Email Security Blog

Inside a Compromised Account: How Cybercriminals Use Credential Phishing to Further BEC Scams

Crane Hassold June 8, 2021 BEC

Why would a cybercriminal spend time developing malware when he can simply trick unsuspecting users into handing over their passwords? Why would a threat actor spend her money and resources on ransomware, when she can get that same information through a compromised account? It’s a good question, and exactly what the Agari Cyber Intelligence Division wanted to discover.

In a growing trend known as credential phishing, threat actors impersonate legitimate brands and services by crafting similar-looking websites where unsuspecting users enter their account information. Once entered, account details are forwarded to the cybercriminals, completely bypassing malware detection software. From there, those criminals can do what they want—often for years and without being detected. And now with enterprise migration toward cloud-based email and services, credential phishing is more popular than ever.

In order to better understand the problem, we seeded over 8,000 phishing sites with credentials under our control and then monitored these accounts to directly observe the actions taken by a cybercriminal post-compromise. The results were astounding.

Our research showed that nearly a quarter of compromised accounts were automatically accessed at the time of compromise to validate the authenticity of the credentials. And regardless of whether credentials were automatically validated, nearly all of the compromised accounts (92%) were accessed manually by a threat actor.

Almost one in five accounts were accessed within the first hour post-compromise, and nearly all of them were accessed within a week of being compromised. And while a majority of compromised accounts were accessed only once, we observed a number of examples where a cybercriminal maintained persistent and continuous access to a compromised account.

We traced threat actors accessing compromised accounts to 44 countries around the world. Mirroring the findings in our Geography of BEC report, Nigeria was far and away the top location for individuals accessing compromised accounts, which supports the link between response-based BEC attacks and credential phishing BEC attacks. The United States was the second-most common location for mailbox hackers, followed by South Africa, the United Arab Emirates, the United Kingdom, and Turkey.

The most important part of our research directly observed how cybercriminals exploit a compromised account. As we detail in the threat intelligence brief, we saw scammers create forwarding rules; pivot to other applications, including Microsoft OneDrive and Microsoft Teams; attempt to send outgoing phishing emails, sometimes by the thousands; and use the accounts to set up additional BEC infrastructure.
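As an added illustration (not code from the Agari report), the sketch below flags two of the post-compromise behaviours described above in a constructed, simplified audit-event schema: inbox rules that forward or redirect mail outside the organisation, and consecutive logins by the same user from different countries within a short window. The event format, sample addresses and the `RULE_OPS`/`FORWARD_KEYS` names are assumptions for this example, not a vendor log format.

```python
"""Flag two post-compromise behaviours described in the research: inbox rules
forwarding mail outside the organisation, and logins that hop countries."""
from datetime import datetime, timedelta

# Constructed sample events (simplified schema, not a vendor format; UTC times).
EVENTS = [
    {"time": "2021-06-01T09:00:00Z", "user": "alice@example.com",
     "op": "Login", "country": "US"},
    {"time": "2021-06-01T09:42:00Z", "user": "alice@example.com",
     "op": "Login", "country": "NG"},
    {"time": "2021-06-01T09:45:00Z", "user": "alice@example.com",
     "op": "New-InboxRule",
     "params": {"ForwardTo": "drop@example.net", "DeleteMessage": True}},
    {"time": "2021-06-01T10:10:00Z", "user": "bob@example.com",
     "op": "New-InboxRule", "params": {"MoveToFolder": "Archive"}},
    {"time": "2021-06-01T11:00:00Z", "user": "carol@example.com",
     "op": "Set-InboxRule", "params": {"RedirectTo": "carol@example.com"}},
]
RULE_OPS = ("New-InboxRule", "Set-InboxRule")          # assumed operation names
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")

def external_forwarding_rules(events, org_domain):
    """(user, param, target, deletes_original) for rules sending mail outside org_domain."""
    hits = []
    for ev in events:
        if ev["op"] not in RULE_OPS:
            continue
        params = ev.get("params", {})
        for key in FORWARD_KEYS:
            target = params.get(key)
            # Internal redirects (e.g. to the user's own address) are not flagged.
            if target and not target.lower().endswith("@" + org_domain.lower()):
                hits.append((ev["user"], key, target, bool(params.get("DeleteMessage"))))
    return hits

def country_hops(events, max_gap=timedelta(hours=24)):
    """(user, from, to, minutes) for consecutive logins from different countries within max_gap."""
    last, hops = {}, []
    for ev in sorted(events, key=_ts):
        if ev["op"] != "Login":
            continue
        prev = last.get(ev["user"])
        if prev and prev["country"] != ev["country"] and _ts(ev) - _ts(prev) <= max_gap:
            minutes = int((_ts(ev) - _ts(prev)).total_seconds() // 60)
            hops.append((ev["user"], prev["country"], ev["country"], minutes))
        last[ev["user"]] = ev
    return hops
```

The forwarding check deliberately treats a rule that also deletes the original message as a distinct signal, since that combination hides the exfiltration from the mailbox owner.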

We hope this research provides an in-depth first look at how destructive credential phishing attacks can be, and demonstrates why these less technically sophisticated cyber attacks continue to increase in popularity.

Read the Anatomy of a Compromised Account for further details on how compromised accounts are used, and how they contribute to additional BEC scams.
