Security researchers at Agari’s Cyber Intelligence Division completed a six-month investigation into compromised e-mail accounts, showcasing how threat actors use credential phishing sites to gather passwords and what they do with them post-compromise. To uncover the cybercriminals’ tactics, they seeded more than 8,000 phishing sites with fake credentials and monitored what happened next.
Spoofed Websites Linked to BEC Schemes
In a growing trend, scammers impersonate legitimate brands and services by crafting similar-looking websites. By using the brand’s name, logo and company colors, they trick visitors into trusting the spoofed page. When unsuspecting users enter their credentials or personally identifiable information, their details are forwarded to cybercriminals. From then on, the scammers can do what they want with the account.
The technique is rapidly becoming a key part of business email compromise (BEC) scams. “We know that business email compromise and credential phishing are linked”, said Agari’s cyber experts in their white paper, titled the Anatomy of a Compromised Account. “And now, with enterprise migration toward cloud-based email and services, credential phishing is more popular than ever.”
BEC scams aren’t new, but they do spin a better story than Nigerian princes or an unexpected inheritance. To uncover the pathways leading from credential phishing to compromised accounts, Agari decided to follow the trail. They entered unique sets of fake credentials into more than 8,000 phishing sites. Some of these were mimicking Microsoft Accounts and Microsoft Office 365. Others pretended to be Adobe Document Cloud login screens.
Six Month Investigation
After successfully submitting these unique sets of credentials, the team simply monitored the actions of the criminals seeking access to the accounts. As they used unique sets of credentials, the researchers were able to link individual phishing attacks to specific actors and their post-compromise actions. This way, they were able to unobtrusively trace and understand the lifecycle of compromised accounts.
“Of the phishing sites where we planted credentials, we detected activity in nearly 40% of our compromised accounts. The activity in those accounts allowed us to gain the insights into what cybercriminals do with an email account after they have stolen the credentials as part of a phishing attack”, states Patrick Peterson, founder of Agari and executive strategy director at HelpSystems.
Some of the statistics are quite astonishing.
- Threat actors accessed 91% of all accounts manually within the first week.
- They even accessed half of compromised accounts within the first 12 hours.
- 23% of phishing sites used automated account validation techniques.
- Threat actors were located in 44 countries worldwide, with 47% in Nigeria.
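The seeding-and-monitoring method described above relies on one idea: every phishing site receives its own unique fake credential pair, so any later login with that pair can be attributed to the site where it was planted, and the delay between planting and first use shows how quickly the stolen credentials were acted on. The following Python is an added illustration of that canary-credential bookkeeping, not Agari’s tooling; all usernames, site names, timestamps and log entries are constructed for the example, and the two-minute threshold used to flag likely automated validation is an assumption, not a figure from the report.

```python
"""Canary-credential tracking: mint a unique fake identity per phishing site,
attribute later login attempts back to the site, and compute time-to-first-access
statistics of the kind the article reports. Added example; not Agari's own code."""

import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Canary:
    site: str                 # phishing URL the credentials were submitted to
    username: str             # unique per site; this is what ties a login back to the site
    password: str
    planted_at: datetime      # when the credentials were typed into the phishing page
    accesses: list = field(default_factory=list)   # timestamps of later login attempts


def make_canary(site: str, planted_at: datetime, domain: str = "example.com") -> Canary:
    """Mint a throwaway identity for one phishing site. The random token in the
    username makes collisions between sites practically impossible."""
    token = secrets.token_hex(4)
    return Canary(site, f"user-{token}@{domain}", secrets.token_urlsafe(12), planted_at)


def attribute_logins(canaries, login_log):
    """login_log: iterable of (timestamp, username) from the honeypot mailbox's
    auth log. A username matching a canary is an access by whoever harvested
    that site's credentials; anything else is returned as unmatched noise."""
    by_user = {c.username: c for c in canaries}
    unmatched = []
    for ts, user in login_log:
        canary = by_user.get(user)
        if canary is None:
            unmatched.append((ts, user))
        else:
            canary.accesses.append(ts)
    return unmatched


def first_access_delay(canary):
    """Time from planting to the earliest login, or None if never accessed."""
    return (min(canary.accesses) - canary.planted_at) if canary.accesses else None


def summarize(canaries, auto_threshold=timedelta(minutes=2)):
    """Share of active accounts first used within 12 hours / 7 days, plus a crude
    automation flag: use within minutes of planting is unlikely to be a human
    working through a fresh batch of credentials (threshold is an assumption)."""
    active = [c for c in canaries if c.accesses]

    def frac(pred):
        if not active:
            return 0.0
        return sum(1 for c in active if pred(first_access_delay(c))) / len(active)

    return {
        "seeded": len(canaries),
        "active": len(active),
        "within_12h": frac(lambda d: d <= timedelta(hours=12)),
        "within_7d": frac(lambda d: d <= timedelta(days=7)),
        "likely_automated": frac(lambda d: d <= auto_threshold),
    }


def demo():
    """Run the pipeline over constructed data and return (summary, unmatched)."""
    t0 = datetime(2021, 1, 4, 9, 0)
    canaries = [   # fixed usernames so the run is deterministic; constructed values
        Canary("phish-a.example", "user-a1b2c3d4@example.com", "pw", t0),
        Canary("phish-b.example", "user-11112222@example.com", "pw", t0),
        Canary("phish-c.example", "user-deadbeef@example.com", "pw", t0 + timedelta(hours=1)),
        Canary("phish-d.example", "user-cafef00d@example.com", "pw", t0),   # never used
    ]
    login_log = [   # constructed honeypot auth log: (timestamp, username)
        (t0 + timedelta(seconds=30), "user-a1b2c3d4@example.com"),   # seconds after planting
        (t0 + timedelta(days=2), "user-a1b2c3d4@example.com"),
        (t0 + timedelta(hours=5), "user-11112222@example.com"),
        (t0 + timedelta(hours=1, days=3), "user-deadbeef@example.com"),
        (t0 + timedelta(hours=1), "someone-else@example.com"),        # not a canary
    ]
    unmatched = attribute_logins(canaries, login_log)
    return summarize(canaries), unmatched


if __name__ == "__main__":
    summary, noise = demo()
    print(summary)           # {'seeded': 4, 'active': 3, 'within_12h': 0.666..., 'within_7d': 1.0, 'likely_automated': 0.333...}
    print("unmatched:", noise)
```

In practice the login log would come from the honeypot mailbox provider’s sign-in audit trail, and the per-site record would also keep the submitting IP and user agent of each access so that several phishing kits operated by the same actor can be grouped, which is how the researchers were able to tie individual sites to specific actors.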
Tricks of the Trade
In one case, a threat actor used a compromised account to upload two financial documents to the associated OneDrive account. The first document was a rental balance sheet; the second included wire instructions for their bank account. “Based on the content of these documents, it’s likely that they were intended to be used as part of a BEC attack, presumably one impersonating the real estate investment trust and targeting the senior living community operator, trying to trick them into paying more than $200,000 in outstanding rent.”
In another example, cybercriminals targeted employees at real estate or title companies in the US. They used an email that appeared to come from a US-based financial services company that offers title insurance for real estate transactions. “When targets opened the email, they were encouraged to view a secure message, which sent them to a webpage mimicking the company’s actual homepage.” From there, the scammers tried to trick the potential victim into viewing additional documents and asked them to enter their account information, leading to the compromise.
The examples uncover the growing scale of the issue. “[It] shows the self-fulfilling growth cycle, where credential phishing attacks lead to compromised accounts, which lead to more credential phishing attacks and more compromised accounts, and so on”, continues Peterson. “Without measures in place to protect against BEC and account takeover-based attacks, the problem will only continue. Only by preventing the first compromise can we suppress BEC at an early stage.”
One of the Most Financially Damaging Online Crimes
According to the FBI, business email compromise, also known as email account compromise, is one of the most financially damaging online crimes. Between January 2014 and October 2019, the FBI’s Internet Crime Complaint Center (IC3) received complaints totaling more than $2.1 billion in actual losses, all as a result of BEC scams.
While most cloud-based email services have security features that can help prevent BEC, users often have to configure and enable these manually. “Nonetheless, users can better protect themselves from BEC by taking advantage of the full spectrum of protections that are available”, said the FBI in a security alert.
Depending upon the provider, cloud-based email services may provide additional security features, like advanced phishing protection or multi-factor authentication. To help our readers, we’ve made a simple 8-step guide people can follow to better protect themselves when online. Most of these tips and tricks are useful for computers, tablets, and smartphones.