Microsoft is fighting hackers by guiding them into authentic-looking mock-ups of customer IT environments. Through these sophisticated honeypots, Microsoft aims to retrieve as much hacker data as possible and disrupt and slow them down in their activities.
In the fight against phishing, Microsoft is going a step further in developing honeypots by enticing hackers with lifelike Microsoft customer environments. These so-called hybrid high-interaction honeypots are meant to entice hackers to strike so that security experts can gather information that should lead to their downfall.
To this end, experts have now recreated complete Microsoft customer environments on the phased-out code.microsoft.com. This includes access to Azure, proprietary domain names, thousands of user accounts and active traffic such as internal communications and file sharing.
Through these new advanced traps, Microsoft can then map the phishing criminals’ infrastructure, gain a better understanding of how advanced phishing campaigns operate, disrupt large-scale campaigns, identify the criminals and greatly slow down their activity.
Tactics change
In addition to these new fake environments, security experts have also changed the tactics of using honeypots. Instead of waiting for hackers to find these environments, the experts are now actively confronting them.
To do so, they actively visit known phishing accounts and sites that target Microsoft environments and enter the credentials of the fake accounts and environments there. The login credentials intentionally lack 2FA and the environments contain a lot of realistic-looking data, so attackers get in easily and then waste time working out whether it is a trap.
Collect and delay
Microsoft says it monitors about 25,000 phishing sites daily. Of these, 20 percent are fed honeypot login credentials and the rest are blocked via CAPTCHA and anti-bot mechanisms.
When honeypot credentials are entered, about 5 percent of the hackers bite. When these gain access to the fake environments, a sophisticated logging process begins to track every action and thus learn their tactics, techniques and procedures.
Data collected in this process includes IP addresses, browsers used, locations, behavior patterns, whether they use VPNs or VPS and what phishing kits they use. When hackers try to interact with the fake environments, Microsoft makes sure to respond as little as possible. According to Microsoft, this means it eventually takes hackers about 30 days to figure out that they have penetrated a fake environment.
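As an added illustration of the logging step described above (this is not Microsoft's code; the account names, field names and sign-in events are constructed for the example), here is a small Python routine that turns sign-in records for seeded honeytoken accounts into per-attacker profiles of the kind the article lists: source IP, user agent, VPN/VPS use, actions taken and dwell time.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed honeytoken accounts: credentials that exist only in the decoy
# tenant and are seeded into phishing sites, so any sign-in with them is hostile.
HONEYTOKEN_ACCOUNTS = {"j.doe@decoy-contoso.example", "finance@decoy-contoso.example"}

# Constructed sample sign-in events as JSON lines; the field names are assumed.
SAMPLE_EVENTS = """
{"ts":"2024-05-01T08:02:11Z","user":"j.doe@decoy-contoso.example","ip":"203.0.113.7","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/120","action":"login","asn_type":"vps"}
{"ts":"2024-05-01T08:02:40Z","user":"j.doe@decoy-contoso.example","ip":"203.0.113.7","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/120","action":"list_mailbox","asn_type":"vps"}
{"ts":"2024-05-01T08:05:03Z","user":"alice@decoy-contoso.example","ip":"198.51.100.9","ua":"Mozilla/5.0 (Macintosh) Safari/17","action":"login","asn_type":"residential"}
{"ts":"2024-05-01T09:15:22Z","user":"finance@decoy-contoso.example","ip":"192.0.2.55","ua":"python-requests/2.31","action":"login","asn_type":"vpn"}
{"ts":"2024-05-01T09:15:30Z","user":"finance@decoy-contoso.example","ip":"192.0.2.55","ua":"python-requests/2.31","action":"download_file","asn_type":"vpn"}
{"ts":"2024-05-01T09:15:31Z","user":"finance@decoy-contoso.example","ip":"192.0.2.55","ua":"python-requests/2.31","action":"download_file","asn_type":"vpn"}
"""

def parse_events(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def build_profiles(events, honeytokens=HONEYTOKEN_ACCOUNTS):
    """Group every action taken with a honeytoken account into a profile keyed by
    (account, source IP): first/last seen, user agents, VPN/VPS flag, action counts.
    Sign-ins by other decoy-tenant accounts (e.g. the filler users) are ignored."""
    profiles = {}
    for e in events:
        if e["user"] not in honeytokens:
            continue
        key = (e["user"], e["ip"])
        p = profiles.setdefault(key, {"first_seen": e["ts"], "last_seen": e["ts"],
                                      "user_agents": set(), "anonymised": False,
                                      "actions": defaultdict(int)})
        p["first_seen"] = min(p["first_seen"], e["ts"])  # ISO-8601 UTC sorts lexically
        p["last_seen"] = max(p["last_seen"], e["ts"])
        p["user_agents"].add(e["ua"])
        p["anonymised"] |= e.get("asn_type") in ("vpn", "vps")
        p["actions"][e["action"]] += 1
    return profiles

def dwell_seconds(profile):
    """Seconds between the first and last observed action from one source."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    first = datetime.strptime(profile["first_seen"], fmt)
    last = datetime.strptime(profile["last_seen"], fmt)
    return (last - first).total_seconds()
```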
With the hackers’ data, Microsoft enables other security teams to build more detailed profiles and defenses. Microsoft further indicates that through these advanced “hybrid” honeypots it is able to combat not only less sophisticated phishing criminals, but also sophisticated financially motivated hacker groups and even state hackers like the Russian Midnight Blizzard (Nobelium) gang.