Researchers at Imperva recently set up fake online accounts and intentionally allowed themselves to be phished by scammers in order to observe how cybercriminals behave after they come into possession of a victim's credentials.
Interestingly, only 46 percent of the account compromises witnessed by Imperva took place within the first 24 hours after the credentials were initially phished, demonstrating that exploitation wasn't always immediate. This could be a critical window for phishing victims to reset their security information before the attacker hijacks the account completely.
Once inside the "honeypot" accounts, the scammers were most often interested in looking for passwords, followed by credit card data, business supplier and customer information, and contacts. Of the 114 alerts that Imperva received regarding unauthorized activity in 20 specific honeypot accounts, 52 percent were attempts to retrieve passwords.
Imperva's findings were released in a report, blog post and press release on Wednesday, in time for distribution at Black Hat 2017. SC Media caught up to Itsik Mantin, director of security research at Imperva, at Black Hat, where he addressed his company's nine-month undercover operation.
"We phished the phishers," said Mantin, noting the hackers generally performed their compromises manually as opposed to using automated tools such as bots -- which could in part explain why they weren't especially quick to take over phished accounts.
Nor did every criminal take advantage of the opportunity: Of the 200 separate credential leaks that Imperva deliberately initiated, only 44 percent resulted in account exploitation. Among those instances, 34 percent resulted in repeated penetrations, while 23 percent resulted in attempts to probe for key data.
Imperva created 90 fake accounts in total, subscribing to everything from email services to storage services to social networking accounts. The accounts all shared the same credentials -- an intentional strategy to see if any attackers would attempt to reuse phished credentials across multiple accounts. Surprisingly, of the phishers who actually accessed a fake account, only 16 percent tried reusing their ill-gotten credentials on a second, tied account.
According to the Imperva report, phished accounts were recruited into a spam botnet several times, and one account was actually fully hijacked, with the attacker locking out the original account owner.