To discover details about compromised credentials, Imperva researchers went undercover by creating several fake user accounts, including email and file sharing accounts with Google and Dropbox. Once the accounts were active, the researchers deployed techniques to lure in the criminals and tracked them over the span of nine months.
The report also revealed common behaviours of cybercriminals by digging into how attackers cover their tracks. For example, to remain anonymous, attackers would be expected to destroy evidence of their presence in accounts by erasing contaminated logins and messages. Yet, surprisingly, 83% of the attackers did little to cover their tracks. Of those who did cover their tracks, 15% erased new sign-in alerts from the email inbox, but usually forgot to delete them from the email trash folder.
Business data is highly sought after: 25% of the phishers looked at emails whose subject lines related to business, such as those that included the words financial data, customer database or supplier details. More than 50% of the accounts were accessed 24 hours or more after the credential takeover.
The “Beyond Takeover – Stories from a Hacked Account” research included four phases: setup and maintenance of honey accounts, establishment of account monitoring mechanisms, credential leakage, and collection and analysis of information about attackers and their practices.