According to Verizon’s 2017 Data Breach Investigations Report, 81 percent of hacking-related breaches used stolen and/or weak passwords. It’s no big surprise. Stories of businesses still using the word “password” for their passwords continually do the rounds. So a group of researchers at enterprise cyber security software and services firm Imperva decided to test the water, to see what actually happens when hackers gain access to credentials and attack individuals.

Apparently the most common way cybercriminals penetrate networks is by stealing and then using valid credentials. According to Imperva, password theft occurs using many different methods—phishing, malware, man-in-the-middle attacks and brute-force password guessing—but phishing remains the most effective. It plays on human curiosity and error, so this is where the researchers focused most of their attention.

“Humans will always be humans,” says Luda Lazar, security research engineer at Imperva’s Defense Center. By that she means we always have it in us to do stupid things like click on links in emails or download attachments.

Lazar led Imperva’s six-month research project, a honeypot campaign to attract hackers, watch their methods and movements, and even trace them where possible. A pool of honey accounts was created containing nearly 60 email accounts from the likes of Gmail, Outlook, Yahoo and Yandex, as well as 30 groups of other account types—including file hosting (OneDrive, Google Drive, Dropbox) and social network accounts (Facebook, LinkedIn, Twitter)—each bound to one of the email accounts. Identical passwords were used for all accounts to track password reuse attempts.

To make the honey accounts appear authentic they were subscribed to popular sites, their sent mail folders were filled out and a contacts list was created for each account. Each social network account had a full social profile, establishing real relationships with other social networkers, while file hosting accounts were populated with various files and periodically updated. Only then did the researchers start to leak account credentials to the dark web via zero-day phishing campaigns, using the OpenPhish feed and the PhishTank database.

Researchers tracked all account activity, including login attempts, using the providers’ built-in alerts, while decoys derived from the Canarytokens open source toolkit helped track phisher attention.

Counterintelligence

After gathering data from 200 credential leaks, the researchers started analysing the data and identified some consistent patterns. According to Lazar, you’d think erasing evidence of a hack would be standard practice, but what she found was quite the opposite.

“We learned that most attackers don’t bother to cover their tracks, and leave various evidence behind,” says Lazar. “We were surprised to find that only 17 percent made any attempt to cover their tracks. In 15 percent of the penetrations, new sign-in alerts were deleted from the inbox but were left languishing in a trash folder. Only two percent of the attackers permanently deleted new sign-in alerts.”

Lazar adds that the research demonstrated that the phishers are no more careful than their victims when it comes to clicking links.

“We planted various traps within the accounts and most attackers did not hesitate to click the links and open documents—blithely doing so without taking precautionary measures such as using a sandbox or anonymity service,” says Lazar.

The research detected honey account penetrations originating from 167 IP addresses in 18 countries—Nigeria accounted for 55 percent of the penetrations—and Lazar had predicted that most accesses would be anonymised through Tor or anonymous proxy services. She was therefore surprised to discover that only 39 percent of the phishers accessed the honey accounts anonymously.

Another surprising discovery was that only 16 percent of the attackers tried to use the same credentials to propagate to tied accounts.

“This low percentage was somewhat surprising,” says Lazar. “There are plenty of ways for attackers to use the common practice of password reuse, e.g., propagation to other accounts of the victim or validating stolen credentials or brute-forcing credentials in a weakly protected site, and we expected to see a larger portion of the attackers propagating to tied accounts.”

Scams

Imperva encountered several cases where honey accounts were used to launch further attacks, including spear phishing, phony requests for short-term loans, and even an inheritance scam.

“Five of the honey accounts received, at the same time, a curious proposal from one Judith Chan, which occurred almost immediately after leaking one of these accounts to a LinkedIn phishing campaign,” says Lazar.

When the researchers looked deeper into the related email and LinkedIn accounts, they found that one LinkedIn account had been accessed the same day as the leak, and assumed the other victims’ addresses were stolen from the contacts list of the exploited account.

“Chan stated she found a profile and country on that social networking site and offered us a chance ‘to fit into an opportunity’,” adds Lazar. “We decided to embark on an adventure by responding to Chan. In doing so she sent us an offer, this time identifying herself as an employee of Llyod’s Bank Uk (sic).”

Chan’s “offer” was the typical will scam: managing the $33 million-plus portfolio of a wealthy investor who had died without leaving a will. The proposal was for ‘Emma’ (the honeypot account) to claim to be the closest surviving relation, and to share 60 percent of the proceeds with Chan as the “deal initiator/facilitator”.

Of course, these types of scams, which try to get gullible and greedy people to reveal their identities and bank details, are not new, but what this shows is how attackers are trying to use social media contacts to harvest more addresses to target. Interestingly though, an account takeover didn’t always happen when account credentials were leaked.

“Even when it does, it’s not always immediate,” says Lazar. “Only 44 percent of our credentials leaked to phishing campaigns were exploited, and only 46 percent of those occurrences (20 percent of the total leaked credentials) happened during the first 24 hours.”

However, while propagation through password reuse was low—16 percent of the cases—it still represents a significant threat to personal information through account takeovers. The researchers at Imperva believe the project has given them invaluable evidence not just on how to fight back against attackers but on how to prevent them from gaining access in the first place. The cat-and-mouse game continues.
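The article describes the measurements behind its headline figures: the researchers tracked the providers' new-sign-in alerts on each honey account, gave tied accounts the same password to detect reuse, and then counted how many leaked accounts were exploited, how many within 24 hours, how many attackers covered their tracks, how many came in anonymised and how many propagated to tied accounts. The following script is an added example, not Imperva's code, showing how a defender running such a honey-account pool could compute those same metrics from a simplified alert export. The log format, account names, leak time and IP addresses (documentation ranges) are all constructed for the example; a real deployment would parse the actual provider alert emails or Canarytokens callbacks instead.

```python
"""Summarise sign-in alerts from a pool of honey accounts (added example).

Constructed input: one line per observed access, in the form
    <ISO timestamp> <account> <source-ip> <route> <alert-state>
  route       : direct | tor | proxy      (tor/proxy = anonymised access)
  alert-state : inbox | trash | purged    (where the new-sign-in alert ended up)
                '-' for tied non-mail accounts, which raise no mailbox alert
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Access:
    ts: datetime
    account: str
    ip: str
    route: str
    alert_state: str

    @property
    def anonymised(self) -> bool:
        # Tor exits and anonymous proxies are the anonymisation routes the article mentions
        return self.route in ("tor", "proxy")


# Honey pool (constructed): primary mail account -> tied accounts sharing its password.
HONEY: Dict[str, List[str]] = {
    "emma@mail.test":  ["emma@drive.test", "emma@social.test"],
    "bob@mail.test":   ["bob@drive.test"],
    "carol@mail.test": ["carol@social.test"],
    "dave@mail.test":  ["dave@drive.test"],
    "erin@mail.test":  [],
}

# All five credential sets were leaked to phishing feeds at the same (constructed) time.
LEAKED_AT = datetime(2017, 1, 10, 9, 0)

# Constructed alert export; IPs are from RFC 5737 documentation ranges.
ALERT_LOG = """\
2017-01-10T15:03:00 emma@mail.test 203.0.113.45 direct trash
2017-01-11T08:20:00 emma@drive.test 203.0.113.45 direct -
2017-01-13T11:45:00 bob@mail.test 198.51.100.7 tor inbox
2017-01-10T11:10:00 dave@mail.test 192.0.2.88 proxy purged
"""


def parse_alerts(text: str) -> List[Access]:
    """Parse the export into Access records, sorted by time (skips blank lines)."""
    accesses = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, route, state = line.split()
        accesses.append(Access(datetime.fromisoformat(ts), account, ip, route, state))
    return sorted(accesses, key=lambda a: a.ts)


def first_access(account: str, accesses: List[Access]) -> Optional[Access]:
    """Earliest access to `account`, or None if it was never touched."""
    for a in accesses:  # accesses are sorted, so the first hit is the earliest
        if a.account == account:
            return a
    return None


def summarise(honey: Dict[str, List[str]], leaked_at: datetime,
              accesses: List[Access], window: timedelta = timedelta(hours=24)) -> Dict[str, float]:
    """Compute the article's five ratios over the honey pool."""
    exploited = {}  # primary account -> its first access
    for acct in honey:
        fa = first_access(acct, accesses)
        if fa is not None:
            exploited[acct] = fa
    n_exp = len(exploited)
    within = sum(1 for fa in exploited.values() if fa.ts - leaked_at <= window)
    covered = sum(1 for fa in exploited.values() if fa.alert_state in ("trash", "purged"))
    # Propagation: any tied account of an exploited primary was accessed at or after the primary
    propagated = sum(
        1 for acct, fa in exploited.items()
        if any(a.account in honey[acct] and a.ts >= fa.ts for a in accesses)
    )
    anon = sum(1 for a in accesses if a.anonymised)

    def ratio(num: int, den: int) -> float:
        return num / den if den else 0.0

    return {
        "exploited": ratio(n_exp, len(honey)),          # share of leaked accounts taken over
        "within_24h": ratio(within, n_exp),             # of those, taken over within the window
        "covered_tracks": ratio(covered, n_exp),        # alert removed from inbox (trash or purged)
        "propagated": ratio(propagated, n_exp),         # password reused against a tied account
        "anonymised": ratio(anon, len(accesses)),       # accesses via Tor or an anonymous proxy
    }


if __name__ == "__main__":
    for name, value in summarise(HONEY, LEAKED_AT, parse_alerts(ALERT_LOG)).items():
        print(f"{name:15s} {value:.0%}")
```

The "covered tracks" metric deliberately treats an alert moved to the trash the same as a permanently purged one, matching the article's 17 percent figure (15 percent trashed plus two percent purged); splitting the two states is a one-line change if you want both numbers.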