It stands to reason that hackers will spend more of their time and energy targeting the places and systems where most people reside. It’s one of the reasons why Windows-based platforms have traditionally been more heavily targeted than Apple-based platforms. It's perhaps no surprise, therefore, that a new paper from cybersecurity firm Agari found that Microsoft product pages were most commonly mimicked by cybercriminals in phishing attacks.
The researchers fed around 8,000 known phishing sites with credentials that were under the team's control to monitor how the criminals would use them. The results show that around a quarter of the compromised accounts were accessed almost instantaneously in order to validate their authenticity. What's more, the researchers were able to narrow these attacks down to just a handful of threat actors based on their approach.
"Regardless of whether credentials were automatically validated, nearly all of the compromised accounts (92%) were accessed manually by a threat actor," the researchers say. "Almost one in five accounts were accessed within the first hour post-compromise, and nearly all (91%) of the accounts were accessed within a week after they were compromised."
When criminals exploit an account, the researchers found that they often follow a number of strategies, including creating forwarding rules, sending more phishing emails, using the accounts to set up additional business email compromise (BEC) infrastructure, or pivoting to other applications.
The research shows that 73% of phishing attacks currently impersonate web pages related to Microsoft products, with Adobe-related fake pages used in 26% of attacks. The authors highlight how access to the cloud allows cybercriminals to easily inject malicious files, such as malware, into the documents of victims. What's more, with more of us working online via cloud-based accounts, the potential to access company-related information opens up the possibility of data being sold online or being used for blackmail.
"By tricking people into giving up their credentials, threat actors can use legitimate accounts to run their malicious schemes — a dream come true from their perspective," the authors say. "With this access, they can sit for weeks or months, waiting for the perfect opportunity to score thousands (or hundreds of thousands) of dollars."
Once the hackers have access to an account, they commonly change the sharing permission of files so that they can easily be spread among their network or to other targeted accounts via social media. These malicious activities usually happen almost instantaneously, with attackers using automated tools to authenticate the credentials and then manually taking over the accounts within an hour.
Within 6 hours of the breach, some 40% of accounts had been manually accessed by the attackers, and 50% within 12 hours. The speed with which the attackers act means that many victims may have lost considerable amounts of information before realizing that they’ve been compromised.
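The behaviours described above (scripted validation of stolen credentials, a manual login shortly after, then forwarding rules, sharing changes and outbound mail) are exactly what a defender would look for in an account's audit trail. The script below is an added example, not code from the article or from Agari: it takes a known credential-submission time and a handful of constructed audit events, separates scripted from interactive sign-ins with a user-agent heuristic (an assumption, not a rule from the paper), maps time-to-access onto the 1h/6h/12h/1-week windows the article reports, and flags the post-compromise operations the article names. Operation names are modelled on Microsoft 365 unified audit log names, but the record layout and all sample values are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the Agari study): one user submitted
# credentials to a monitored phishing page at SUBMITTED_AT; EVENTS imitates
# the account's audit trail afterwards. Operation names are modelled on
# Microsoft 365 unified audit log names; the record layout is our own.
SUBMITTED_AT = {"user": "alice@example.com", "time": "2021-05-03T09:00:00"}

EVENTS = [
    {"time": "2021-05-03T09:02:10", "user": "alice@example.com", "op": "UserLoggedIn",
     "ip": "198.51.100.7", "agent": "python-requests/2.25.1"},
    {"time": "2021-05-03T09:41:00", "user": "alice@example.com", "op": "UserLoggedIn",
     "ip": "203.0.113.5", "agent": "Mozilla/5.0 (Windows NT 10.0)"},
    {"time": "2021-05-03T09:44:30", "user": "alice@example.com", "op": "New-InboxRule",
     "detail": "ForwardTo=collector@attacker.example"},
    {"time": "2021-05-03T10:15:00", "user": "alice@example.com", "op": "SharingSet",
     "detail": "AnyoneWithLink"},
    {"time": "2021-05-04T14:00:00", "user": "alice@example.com", "op": "Send",
     "detail": "recipients=41"},
    # Unrelated user; must be ignored by the triage.
    {"time": "2021-05-03T09:30:00", "user": "bob@example.com", "op": "UserLoggedIn",
     "ip": "192.0.2.9", "agent": "Mozilla/5.0 (Windows NT 10.0)"},
]

# Reporting windows used in the article: 1 hour, 6 hours, 12 hours, 1 week.
WINDOWS = [("1h", timedelta(hours=1)), ("6h", timedelta(hours=6)),
           ("12h", timedelta(hours=12)), ("1w", timedelta(weeks=1))]

# Heuristic (our assumption): a non-browser user agent suggests scripted
# credential validation rather than an interactive takeover.
SCRIPT_AGENT_MARKERS = ("python-requests", "curl", "go-http-client", "okhttp")

# Post-compromise operations the article names: forwarding rules, file
# sharing changes, outbound mail from the account.
RISKY_OPS = {"New-InboxRule", "Set-InboxRule", "SharingSet", "Send"}


def parse(ts):
    return datetime.fromisoformat(ts)


def bucket(delta):
    """Map a time-since-compromise delta onto the article's reporting windows."""
    for label, limit in WINDOWS:
        if delta <= limit:
            return label
    return ">1w"


def is_scripted(event):
    agent = event.get("agent", "").lower()
    return any(marker in agent for marker in SCRIPT_AGENT_MARKERS)


def triage(submission, events):
    """Summarise what happened to one account after its credentials were phished."""
    t0 = parse(submission["time"])
    mine = sorted(
        (e for e in events if e["user"] == submission["user"] and parse(e["time"]) >= t0),
        key=lambda e: e["time"],  # ISO-8601 strings sort chronologically
    )
    logins = [e for e in mine if e["op"] == "UserLoggedIn"]
    auto = next((e for e in logins if is_scripted(e)), None)
    manual = next((e for e in logins if not is_scripted(e)), None)
    indicators = [(e["op"], e.get("detail", "")) for e in mine if e["op"] in RISKY_OPS]
    forwarding = any(op.endswith("InboxRule") and "ForwardTo=" in detail
                     for op, detail in indicators)
    return {
        "user": submission["user"],
        "auto_validated": auto is not None,
        "auto_validation_bucket": bucket(parse(auto["time"]) - t0) if auto else None,
        "manual_access_bucket": bucket(parse(manual["time"]) - t0) if manual else None,
        "indicators": indicators,
        "external_forwarding": forwarding,
        # Any named post-compromise action is enough to start containment
        # (reset credentials, revoke sessions, remove the rule).
        "escalate": bool(indicators),
    }


if __name__ == "__main__":
    print(triage(SUBMITTED_AT, EVENTS))
```

In a real deployment the compromise time would come from the phishing-page telemetry or the user's report, and the events from an audit log export; the triage output is what a responder needs first: whether the account was validated automatically, how quickly someone logged in interactively, and whether a forwarding rule now leaks mail outside the tenant.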
The pandemic has made gaining access to work-related email especially attractive for criminals, who are taking advantage of the rapid transition to cloud-based platforms and remote working to capitalize on lax cybersecurity practices. If cybercriminals gain access to someone's Microsoft account, they can easily host malicious pages, send malicious emails, or create malicious documents. This allows them to spread their attack far more efficiently and effectively. As such, the authors urge employers to do more to encourage multi-factor authentication on any work-related accounts, as part of a wider cyber hygiene process that ensures work accounts, systems, and data are secure in a hybrid work environment.
"With enterprise migration toward cloud-based email and services, credential phishing is more popular than ever, underscoring the importance of advanced email protection to prevent those emails from ever reaching the inbox," the authors conclude. "It’s only by blocking credential phishing attempts and eliminating the opportunity for people to provide their credentials that we can prevent compromised accounts and the malicious activity that comes with them."