located in 44 countries around the world that had accessed compromised accounts, with 47% located in Nigeria. The ACID team was also able to directly observe the different ways cybercriminals exploited compromised accounts, including creating mailbox rules to collect intelligence, pivoting to other applications to search for and host malicious documents, setting up new infrastructure for future BEC attacks, and sending massive phishing campaigns targeting multiple industries.
