[BreachExchange] Israeli firm hacks the hackers, and has advice how to beat them

Destry Winant destry at riskbasedsecurity.com
Thu Aug 17 08:28:03 EDT 2017


http://www.timesofisrael.com/israeli-firm-hacks-the-hackers-and-has-advice-how-to-beat-them/

Hackers are a lot like the rest of us, a new study by Israeli
cybersecurity firm Imperva shows.

Just as some honest computer users are quick to respond to phishing
messages – email scams designed to steal personal information – so do
hackers respond to documents and files with titles that hint at the
promise of important information, like credit card details or Social
Security numbers. Just as many users do not take their cybersecurity
seriously, hackers don’t pay much attention to trying to hide their
tracks, leaving themselves open to detection.

And just as most users are too busy and overwhelmed with daily tasks
to deal with the fine points of cybersecurity, so are hackers
overwhelmed with opportunities to hack into accounts that they don’t
have the time or resources to take advantage of.

Those are the conclusions of Imperva's report, "Beyond Takeover – Stories
from a Hacked Account," in which the firm's researchers sought to get
into the minds of hackers by doing some "phishing" of their own. Just
as hackers gain entry into their victims' accounts by dangling email
messages with tantalizing subject lines like "Trump and Hillary's
Secret Affair – see the pictures here," the Imperva crew, with help
from students at the Technion-Israel Institute of Technology, set up
"honeypot" accounts.

These fake user accounts, on Gmail, Dropbox and other online services,
were seeded with realistic-looking content. Usernames, passwords and
other details were released on the dark web in the hope that hackers
would take the bait. For months, Imperva researchers tracked the
activities of those they hooked in order to determine how the mind of
a hacker works. After getting some 200 hits from hackers on the
compromised accounts, the team began its analysis.

But like victims who don't protect their accounts, using, for
example, easy-to-guess passwords like "123456" or "password", many
hackers don't bother to protect their own identities.

Hackers could take steps to avoid detection by restoring an account
they rifled through to its previous state: deleting sign-in alerts
from inboxes, deleting sent emails that users didn't send, marking
read messages as unread and editing log files of activity, said the
report.

“We were surprised to find that only 17% made any attempt to cover
their tracks. And those who did sparingly used track covering
practices,” said the Imperva team.

Not surprisingly, said the research team, "attackers first and
foremost are looking for sensitive information, such as passwords and
credit card numbers."

The compromised accounts included files that indicated that they might
contain important business or banking data, and hackers went for those
first. But, defying researchers’ expectations, the hackers did not
approach the exploration of compromised accounts methodically. The
timing of their work, and the fact that they skipped over some files
with appealing titles but examined others, “indicates that attackers
access the content online manually and do not download and examine it
with automated tools,” as might have been expected, said the report.

Perhaps the most important finding of the study was related to that
lack of automation. "Attackers aren't quick to act," said the team.
"More than 50 percent of the accounts were accessed 24 hours or more
after the credential takeover. The result is a brief window where if
the attack is suspected, a quick password change results in a 56
percent chance of preventing an account takeover."

This means that if hacking victims act quickly enough and change their
password after they suspect their account has been compromised, they
may foil the attackers.

If the password they acquired on the dark web doesn’t work, the
chances are good that hackers will move on, according to the report.

“Less than half of the leaked credentials were exploited by
attackers,” said the team. “One explanation for this could be that
attackers have access to so much data they don’t have enough time to
explore it all.” If that’s the case, hackers would be likely to take
the path of least resistance – attacking only victims they could
easily hack, and moving on to the next target if they encounter
resistance.
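To make the report's findings concrete, here is an added example (not Imperva's code or data) that runs the same kind of analysis over a constructed activity log for a handful of bait accounts: it measures how many leaked credentials were used at all, how many were first accessed 24 hours or more after the leak, which of those a password change made 24 hours after the leak would have pre-empted, which attackers took any of the track-covering actions the report lists, and a simple detection rule that flags a login from an unknown IP followed shortly by one of those actions. Account names, IP addresses, timestamps and event lines are constructed, and the 24-hour and 15-minute thresholds are assumptions chosen to match the figures quoted above.

```python
"""Analyse activity on honeypot ("bait") accounts whose credentials were
deliberately leaked. Added example for this post, not Imperva's code or
data; account names, IPs, timestamps and event lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: the moment the bait credentials were published.
LEAK_TIME = datetime(2017, 3, 1, 12, 0)
BAIT_ACCOUNTS = {"bait-alice", "bait-bob", "bait-carol", "bait-dave"}

# Constructed activity log, one event per line: timestamp,account,action,detail
RAW_LOG = """\
2017-03-01T13:10:00,bait-alice,login,203.0.113.7
2017-03-01T13:11:30,bait-alice,open_file,credit_cards.xlsx
2017-03-03T02:05:00,bait-bob,login,198.51.100.22
2017-03-03T02:06:10,bait-bob,delete_mail,Security alert: new sign-in
2017-03-03T02:07:00,bait-bob,mark_unread,Invoice March
2017-03-03T02:09:45,bait-bob,open_file,passwords.txt
2017-03-05T09:00:00,bait-carol,login,192.0.2.55
2017-03-05T09:02:00,bait-carol,open_file,bank_statement.pdf
"""

# Actions the report describes as covering tracks.
TRACK_COVERING = {"delete_mail", "delete_sent", "mark_unread", "edit_log"}


def parse_log(raw):
    """Turn the comma-separated lines into event dicts, oldest first."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ts, account, action, detail = line.split(",", 3)
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "action": action, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def first_logins(events):
    """account -> timestamp of the first attacker login on that account."""
    first = {}
    for e in events:
        if e["action"] == "login" and e["account"] not in first:
            first[e["account"]] = e["ts"]
    return first


def exploited_share(first, accounts=BAIT_ACCOUNTS):
    """Fraction of leaked credentials that were ever used."""
    return len(set(first) & accounts) / len(accounts)


def delayed_share(first, leak=LEAK_TIME, threshold=timedelta(hours=24)):
    """Fraction of used accounts first accessed at least `threshold` after the leak."""
    if not first:
        return 0.0
    late = [a for a, ts in first.items() if ts - leak >= threshold]
    return len(late) / len(first)


def saved_by_rotation(first, leak=LEAK_TIME, rotate_after=timedelta(hours=24)):
    """Accounts whose first attacker login came only after a password change
    made `rotate_after` past the leak would already have invalidated the credential."""
    return {a for a, ts in first.items() if ts >= leak + rotate_after}


def track_coverers(events):
    """Accounts on which the attacker performed any track-covering action."""
    return {e["account"] for e in events if e["action"] in TRACK_COVERING}


def detect_takeover(events, known_ips, window=timedelta(minutes=15)):
    """Flag a login from an IP not in `known_ips` that is followed within
    `window` by a track-covering action. Returns (account, ip, action) tuples."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)
    hits = []
    for account, evs in by_account.items():
        for i, e in enumerate(evs):
            if e["action"] != "login" or e["detail"] in known_ips:
                continue
            for later in evs[i + 1:]:
                if later["ts"] - e["ts"] > window:
                    break
                if later["action"] in TRACK_COVERING:
                    hits.append((account, e["detail"], later["action"]))
                    break
    return hits


if __name__ == "__main__":
    evs = parse_log(RAW_LOG)
    first = first_logins(evs)
    print(f"credentials exploited: {exploited_share(first):.0%}")
    print(f"first access 24h+ after leak: {delayed_share(first):.0%}")
    print("pre-empted by a 24h password change:", sorted(saved_by_rotation(first)))
    print("covered tracks:", sorted(track_coverers(evs)))
    for hit in detect_takeover(evs, known_ips={"10.0.0.5"}):
        print("ALERT", hit)
```

With the constructed log, three of four bait credentials are used, two of those three are first touched more than a day after the leak (so a password change at the 24-hour mark would have locked those two attackers out), and only one attacker deletes the sign-in alert, which is exactly the login-then-cleanup sequence the detection rule is built to catch.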

“By studying cyberattackers, we’ve learned many things including that
most attackers don’t bother to cover their tracks, which means they
leave evidence behind,” said Itsik Mantin, head of data research at
Imperva.

“Furthermore, if we can quickly detect an attack, we then know that
swift remediation including a simple password change significantly
reduces the odds of a successful attack. This lesson proves the value
of incorporating threat-intelligence and breach detection solutions
that quickly detect and help mitigate this risk.”

