Phished Account Credentials Mostly Verified in Hours

Almost two-thirds of all phished credentials are verified by attackers within a day and then used in a variety of schemes, including business email compromise and targeting other users with malicious code.

Attackers from 44 countries used look-alike cloud portals to collect users' credentials, verified the majority of username-password combinations in hours, and used them to send malicious payloads and spam to other Internet users and to conduct business email compromise (BEC), email-security firm Agari states in a new report.


The report summarizes a six-month study by Agari researchers, who built an automated system to create 8,000 email accounts and submit them to phishing sites after those sites were discovered. The majority of phishing sites mimicked a Microsoft account or a specific Microsoft service, but a significant number of sites — 26% — were disguised as the login for Adobe Document Cloud.


The attackers also did not give defenders much time to react to a credential compromise, says Crane Hasson, senior director of threat research at Agari. Half of all credentials were verified in 12 hours, and nearly all of the email credentials (91%) were verified in a week.


"Because there's such a big online economy for compromised accounts, many people have the perception that these accounts sit idly by for a period of time before they're sold," he says. "Our research shows this isn't the case."


With more companies moving infrastructure to the cloud, credentials have become the coin of the digital realm. In 2020, attackers inundated websites with credential stuffing attacks — using stolen usernames, email addresses, and passwords against a variety of sites — with Internet infrastructure firm Akamai seeing more than 193 billion failed attempts by attackers to access sites

