About half of the accounts whose credentials are stolen in phishing attacks are manually accessed within 12 hours of the username/password pair becoming public.
The finding comes from security researchers at Agari, who highlighted this dynamic by seeding the web with thousands of fake credentials crafted to look like those of real users of cloud services. The credentials were circulated specifically on "underground" websites and forums known to host lists of usernames and passwords stolen in cyber attacks or breaches.
The analysis was conducted over six months and found that accounts are accessed manually within a few hours of the credentials circulating: about half within 12 hours, 20% within one hour and 40% within six hours. The data collected by the Agari researchers show that everything is exploited as quickly as possible. Although users may only discover long after the fact that their account has been compromised, it is in the attackers' interest to exploit these accounts as soon as possible, before a simple password change makes them inaccessible.
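The measurement the researchers describe (seed fake accounts, watch for logins, compute how long after the leak each one is first used) can be reproduced on a defender's own authentication logs. The following is an added example, not Agari's code; the honey account names, leak timestamps and log line format are all constructed for illustration.

```python
# Honey-credential monitor: time from credential leak to first attacker login.
# Everything below (accounts, timestamps, log format) is constructed sample data.
from datetime import datetime, timedelta
import re

# Constructed: when each fake (honey) credential was posted to a leak site.
LEAK_TIME = datetime(2021, 3, 1, 9, 0)
HONEY_LEAKS = {f"honey.{n}@example.test": LEAK_TIME for n in ("alice", "bob", "carol", "dave")}

# Constructed auth log in a hypothetical "timestamp outcome user= ip=" format.
AUTH_LOG = """\
2021-03-01T09:40:12 LOGIN_OK user=honey.alice@example.test ip=198.51.100.7
2021-03-01T10:05:00 LOGIN_OK user=real.user@example.test ip=203.0.113.9
2021-03-01T14:15:30 LOGIN_OK user=honey.bob@example.test ip=198.51.100.8
2021-03-01T15:00:00 LOGIN_OK user=honey.bob@example.test ip=198.51.100.8
2021-03-01T20:30:00 LOGIN_FAIL user=honey.carol@example.test ip=198.51.100.9
2021-03-01T20:31:00 LOGIN_OK user=honey.carol@example.test ip=198.51.100.9
2021-03-03T11:00:00 LOGIN_OK user=honey.dave@example.test ip=198.51.100.10
"""

LINE_RE = re.compile(r"^(\S+) (LOGIN_OK|LOGIN_FAIL) user=(\S+) ip=(\S+)$")


def first_use_delays(log_text, leaks):
    """Map each honey account to the delay between its leak and its first
    successful login. A honey account has no legitimate owner, so any
    successful login is an attacker confirming the stolen credential."""
    delays = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts, outcome, user, _ip = m.groups()
        if outcome != "LOGIN_OK" or user not in leaks or user in delays:
            continue  # failed attempts, real users and repeat logins are ignored
        delays[user] = datetime.fromisoformat(ts) - leaks[user]
    return delays


def share_within(delays, total_accounts, hours):
    """Fraction of all seeded accounts first used within `hours` of the leak."""
    hit = sum(1 for d in delays.values() if d <= timedelta(hours=hours))
    return hit / total_accounts


if __name__ == "__main__":
    d = first_use_delays(AUTH_LOG, HONEY_LEAKS)
    for h in (1, 6, 12):
        print(f"within {h:>2}h: {share_within(d, len(HONEY_LEAKS), h):.0%}")
```

In production the same check is simply an alert on any successful login to a honey account, since no legitimate login should ever occur.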
Somewhat surprisingly, almost all accounts are tried manually. This lets attackers confirm that the credentials actually work, and also perform other malicious actions or retrieve additional valuable information such as further credentials or sensitive data. It is a modus operandi with a self-reinforcing effectiveness: credentials stolen through a phishing campaign are used to compromise an account, which is then exploited for further phishing campaigns that compromise other accounts, and so on.
The researchers also observe that compromised accounts are often abandoned within a week, probably because the attackers have taken advantage of everything they could exploit and moved on to new accounts.