Tactics Used by Phishing Hackers

I write a lot about phishing scams, but rightfully so. They continue to be a popular and extremely effective way of downloading malware and getting access into networks. As long as people continue to be fooled or unable to recognize them, phishing emails will remain a popular tool for hackers.

But what is it like from the hacker’s point of view? What are they doing when they get into your account? What kind of tactics are they using?

That’s what a new study from Imperva set out to discover. The researchers went undercover by creating several fake user accounts and then deployed techniques to lure in the criminals and tracked them over the span of nine months. The end result was a report detailing common patterns in phishing attacks and how hackers find and use data in compromised accounts.

According to the executive summary, some of the questions that the researchers wanted answered included: How long does it take from the time the account is hacked to exploitation of the data; how do phishers look for their targets and what type of decoys work best to lure them in; and how do hackers use security practices to hide their tracks?

Perhaps not too surprisingly, the hackers are after business data (this may explain the increase in spearphishing and whaling tactics; go after the biggest targets in a company if you want the most data). To find where that data is lurking, hackers searched for subject lines that included information like financial information or customer database.

More surprisingly, hackers don’t exploit as much information as we think. Less than half of the compromised credentials ended up used. The researchers speculated that this could be due to the overwhelming amount of data they are able to dig up and they have too much.

As for covering their tracks, an Imperva blog explained it this way:

We observed three different techniques attackers use to cover their tracks:

Delete sign-in alerts from the inbox (and permanently delete them from deleted items/trash)

Delete sent emails and failure notification messages

Mark read messages as unread

Yet, only a fraction – 17 percent – cover their tracks.

The stat that really stunned me, though, is that the attackers aren’t as quick to act as we may have thought. The general theory is that once an attack happens, time is of the essence and that information is compromised quickly. Instead, the research found more than 50 percent of the accounts were accessed 24 hours or more after the credential takeover. The result is a brief window where if the attack is suspected, a quick password change results in a 56 percent chance of preventing an account takeover.

As Itsik Mantin, head of data research at Imperva, said in a formal statement about the research:

If we can quickly detect an attack, we then know that swift remediation including a simple password change significantly reduces the odds of a successful attack. This lesson proves the value of incorporating threat-intelligence and breach detection solutions that quickly detect and help mitigate this risk.

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba