Applying CSI techniques to email account compromises has revealed the strategies that cybercriminals use to squeeze maximum returns from their heists.
More than one-third of hijacked email accounts have had attackers dwelling in the account for more than one week. Also, 20% of compromised accounts had appeared in at least one online password data breach, which suggests that cybercriminals are exploiting the tendency for employees to use the same login credentials for both personal and organizational accounts.
These and other findings come from research conducted over the past year by researchers from Barracuda Networks and UC Berkeley, drawing on respondents from 111 organizations across the Asia-Pacific, Europe, the Middle East and Africa (EMEA) and the United States.
In 31% of email compromises studied, one set of attackers focuses on compromising accounts and selling account access to another set of cybercriminals who focus on monetizing the hijacked accounts.
Furthermore, 78% of attackers did not access any applications outside of email.
Economy in effort
The report reveals a specialized economy of actions by attackers around email account takeovers. In examining 159 compromised accounts from these organizations, the researchers looked at how account takeovers happened, how long attackers had access to the compromised account, and how attackers used and extracted information from these accounts.
This painted a picture of the lifecycle of hijacked accounts and of how cybercriminals think and behave, insights that can provide useful guidance for organizations in their cybersecurity efforts.
Said James Forbes-May, Vice President, Barracuda, Asia-Pacific: “Cybercriminals are getting stealthier and finding new ways to remain undetected in compromised accounts for long periods of time so they can maximize the ways they can exploit the account, whether that means selling the credentials or using the access themselves. Being informed about attacker behavior will help organizations in Asia to put the proper protection in place so they can defend against these types of attacks and respond quickly if an account is compromised.”