Even as data protection regulations tighten globally, protecting user data has become increasingly essential. Ever wondered what happens to compromised accounts, how your leaked data is used by cybercriminals, or where it all goes? To answer these pertinent questions, email security solutions provider Agari conducted a survey to determine how attackers use credential phishing sites to pilfer passwords and how they exploit them post-compromise.
The survey “Anatomy of a Compromised Account” revealed that 50% of compromised accounts in phishing attacks are accessed within 12 hours. It also found that cybercriminals try to exploit the stolen credentials as quickly as possible. In its six-month investigation, the Agari Cyber Intelligence Division (ACID) deployed more than 8,000 phishing sites mimicking popular brands such as Microsoft Account, Microsoft Office 365, and Adobe Document Cloud login screens. After submitting the login credentials, the research team linked individual phishing attacks to specific actors and their post-compromise actions to understand the lifecycle of the compromised account.
- One in five accounts was accessed within the first hour after compromise.
- Over 91% of all accounts were manually accessed by threat actors within the first week.
- Scammers were located in 44 countries worldwide, with 47% in Nigeria.
- Nearly a quarter of compromised accounts were automatically accessed at the time of compromise to validate the authenticity of the credentials.
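The findings above describe two sign-in patterns a defender can look for: an automated login shortly after credentials are submitted to a phishing page (the validation step), followed by manual access, often from a different country, within the first hours. The following script is an added example and is not code from the Agari report; the sign-in log lines, the user baselines, the phishing-submission timestamps and the field layout are all constructed for illustration, and the 15-minute validation window is an assumption (the 12-hour window comes from the report's figure).

```python
"""Flag post-phishing account access patterns in sign-in logs.

Added example, not part of the Agari report. Every record below is
constructed: each sign-in line carries a timestamp, user, source
country, client type and result. In practice the phishing-submission
times would come from a mail-security alert; here they are hard-coded.
"""
from datetime import datetime, timedelta

# Constructed sign-in records (not real data).
SIGNIN_LOG = [
    "2021-03-01T09:00:05Z alice@example.com US browser success",
    "2021-03-01T09:02:40Z alice@example.com NG script success",   # automated credential check
    "2021-03-01T15:30:00Z alice@example.com NG browser success",  # manual access, same day
    "2021-03-01T10:00:00Z bob@example.com US browser success",
    "2021-03-03T08:00:00Z bob@example.com US browser success",
    "2021-03-02T11:00:00Z carol@example.com DE browser failure",
]

# Constructed: time at which each user submitted credentials to a phishing page.
PHISH_SUBMISSIONS = {
    "alice@example.com": datetime(2021, 3, 1, 9, 1, 0),
    "bob@example.com": datetime(2021, 3, 1, 9, 50, 0),
}

# Constructed: each user's normal sign-in countries.
BASELINE_COUNTRIES = {
    "alice@example.com": {"US"},
    "bob@example.com": {"US"},
    "carol@example.com": {"DE"},
}

VALIDATION_WINDOW = timedelta(minutes=15)   # assumed window for the automated check
FAST_ACCESS_WINDOW = timedelta(hours=12)    # half of compromised accounts accessed within 12h


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, user, country, client, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "country": country,
        "client": client,
        "result": result,
    }


def find_suspicious_access(log_lines, submissions, baselines):
    """Return (user, timestamp, reason) tuples for sign-ins that match the report's patterns.

    Only successful sign-ins by users with a known phishing submission are
    considered, and only those that happen after the submission.
    """
    findings = []
    for rec in map(parse_line, log_lines):
        if rec["result"] != "success" or rec["user"] not in submissions:
            continue
        delta = rec["ts"] - submissions[rec["user"]]
        if delta < timedelta(0):
            continue  # sign-in predates the credential leak
        new_country = rec["country"] not in baselines.get(rec["user"], set())
        if rec["client"] == "script" and delta <= VALIDATION_WINDOW:
            findings.append((rec["user"], rec["ts"], "automated validation login"))
        elif new_country and delta <= FAST_ACCESS_WINDOW:
            findings.append((rec["user"], rec["ts"], "manual access from new country within 12h"))
    return findings


if __name__ == "__main__":
    for user, ts, reason in find_suspicious_access(SIGNIN_LOG, PHISH_SUBMISSIONS, BASELINE_COUNTRIES):
        print(f"{ts.isoformat()} {user}: {reason}")
```

On the constructed data only alice's two post-submission sign-ins are flagged: the scripted login 100 seconds after the submission and the browser login from a non-baseline country six and a half hours later. bob's logins are in his baseline country and carol never submitted credentials, so neither produces a finding. Tightening the 15-minute window or adding client-type checks for the manual stage is where a real deployment would tune this.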
How Attackers Exploit Compromised Accounts
Threat actors created fake applications impersonating Microsoft OneDrive and Microsoft Teams to send phishing emails to targeted users, and used the compromised accounts to set up additional Business Email Compromise (BEC) infrastructure. The research team reported that scammers used the compromised accounts to send vendor scam emails to high-profile employees with access to the company's financial information. The hacked accounts were also used to send malicious emails and to register for additional software used to run their scams.
“Business email compromise or BEC remains the most prevalent threat in email security, and when cybercriminals gain access to legitimate email accounts, the problem is magnified. This research provides key insights into how cybercriminals use these accounts and underscores the importance of securing your email environment against credential phishing attacks from the beginning,” said Patrick Peterson, founder of Agari.
Scammers Found Using Compromised Credentials
The researchers stated that they were able to determine the actual location of the cybercriminals associated with 41% of the compromised accounts. Most scammers are located in places like Eastern Europe, Russia, or North Africa. While Nigeria may be the primary location for users of compromised credentials, the second-most common location was the U.S., followed by South Africa, the UAE, the U.K., and Turkey.
BEC attacks are increasing exponentially. They are a severe security concern for organizations that lack proper security measures to protect against BEC and account takeover attacks.