New phishing attack hijacks email conversations: How companies can protect employees
By inserting themselves into business emails among employees, cybercriminals can trick victims into wiring money or sharing payment information, says security firm Barracuda Networks.
Cybercriminals use a variety of tricks to try to convince unsuspecting users to reveal sensitive and valuable information. Phishing is a well-known and general method. A more specific and direct technique gaining traction is conversation hijacking. By impersonating employees or other trusted individuals and inserting themselves in a message thread, criminals try to obtain money or financial information. But there are ways to protect your company and employees from this type of attack, according to a new report from Barracuda Networks.
SEE: Phishing attacks: A guide for IT pros (free PDF) (TechRepublic)
Here’s how the process typically works, according to Barracuda. Cybercriminals start by impersonating an organization’s domain. Through domain impersonation or spoofing, attackers send emails to employees with phony domain names that appear legitimate or create websites with altered names. Phony domain names can be concocted and registered by slightly adjusting certain characters in the actual name or changing the Top-Level-Domain (TLD), for example, replacing .com with .net.
Researchers at Barracuda said that over the past few months they’ve seen a dramatic rise in domain-impersonation attacks used to facilitate conversation hijacking. An analysis of around 500,000 monthly email attacks showed a gain of 400% in domain-impersonation attacks used for conversation hijacking. Such attacks as seen in the emails analyzed by Barracuda rose from 500 in July 2019 to more than 2,000 in November.
Although the level of conversation hijacking in domain-impersonation attacks is low compared with other types of phishing attacks, they’re personalized. That makes them effective, hard to detect, and costly, according to Barracuda.
After impersonating a domain, cybercriminals begin the process of conversation hijacking. By infiltrating an organization, attackers will compromise email accounts and other sources. They then spend time monitoring the compromised accounts and reading emails to understand the business and learn about any deals, payment processes, and other activities. This step is also where they can snoop on email conversations between employees, external partners, and customers.
Attackers will leverage the information they’ve picked up from the compromised accounts to devise convincing messages sent from the impersonated domain to trick employees into wiring money or updating and sharing payment information.
The entire process of impersonating a domain, monitoring compromised accounts, and hijacking conversations can be expensive and time-consuming. But for a patient criminal, the cost and time are worth the effort as these types of attacks are usually more successful than more general phishing expeditions.
SEE: Security response policy (TechRepublic Premium)
How to protect your organization from domain impersonation and conversation hijacking
To help your organization protect itself and its employees from domain impersonation and conversation hijacking, Barracuda offers the following pieces of advice:
- Train employees to recognize and report attacks. Educate your users about email attacks, including those involving conversation hijacking and domain impersonation. Make sure they can recognize such attacks, understand their nature, and know how to report them. Use phishing simulation to train employees to identify cyberattacks, to test the effectiveness of your training, and to evaluate the people most vulnerable to attacks.
- Deploy account-takeover protection. Many conversation hijacking attacks start with taking over and compromising an account. Make sure that scammers aren’t using your own organization to launch such attacks. Use multi-factor authentication to provide an extra layer of security beyond a username and password. Implement technology that recognizes when accounts have been compromised, that can resolve the issue in real time by alerting affected users, and that can remove malicious emails sent from compromised accounts.
- Monitor inbox rules, account logins, and domain registrations. Use technology to identify suspicious activity, including logins from unusual locations and IP addresses, a possible sign of a compromised account. Monitor email accounts for malicious inbox rules as they are often used for account takeovers. Keep an eye on new domain registrations that could potentially be used for impersonation through typo-squatting techniques. Considering purchasing alternative domain names closely related to your current one to avoid fraudulent use by cybercriminals.
- Leverage artificial intelligence. Scammers are adapting their email tactics to sneak past gateways and spam filters, so you need to have an artificial intelligence solution in place to detect and block attacks, including account takeovers and domain impersonation. Use specific technology that doesn’t rely solely on finding malicious links or attachments. Use machine learning to analyze normal communication patterns within your organization to spot anomalies that may indicate an attack.
- Strengthen internal policies. Help employees avoid costly mistakes by creating guidelines and putting procedures in place to confirm all email requests for wire transfers and payment changes. Require in-person or telephone confirmation and/or approval from multiple people for all financial transactions.