Email account hijackers have created a specialized economy in which they sell account information to other cyber criminals while often dwelling in accounts for extended periods, according to "Spear Phishing Top Threats and Trends," a study by Barracuda.
The study found that attackers dwell in over 37% of compromised accounts for at least one week.
For 49%, the compromise lasts fewer than 24 hours, and for 14%, from one day to one week. And it goes on for more than one month for 4%.
In addition, 20% of compromised accounts turn up in at least one password data breach.
But only 7% of the purloined accounts are used to send phishing emails. Of those, 37% take less than one day; 63%, three days.
In 31% of the cases, attackers sell account access to other attackers, who then try to monetize the hijacked accounts.
However, in 50% of the incidents, the same party compromises and utilizes the account. Another 19% of the episodes are “unclassified.”
Of the attacks observed, 78% only access email-related Office 365 applications, and 22% went for non-email uses, including Microsoft Sharepoint.
“Cybercriminals are getting stealthier and finding new ways to remain undetected in compromised accounts for long periods of time so they can maximize the ways they can exploit the account, whether that means selling the credentials or using the access themselves,” states Don MacLennan, senior vice president, engineering, email protection at Barracuda.
Researchers at Barracuda and UC Berkeley studied 159 compromised accounts spanning 111 organizations. They explored ISP data, devices used to perform activities, geo-location of access, duration of an attack and the length of time gaps in attacker activity.