Imperva’s latest Hacker Intelligence Initiative (HII) report, Beyond Takeover – Stories from a Hacked Account, was just released. With this research, we set forth to learn about the dynamics of phishing attacks from the victim’s perspective and shed some light on attacker practices. Our intent was to learn how accounts are taken over once credentials are compromised through a phishing campaign.
To achieve this we maintained 90 personal online accounts (“honey accounts”) over nine months in platforms that are well-known phishing targets. We invited attackers in by leaking the credentials of these accounts to selected phishing campaigns and traced their activity.
One of the more interesting areas of the research was uncovering which practices attackers used to cover their tracks, destroy evidence of their presence and activities in the account, and evade detection. In this post, we’ll share attacker techniques, how they cover their tracks, and three signs that indicate your account has been hacked.
Phishing: A Glance at Attacker Practices
What Do Attackers Look For?
After leaving the front door open, it was interesting to watch what happened in the house once a burglar got in. We spread decoys as breadcrumbs to lure attackers into our traps and we saw many take the bait. We collected and analyzed alerts to reach the (not too surprising) conclusion that attackers first and foremost are looking for sensitive information, such as passwords and credit cards numbers.
Figure 1: Distribution of accessed decoy data types
Manual Labor or Automatic?
We were curious to know whether the attackers worked manually or used automated tools. To answer this, we checked the timing of triggered tokens. We noticed that attackers approached tokenized items selectively rather than sequentially, i.e., only some of the tokens were approached, and not in any visible order. The time intervals between approaches varied widely, ranging from a few seconds to over 10 minutes. Moreover, we saw that 74% of the first decoys were accessed within three minutes of account penetration, which indicates that attackers access the content online manually rather than downloading it and examining it with automated tools. Taken together, these observations indicate that exploration of the accounts was primarily done manually.
How Attackers Cover Their Tracks (But Not All Do!)
Attackers can leave tracks behind during the attack process, such as new-device login alerts or spam messages in the sent items folder. Erasing evidence of a compromise is mandatory for an attacker who wants to remain undetected, keep using and exploring the account, and avoid being traced. We observed three different techniques attackers use to cover their tracks:
- Delete sign-in alerts from the inbox (and permanently delete them from deleted items/trash)
- Delete sent emails and failure notification messages
- Mark read messages as unread
Our research also showed that not all attackers take equal care in covering their tracks. We were surprised to find that only 17% made any attempt to cover their tracks, and those who did used track-covering practices sparingly (see Figure 2):
Figure 2: Percentage of track covering and track covering practices
Attackers’ oversight in covering up their tracks is key to identifying if an account has been hacked.
The Telltale Signs
Since not all attackers cover up their tracks, that means many leave evidence behind. This allows users to be aware that a hack has taken place if they’re looking for the right things in the right places. Here are three telltale signs that an attacker has been in your account.
Telltale Sign #1: Suspicious Sign-In Email Alerts
After a hacker penetrates an account, many visible hints are likely to remain; a simple search of the inbox for suspicious sign-in alert emails will often reveal them.
In only 15% of the account penetrations, we saw that new sign-in alert emails were deleted from the inbox (see Figure 2). Even then, they were usually forgotten and left in the trash folder—only 2% of the attackers deleted a new sign-in alert permanently. Users should be on the lookout for suspicious sign-in email alerts in their inbox and periodically scan deleted items or trash folders for them as well (see Figure 3).
Figure 3: New sign-in alert found in Gmail trash, not deleted by a hacker
Telltale Sign #2: Messages Marked as Read (That You Didn’t Read)
Another technique we saw was attackers marking email messages as unread after opening them, to return the mailbox to its original condition. Figure 4 shows an example from a Yandex email activity log. Yandex is an email provider and search engine used in Russia, Ukraine, Belarus, Kazakhstan and Turkey (its search engine has about a 65% market share in Russia). It is used as an example here because other mail providers (such as Gmail, Yahoo and Microsoft Hotmail/Outlook) don't provide activity logs for read/unread actions. This kind of odd read/unread email activity indicates a hacker has been in the account.
Figure 4: Examples in a Yandex activity log of a perpetrator marking email messages as unread after opening them.
Telltale Sign #3: Sent Items (You Didn’t Send) and Delivery Failure Notification Messages
Thirteen percent of attackers deleted emails they had sent from compromised accounts (such as those sent to launch a new phishing campaign) as well as the delivery failure notification messages that inform the sender a message could not be delivered. Such notifications are typical when an account is used for spamming and the email provider identifies the attempt and blocks the burst of spam emails. Of course, if 13% deleted sent items and failure notifications, then the vast majority—87%—did not and left behind evidence that they had hacked the account.
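As an added example (not code from the report or from Imperva), here is a small Python checker that applies the three telltale signs above to a constructed mailbox export and activity log; the folder names, subject patterns, the `(timestamp, action, message_id)` log format and the sample data are all assumptions.

```python
"""Flag the three telltale signs of an account takeover in a mailbox export.
Assumed input: messages as dicts with id/folder/subject/outgoing, plus an
activity log of (timestamp, action, message_id) tuples. Sample data is constructed."""
import re
from datetime import datetime, timedelta

SIGN_IN_RE = re.compile(r"new (sign-in|login|device)", re.I)
BOUNCE_RE = re.compile(r"delivery (status|failure)|undeliverable|mail delivery failed", re.I)

def sign_in_alerts(messages):
    """Sign #1: sign-in alerts anywhere, including ones swept into Trash."""
    return [m for m in messages if SIGN_IN_RE.search(m["subject"])]

def read_unread_toggles(log, window=timedelta(minutes=10)):
    """Sign #2: a message opened and then marked unread shortly afterwards."""
    opened, hits = {}, []
    for ts, action, mid in log:
        if action == "open":
            opened[mid] = ts
        elif action == "mark_unread" and mid in opened and ts - opened[mid] <= window:
            hits.append(mid)
    return hits

def bounces_and_deleted_sent(messages):
    """Sign #3: delivery-failure notices and outgoing mail that ended up in Trash."""
    bounces = [m for m in messages if BOUNCE_RE.search(m["subject"])]
    deleted_sent = [m for m in messages if m["folder"] == "Trash" and m.get("outgoing")]
    return bounces, deleted_sent

def scan(messages, log):
    """Return message ids per sign; any non-empty list merits a closer look."""
    bounces, deleted_sent = bounces_and_deleted_sent(messages)
    return {
        "sign_in_alerts": [m["id"] for m in sign_in_alerts(messages)],
        "read_unread_toggles": read_unread_toggles(log),
        "bounces": [m["id"] for m in bounces],
        "deleted_sent": [m["id"] for m in deleted_sent],
    }

# Constructed sample: an alert swept to Trash, a deleted outgoing message,
# two bounces, and one open/mark-unread pair 40 seconds apart.
T0 = datetime(2017, 5, 1, 9, 0)
SAMPLE_MESSAGES = [
    {"id": 1, "folder": "Trash", "subject": "New sign-in from Windows", "outgoing": False},
    {"id": 2, "folder": "Inbox", "subject": "Lunch tomorrow?", "outgoing": False},
    {"id": 3, "folder": "Trash", "subject": "Important document", "outgoing": True},
    {"id": 4, "folder": "Inbox", "subject": "Delivery Status Notification (Failure)", "outgoing": False},
    {"id": 5, "folder": "Inbox", "subject": "Mail delivery failed: returning message", "outgoing": False},
]
SAMPLE_LOG = [(T0, "open", 2), (T0 + timedelta(seconds=40), "mark_unread", 2),
              (T0 + timedelta(hours=1), "open", 4), (T0 + timedelta(hours=1, minutes=20), "mark_unread", 4)]

if __name__ == "__main__":
    print(scan(SAMPLE_MESSAGES, SAMPLE_LOG))
```

The open/mark-unread pair on message 4 is 20 minutes apart and so falls outside the default window; tune `window` to the provider's log granularity.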
Despite the various actions attackers used for covering their tracks, many of them left considerable traces in the hacked accounts, showing that in some ways hackers are no different from their victims. Users can be lax when it comes to security awareness and get themselves in trouble by not being more attentive to their actions. Hackers can be sloppy too—their lack of attention can alert a victim that their account has been compromised.
If an account has been compromised, the first course of action should be to change the password. Two-factor authentication remains the tool of choice for protecting accounts from takeover; at a minimum, a recovery email address or phone number should be configured so that alerts about possible threats to the account's security reach an alternative account or device immediately. However, being watchful for attack hints like suspicious items in the sent items or trash folders, suspicious sign-in messages, and messages marked as read that users don't remember reading can lead to early detection of account takeover and give the victim the opportunity to take back control of their account.
For more information, download the HII report: Beyond Takeover – Stories from a Hacked Account.