Israeli firm hacks the hackers, and has advice how to beat them

What are cyberattackers looking for, and what do they do when they find it? A report by cybersecurity company Imperva has some answers

Illustrative photo of a Mac laptop. (Sophie Gordon/Flash90)

Hackers are a lot like the rest of us, a new study by Israeli cybersecurity firm Imperva shows.

Just as some honest computer users are quick to respond to phishing messages – email scams designed to steal personal information – so do hackers respond to documents and files with titles that hint at the promise of important information, like credit card details or Social Security numbers. Just as many users do not take their cybersecurity seriously, hackers don’t pay much attention to trying to hide their tracks, leaving themselves open to detection.

And just as most users are too busy and overwhelmed with daily tasks to deal with the fine points of cybersecurity, so are hackers overwhelmed with opportunities to hack into accounts that they don’t have the time or resources to take advantage of.

Those are the conclusions of Imperva’s report, “Beyond Takeover – Stories from a Hacked Account,” in which the firm’s researchers sought to get into the minds of hackers by doing some “phishing” of their own. Just as hackers gain entry into their victims’ accounts by dangling email messages with tantalizing subject lines like “Trump and Hillary’s Secret Affair – see the pictures here,” the Imperva crew, with help from students at the Technion-Israel Institute of Technology, set up “honeypot” accounts.

These fake user accounts, on services like Gmail and Dropbox, were seeded with rich content. Their usernames, passwords and other details were then released on the dark web in the hope that hackers would take the bait. For months, Imperva researchers tracked the activities of those they hooked in order to determine how the mind of a hacker works. After logging some 200 hits from hackers on the compromised accounts, the team began its analysis.

But just as many victims don’t protect their accounts — using, for example, easy-to-guess passwords like “123456” or “password” — many hackers don’t bother to protect their own identities.

Hackers could take steps to avoid detection by restoring an account they rifled through to its previous state — deleting sign-in alerts from inboxes, deleting sent emails that the user didn’t send, marking read messages as unread and editing activity logs, the report said.

“We were surprised to find that only 17% made any attempt to cover their tracks. And those who did sparingly used track covering practices,” said the Imperva team.
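The track-covering actions the report lists are themselves detection signals: a sign-in alert deleted minutes after an unfamiliar login, a sent message removed right after it was sent, or mail re-marked unread. The script below is an added illustration, not code or data from the Imperva report; the audit log format, the IP addresses, the "known IPs" heuristic and the 15-minute session window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed mailbox audit log (not data from the Imperva report); one event
# per line: ISO timestamp, client IP, event name, detail.
SAMPLE_LOG = """\
2017-09-01T08:00:00 198.51.100.7 login ok
2017-09-01T08:00:05 198.51.100.7 mail_received sign-in-alert
2017-09-02T22:14:00 203.0.113.9 login ok
2017-09-02T22:14:03 203.0.113.9 mail_received sign-in-alert
2017-09-02T22:15:40 203.0.113.9 mail_deleted sign-in-alert
2017-09-02T22:20:00 203.0.113.9 mail_sent to:partner@example.com
2017-09-02T22:21:30 203.0.113.9 sent_deleted to:partner@example.com
2017-09-02T22:25:00 203.0.113.9 mark_unread invoice-thread
"""
KNOWN_IPS = {"198.51.100.7"}            # owner's usual addresses (constructed)
SESSION_WINDOW = timedelta(minutes=15)  # actions this soon after a login belong to it

def parse_log(text):
    """Turn the text log into (timestamp, ip, event, detail) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, event, detail = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), ip, event, detail))
    return events

def track_covering_findings(text, known_ips=KNOWN_IPS, window=SESSION_WINDOW):
    """Flag logins from unfamiliar IPs whose session shows the anti-forensic
    actions the report lists: deleting a sign-in alert, deleting a sent mail
    the owner did not write, or re-marking read mail as unread."""
    events = parse_log(text)
    findings = []
    for ts, ip, event, _detail in events:
        if event != "login" or ip in known_ips:
            continue
        session = [e for e in events if e[1] == ip and ts <= e[0] <= ts + window]
        reasons = []
        if any(e[2] == "mail_deleted" and e[3] == "sign-in-alert" for e in session):
            reasons.append("sign-in alert deleted")
        if any(e[2] == "sent_deleted" for e in session):
            reasons.append("sent message deleted")
        if any(e[2] == "mark_unread" for e in session):
            reasons.append("read mail re-marked unread")
        if reasons:
            findings.append({"ip": ip, "login": ts.isoformat(), "reasons": reasons})
    return findings
```

On the sample log this flags only the second login, with all three reasons; the owner's own session from a known address is left alone.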

Not surprisingly, said the research team, “attackers first and foremost are looking for sensitive information, such as passwords and credit card numbers.”

The compromised accounts included files whose names suggested they contained important business or banking data, and hackers went for those first. But, defying the researchers’ expectations, the hackers did not explore the compromised accounts methodically. The timing of their work, and the fact that they skipped over some files with appealing titles but examined others, “indicates that attackers access the content online manually and do not download and examine it with automated tools,” as might have been expected, the report said.

Perhaps the most important finding of the study was related to that lack of automation. “Attackers aren’t quick to act,” said the team. “More than 50 percent of the accounts were accessed 24 hours or more after the credential takeover. The result is a brief window where, if the attack is suspected, a quick password change results in a 56 percent chance of preventing an account takeover.”

This means that if hacking victims act quickly enough and change their password after they suspect their account has been compromised, they may foil the attackers.

If the password they acquired on the dark web doesn’t work, the chances are good that hackers will move on, according to the report.

“Less than half of the leaked credentials were exploited by attackers,” said the team. “One explanation for this could be that attackers have access to so much data they don’t have enough time to explore it all.” If that’s the case, hackers would be likely to take the path of least resistance – attacking only victims they could easily hack, and moving on to the next target if they encounter resistance.

“By studying cyberattackers, we’ve learned many things, including that most attackers don’t bother to cover their tracks, which means they leave evidence behind,” said Itsik Mantin, head of data research at Imperva.

“Furthermore, if we can quickly detect an attack, we then know that swift remediation including a simple password change significantly reduces the odds of a successful attack. This lesson proves the value of incorporating threat-intelligence and breach detection solutions that quickly detect and help mitigate this risk.”
