After collecting info on the victim, a phishing attack ensues

Nov 7, 2014 17:59 GMT

Most account takeover attacks are carried out using automated tools, but a recent study reveals that a manual approach is more rewarding for the cybercriminals.

Google released the results of research into targeted incidents conducted through non-automated efforts, called “manual hijacking.” This approach requires considerably more time for profiling the victims and is very rare, with only nine attempts occurring per day per million users.

Crooks work by a timetable, with one-hour lunch break

The company defines these attempts as follows: “Manual hijacking consist of attack that opportunistically select victims with the intent of monetizing the victim’s contacts or personal data; any sufficient lucrative credential will suffice. These attacks are carried manually rather than automatically.”

Phishing is the method most often used by the crooks to achieve their goal. As observed by Google, the most believable page imitations have a 45% success rate, while the most obvious scams trick users only 3% of the time.

According to the study from Google, there is circumstantial evidence to support the theory that manual hijackers work in an organized manner; they were observed to respect a daily schedule with a synchronized one-hour lunch break and their activity was considerably reduced during weekends.

Furthermore, although they operated from different IP addresses and on different targets, they used the same tools and even shared some of the resources, like phone numbers.

Two major groups have been identified

Referring to the origin of this activity, Google says that most of the IP addresses belonged to machines located in China and Malaysia. However, it is difficult to determine the true region where the attackers live since they could be relying on proxies.

On the other hand, Google also relied on the phone numbers used by the crooks, which helped it identify two groups: one in Nigeria and one in the Ivory Coast, each accounting for more than 31% of the numbers, based on country code.

This evidence is based on old data, from 2012, when cybercriminals gave up using phone numbers to lock users out of their accounts by enabling two-factor authentication (2FA), because the method proved to be ineffective for them.

“Anecdotal evidence suggest that the Ivory Coast specialize in scamming French speaking countries where as the Nigeria focus on English speaking countries,” the report says; these are the native languages for each of the countries.

Detecting manual hijacking is particularly difficult, mainly because of its low volume and the versatility of the crooks.

As far as defense is concerned, the researchers recommend using 2FA to protect access to an online account.