We always knew that there was an underground economy for hackers. In this Tor-based world, hackers trade credentials, share techniques, hawk hacking tools and even offer hacking as a service.
In its report “Spear Phishing: Top Threats and Trends Vol. 4 - Insights into attacker activity in compromised email accounts,” security firm Barracuda Networks highlighted that hackers are creating a new specialized economy around email account takeover.
Barracuda researchers teamed up with researchers at UC Berkeley to study the end-to-end lifecycle of a compromised account. Examining 159 compromised accounts that span 111 organizations, they found that over one-third of the hijacked accounts had attackers dwelling in the account for more than one week.
The report hypothesized that the long duration (which is unusual for attacks) could reflect the amount of time needed to sell or hand over login credentials to other hackers on the dark web.
One-fifth (20%) of compromised accounts appear in at least one online password data breach. This shows that hackers are reusing credentials across employees’ personal and business accounts. Hackers are also using the information from compromised accounts to set up impersonating domains and launch conversation hijacking attacks.
More worrying is how such breaches show teamwork among hackers. For email breaches, Barracuda sees coordination between two teams of hackers. In 31% of these compromises, one set of attackers focuses on compromising accounts and then sells account access to another set of cybercriminals who focus on monetizing the hijacked accounts.
“Cybercriminals are getting stealthier and finding new ways to remain undetected in compromised accounts for long periods of time so they can maximize the ways they can exploit the account, whether that means selling the credentials or using the access themselves,” said Don MacLennan, senior vice president for engineering in email protection at Barracuda Networks.
“Being informed about attacker behavior will help organizations put the proper protection in place so they can defend against these types of attacks and respond quickly if an account is compromised,” he added.