Agari Gave Phishing Actors Credentials to See What They Do

  • Agari has conducted an experiment, seeding its credentials to 8,000 phishing domains.
  • The actors were relatively quick to access the compromised accounts and did so through web browsers.
  • Most of the actors are based in Nigeria, although the first stage of the phishing operation is supported by other countries.

Phishing is a standard method of tricking people into giving away their credentials by making them believe they’re about to login onto their accounts on a website that looks legit. It is a cheap, effective, and easy way for actors to steal accounts and access valuable information or systems/networks. Agari has decided to carry out an experiment to better understand how these actors move, so they seeded over 8,000 phishing sites with credentials under its control to see what they do.

The first question is how quickly the actors would access the accounts they held the credentials for. As shown in the following diagram, half of the accounts were accessed within 12 hours of the phishing event, while 91% were accessed within the first week after the compromise.

In 18% of the cases, which is a significant percentage, the actors moved quickly and accessed the accounts within 60 minutes. All in all, victims of phishing attacks don’t have much time to realize what happened and reset their passwords before they lose access to their accounts forever.

Source: Agari

The second question is how the actors accessed the accounts. In the vast majority of the cases (85%), the phishing actors used a browser, while those who opted for an email client were few (15%). Notably, 35% of the phishing actors use macOS, which is much higher than the average market share for Apple’s OS. This tells us that crime pays well for phishing actors. And finally, a notable 4% is still using the outdated and insecure Windows 7.

Source: Agari

The third question is where the actors are located, although this is complicated due to the use of proxies and VPN tools. Agari clarified that only 25% of the actors didn’t use some form of a location-masking tool, and from the remainder, they were able to identify a small portion that had IP address leakage problems.

Source: Agari

In summary, the researchers figured the real location of 41% of the actors, and interestingly, China, Russia, and North Korea aren’t even on the list. Those three are typically accused of hacking by western countries, but we can see that they are not involved in petty-level phishing.

Source: Agari

The champion country for this is Nigeria, followed by the United States, South Africa, the UAE, the UK, Turkey, Canada, and Kenya. However, as the researchers point out, Russia, Eastern Europe, and North Africa still play a role in the phishing game, as they are usually involved in the initial compromise stage.



NBCUniversal’s Streaming Platform ‘Peacock’ Is Landing on Amazon’s Fire TV Today

Users of Fire TV devices will finally be able to enjoy ‘Peacock’ content on their Amazon hardware.This has been requested warmly by...

Dell Fixes Multiple BIOS Vulnerabilities Affecting Millions of Its Computers

Tens of millions of Dell computers are vulnerable to arbitrary remote code execution flaws.The problem lies in BIOS components that come as...

Former Executives of French Spyware Firms ‘Nexa’ and ‘Amesys’ Indicted for Aiding Torture

Four former executives of two French spyware firms have been indicted in Paris for aiding torture in Africa.These people were determined to...