How Bad Actors Take Over Email Accounts

Rob Long

Email accounts are highly valued and sought after targets for bad actors and myNetWatchman data shows it. Over the past 30 days, live data monitoring shows a daily average of 7.5 million illegitimate login attempts to access an email account, targeting an average of 2.5 million unique mailboxes each day. Access to an email account is valuable to fraudsters as it is a launching point for a multitude of other attacks.


In Anatomy of Email Compromise we talked about what we see bad actors do once they’ve gained access to an email account. Today we are discussing the methods we observe bad actors using to gain and maintain email account access.


Email accounts are particularly vulnerable when considering the confluence of these two factors:

  1. Consumers often reuse not only passwords, but credential pairs (a password and username/email used in combination).

  2. Billions of credential pairs have been compromised in data breaches.


This makes it quite easy for bad actors to simply attempt accessing email accounts by using the email and password combination compromised in any data breach.


Techniques bad actors use to gain access to an email account

  • Credential Stuffing involves attempting credential pairs compromised in one or multiple data breaches against login pages of organizations unaffiliated with the data breach where the credential pair was compromised. Often, credential stuffing attacks target a large list of organizations where a consumer may have created a user account with the same credential pair. This is a high-volume attack, typically executed by bots, with a low percentage rate of success. However, even a success rate of less than one percent on millions of attempts is fruitful.


    Credential stuffing attacks against email accounts take a more targeted approach. Many organizations have users create accounts and login with an email address rather than a username, so when a credential pair compromised anywhere includes an email address, that tells bad actors exactly where to attempt Account Takeover (ATO) against the email inbox – they just look at the email domain. When a bad actor knows a username that is not an email, they will often attempt the username as the email address root. For example, the username Bob123 would lead to ATO attempts against Bob123@gmail.com, Bob123@outlook.com, and so on.


  • Phishing is a form of social engineering using manipulation and deception to get the victim to do what the attacker wants, whether that is clicking a link, downloading a malicious file or giving away information. Phishing generally refers to these social engineering attempts via email, while variations like SMiShing (SMS text message-based) and Vishing (voice-based phishing, via phone calls or voicemails) employ the same tactics via different delivery methods. These typically attempt to create a sense of urgency such as saying a transaction was made or an account is being shut down. These can be very convincing and mimic real brands or organizations the victim patronizes. If the victim clicks a link or downloads a file, it may be spyware that captures credentials they enter on their device. A link may instead go to what looks like a real login page, but in reality the victim is providing their login details directly to the bad actors.


  • Spear Phishing is an advanced form of phishing where the attacker targets a specific individual within an organization. The attacker will research the target via public information, social media and more. Targeted phishing emails will purport to be from someone the target knows, and the content of the email will be plausible. They may go as far as to simultaneously coordinate a SIM swap attack (ATO of the target's phone number) to receive authentication codes and get around two-factor authentication.


Maintaining access to an email account

  • Because a victim’s mailbox is so valuable and useful to a bad actor, they will spend the (relatively low) effort to keep access to the mailbox. Mainly this entails deleting anything that comes into the inbox intended to tip the true accountholder off that their email may have been accessed by someone else. This includes email notifications of a login attempt or successful login from a new device, location or IP address. The bad actor can easily delete this from not only the Inbox, but the Trash folder as well. myNetWatchman data shows that these techniques work to maintain access to the account. To test this, myNetWatchman took a random sample of 100,000 email accounts known to be recently accessed by bad actors, and could see that 30 percent of them had been compromised for more than 2 years.


Email Reputation can tell organizations if an email address is being targeted by credential stuffers, and to what extent. This information helps organizations better understand risk, and act accordingly, at the login and account creation events. Email Reputation not only tells whether a given email address is being targeted by bad actors, but also:

  • How many different passwords have been attempted in tandem with this email

  • Against how many different sites this email has been attempted

  • How many credential stuffing attacks against this email have been successful (that is, supplied the correct password)

  • The timeframe of these attempts

  • If the email inbox was accessed by a bad actor, when and for how long or how recently

  • What the bad actor is searching for in the mailbox, shedding light on what they are likely to target next
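The first four signals above can be derived from ordinary authentication logs. The following is an added example, not myNetWatchman's code: it aggregates per-email signals (distinct passwords tried, distinct sites, successes, time span) from constructed log lines in an assumed format, and flags mailboxes where a success landed amid stuffing activity. Logging a short hash prefix of the attempted password rather than the password itself is an assumption of the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (assumed format, one login attempt per line).
# "pw" is a hash prefix of the attempted password; the password itself is never logged.
SAMPLE_LOG = [
    "2024-03-01T10:00:01Z site=shop.example email=bob123@example.com pw=a1b2 result=fail",
    "2024-03-01T10:00:03Z site=shop.example email=bob123@example.com pw=c3d4 result=fail",
    "2024-03-01T10:00:04Z site=bank.example email=bob123@example.com pw=e5f6 result=fail",
    "2024-03-01T10:00:06Z site=mail.example email=bob123@example.com pw=0718 result=success",
    "2024-03-01T10:05:00Z site=shop.example email=alice@example.com pw=9a9a result=fail",
    "2024-03-01T10:06:00Z site=shop.example email=alice@example.com pw=9a9a result=success",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) site=(?P<site>\S+) email=(?P<email>\S+) pw=(?P<pw>\S+) result=(?P<result>\S+)$"
)

def email_signals(lines):
    """Aggregate per-email signals: distinct passwords, distinct sites, successes, time span."""
    sig = defaultdict(lambda: {"passwords": set(), "sites": set(), "successes": 0,
                               "attempts": 0, "first": None, "last": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        s = sig[m["email"]]
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        s["attempts"] += 1
        s["passwords"].add(m["pw"])
        s["sites"].add(m["site"])
        if m["result"] == "success":
            s["successes"] += 1
        s["first"] = ts if s["first"] is None or ts < s["first"] else s["first"]
        s["last"] = ts if s["last"] is None or ts > s["last"] else s["last"]
    return sig

def is_targeted(s, min_passwords=3, min_sites=2):
    """Stuffing tries many passwords or many sites against one email in a short span;
    a legitimate user mistyping a single password does neither."""
    return len(s["passwords"]) >= min_passwords or len(s["sites"]) >= min_sites

def risky_logins(lines, **thresholds):
    """Emails that were successfully logged into while showing stuffing activity,
    i.e. the accounts to step up verification on or alert the accountholder about."""
    return sorted(e for e, s in email_signals(lines).items()
                  if is_targeted(s, **thresholds) and s["successes"] > 0)
```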


There are many actions consumers can take to better protect themselves against email ATO and it starts with using unique and secure passwords. If a consumer is using a shared password, they should assume that password has been compromised with one of the accounts that use it. The best way consumers can fight back against credential stuffing is to ensure that when any account they hold is associated with a data breach, that compromised password cannot be used against them elsewhere.


It would be great if all consumers took the measures to protect their accounts themselves, but we won’t hold our breath. In the meantime, Email Reputation alerts organizations when user credentials are being targeted or at high risk.
