A peek into the stealing habits of cybercriminals

According to Verizon’s 2017 Data Breach Investigations Report, 81 percent of hacking-related breaches use either stolen and/or weak passwords. It’s no big surprise. Stories of businesses still using the word “password” for its passwords continually do the rounds. So a group of researchers at enterprise cyber security software and services firm Imperva decided to test the water, to see what actually happens when hackers gain access to credentials and attack individuals.

Apparently the most common way cybercriminals penetrate networks is by stealing and then using valid credentials. According to Imperva, password theft occurs using many different methods—phishing, malware, man-in-the-middle attacks and brute-force password learning—but it is phishing that remains the most effective method. It plays on human curiosity and error so this is where the researchers focussed most of their attention.

“Humans will always be humans,” says Luda Lazar, security research engineer at Imperva’s Defense Center. By that she means we always have it in us to do stupid things like click on links in emails or download attachments.

Lazar led Imperva’s six-month research project, a honeypot campaign to attract hackers and watch their methods and movements and even trace them where possible. A pool of honey accounts was created containing nearly 60 email accounts from the likes of Gmail, Outlook, Yahoo and Yandex, as well as 30 groups of other account types—including file hosting (OneDrive, Google Drive, Dropbox) and social network accounts (Facebook, LinkedIn, Twitter) bound to one of the email accounts. Identical passwords were used for all accounts to track password reuse attempts.

To make the honey accounts appear authentic they were subscribed to popular sites, while their sent mail folders were filled out and contacts lists for each account were created. Each social network account had a full social profile, establishing real relationships with other social networkers, while file hosting accounts were populated with various files and periodically updated. Only then did the researchers start to leak account credentials to the dark web via zero-day phishing campaigns, using the Open Phish feed and Phishtank database.

Researchers tracked all account activity including login attempts using in-built alerts while decoys derived from the Canarytokens Open Source toolkit2 helped track phisher attention.

Counterintelligence

After gathering data from 200 credential leaks, researchers started analysing the data and identified some consistent patterns. According to Lazar, you’d think erasing evidence of a hack would be standard practise but what she found was quite the opposite.

“We learned that most attackers don’t bother to cover their tracks, and leave various evidences behind,” says Lazar. “We were surprised to find that only 17 percent made any attempt to cover their tracks. In 15 percent of the penetrations, new sign-in alerts were deleted from the inbox but were left languishing in a trash folder. Only two percent of the attackers permanently deleted new sign-in alerts.”

Lazar adds that the research demonstrated that the phishers are no more careful than their victims when it comes to clicking links.

“We planted various traps within the accounts and most attackers did not hesitate to click the links and open documents—blithely doing so without taking precautionary measures such as using a sandbox or anonymity service,” says Lazar.

The research detected honey account penetrations originating from 167 IP addresses within 18 countries—Nigeria accounted for 55 percent of the penetrations—and Lazar predicted that most accesses would be anonymised through Tor or anonymous proxy services. She was therefore surprised to discover that only 39 percent of the phishers accessed the honey accounts anonymously.

Another surprising discovery was that only 16 percent of the attackers tried to use the same credentials in order to propagate to tied accounts.

“This low percentage was somewhat surprising,” says Lazar. “There are plenty of ways for attackers to use the common practice of password reuse, e.g., propagation to other accounts of the victim or validating stolen credentials or brute-forcing credentials in a weakly protected site, and we expected to see a larger portion of the attackers propagating to tied accounts.”

Scams

Imperva encountered several cases where honey accounts were used to launch further attacks, including spear phishing, phony requests for short-term loans, and even to run an inheritance scam.

“Five of the honey accounts received, at the same time, a curious proposal from one Judith Chan, which occurred almost immediately after leaking one of these accounts to a LinkedIn phishing campaign,” says Lazar.

When the researchers looked deeper into the related email and LinkedIn accounts, they found that one LinkedIn account was accessed the same day as the leakage and assumed the other victims’ addresses were stolen from the contacts list belonging to the exploited account.

“Chan stated she found a profile and country on that social networking site and offered us a chance ‘to fit into an opportunity’,” adds Lazar. “We decided to embark on an adventure by responding to Chan. In doing so she sent us an offer, this time identifying herself as an employee of Llyod’s Bank Uk (sic).”

Chan’s “offer” was the typical will scam, helping a wealthy investor who had died without leaving a will manage a $33 million-plus portfolio. The proposal was for ‘Emma’ (the honeypot account) to claim to be the closest surviving relation, and to share 60 percent of the proceeds with Chan as the “deal initiator/facilitator”.

Of course, these types of scams, which try to get gullible and greedy people to reveal their identities and bank details, are not new but what this shows is how attackers are trying to use social media contacts to harvest more addresses to target. Interestingly though, an account takeover didn’t always happen when account credentials were leaked.

“Even when it does, it’s not always immediate,” says Lazar. “Only 44 percent of our credentials leaked to phishing campaigns were exploited, and only 46 percent of those occurrences (20 percent of the total leaked credentials) happened during the first 24 hours.”

However, while propagation through password reuse was low—16 percent of the cases—it still represents a significant threat to personal information through account takeovers. But what the researchers at Imperva believe is that this has given them invaluable evidence on, not just how to fight back against attackers but prevent them from gaining access in the first place. The cat-and-mouse game continues.