A peek into the stealing habits of cybercriminals

Security experts show that (like everyone else) hackers are often lazy and traceable

According to Verizon’s 2017 Data Breach Investigations Report, 81 percent of hacking-related breaches involve stolen and/or weak passwords. It’s no big surprise. Stories of businesses still using the word “password” for their passwords continually do the rounds. So a group of researchers at enterprise cyber security software and services firm Imperva decided to test the water, to see what actually happens when hackers gain access to credentials and attack individuals.

Apparently the most common way cybercriminals penetrate networks is by stealing and then using valid credentials. According to Imperva, password theft occurs using many different methods—phishing, malware, man-in-the-middle attacks and brute-force password learning—but it is phishing that remains the most effective method. It plays on human curiosity and error, so this is where the researchers focussed most of their attention.

“Humans will always be humans,” says Luda Lazar, security research engineer at Imperva’s Defense Center. By that she means we always have it in us to do stupid things like click on links in emails or download attachments.

Lazar led Imperva’s six-month research project, a honeypot campaign to attract hackers and watch their methods and movements and even trace them where possible. A pool of honey accounts was created containing nearly 60 email accounts from the likes of Gmail, Outlook, Yahoo and Yandex, as well as 30 groups of other account types—including file hosting (OneDrive, Google Drive, Dropbox) and social network accounts (Facebook, LinkedIn, Twitter) bound to one of the email accounts. Identical passwords were used for all accounts to track password reuse attempts.

To make the honey accounts appear authentic they were subscribed to popular sites, while their sent mail folders were filled out and contacts lists for each account were created. Each social network account had a full social profile, establishing real relationships with other social networkers, while file hosting accounts were populated with various files and periodically updated. Only then did the researchers start to leak account credentials to the dark web via zero-day phishing campaigns, using the Open Phish feed and Phishtank database.

Researchers tracked all account activity, including login attempts, using built-in alerts, while decoys derived from the open-source Canarytokens toolkit helped track phisher attention.
