"Scammers Access 50% of Compromised Accounts Within 12 Hours According to New Research"
The email security company Agari has shared the results of a study on the anatomy of compromised email accounts. The threat intelligence brief, titled "Anatomy of a Compromised Account," examines how threat actors use credential phishing sites to gather passwords and what they do with those passwords post-compromise. The Agari Cyber Intelligence Division (ACID) conducted a six-month investigation, seeding over 8,000 phishing sites that imitate Microsoft Account, Microsoft Office 365, and Adobe Document Cloud login screens. To gain better insight into the lifecycle of a compromised account, the team linked individual phishing attacks to specific actors and to their post-compromise actions following the successful submission of credentials. The investigation found that threat actors manually accessed 91 percent of all accounts within the first week. Half of the compromised accounts were accessed by threat actors within the first 12 hours. Automated account validation techniques were applied by 23 percent of phishing sites. Threat actors were found to be located in 44 countries, with 47 percent being in Nigeria. When the attackers successfully gained access to the compromised accounts, their goal became clear: identifying those who have access to a company's financial information or payment system so that they could effectively send vendor email compromise scams. The attackers also used the compromised accounts to send malicious emails and to register for additional software that can help run their scams. This article continues to discuss Agari's key findings surrounding how cybercriminals access and use compromised accounts.