- Security TWENTY
- Women in Security
Barracuda Networks, the IT and network security and data protection company, recently did some research on account takeovers: incidents where attackers steal an employee's credentials and use them to send email from that user's real account. Such incidents are increasing in frequency and magnitude, can be devastating for their victims and are very hard to spot.
Some attackers use the hijacked account to launch phishing campaigns that go undetected; some steal other employees' credentials and sell them on the black market; others use the account to conduct reconnaissance for personalised attacks. The most sophisticated attackers steal the credentials of a key employee (e.g. the CEO or CFO) and use them to launch a Business Email Compromise attack from the real employee's email address.
Over the last few weeks we have seen a large number of mass phishing campaigns that use legitimate compromised accounts at UK-based organisations. We surveyed some anonymised examples of these attacks.
Example 1: Attackers leverage major UK university’s reputation to send phishing attacks that bypass email gateways
In this example the attackers gained access to the email account of a faculty member at a major UK university. They used it to send a phishing email to a US-based company claiming that the recipient's email account had been deactivated, in order to steal the target's credentials. The email bypassed the gateway defences because it came from a legitimate, high-reputation sender.
Example 2: UK online retailer compromised, used to impersonate Office 365 90 times
In this example the attacker compromised the email account of a manager at a UK-based retailer and used it to send phishing emails to 90 different targets. The emails impersonate Office 365 and try to get the recipient to sign in to read supposedly unread messages.
Example 3: UK-based IT provider email account used to impersonate employee
In this example the attackers compromised an email account at a reputable UK-based IT provider. They then used that account to send an email impersonating an employee of the target's own company, trying to get the recipient to click on a link. Notice that they fake an earlier email thread to make the message look legitimate. The link leads to a compromised website that tries to download malware to the target's device.
So how big is the account takeover tactic? It is not just UK organisations that fall victim to this kind of attack. We ran a study of 50 random organisations spanning sectors and asked them to report any account takeovers over three months. Overall, between four and eight of them reported at least one account takeover incident each month. On average, each compromise resulted in at least three separate account takeover incidents, in which either the same or different employees' accounts were used.
Most incidents (78pc) resulted in a phishing email, where the attacker's goal was typically to compromise additional internal and external accounts. The attackers sometimes made the email look as if the employee were sending an invitation to a link on a popular web service such as OneDrive or DocuSign.
Another 17pc of incidents used the compromised account as a platform for sending spam. Attackers love using compromised accounts as vehicles for spam because the accounts often have very high reputations: the mail comes from a reputable domain, from the correct IP address, and from a real person with a legitimate email history, so it is much less likely to be blocked by email security systems that rely on domain, sender or IP reputation. Some 5pc of incidents involved the attacker asking the recipient to download an attachment. This is effective because most email security systems do not scan internal traffic for threats, allowing attackers to send malware with ease.
We also analysed the roles of those compromised. Sixty email accounts were compromised, some multiple times. Only 6pc belonged to executives; the vast majority were in entry-level or mid-management roles, suggesting that it is not just senior employees who are targeted but also those who have had less cyber security training.
Some 22pc of compromised employees worked in sensitive departments such as HR, IT, finance and legal, although the share of the studied workforce in these roles is much lower than 22pc. So while these incidents are widespread, specific departments remain the most lucrative targets for information and financial theft.
What can you do to protect yourself?
● Traditional email security filters cannot detect and prevent account takeover because they judge mail by sender, domain and IP reputation, all of which a compromised account passes, and they do not monitor or stop malicious internal communication. Ideally you need a solution, typically one that applies machine learning, that learns each account's normal sending behaviour and flags anomalies such as a sudden burst of messages to many never-seen external recipients or links to domains the account has never referenced before.
● Another essential aspect of protection is training and awareness. Employees need continuous simulation and training to understand the latest attack techniques and recognise subtle clues.
● It may sound basic, but using strong, unique passwords is a great way to decrease the probability of email accounts being compromised. Good passwords are long and unpredictable; a mix of upper-case letters, lower-case letters, numbers and special characters helps, but length and never reusing a password across services matter more, because many account takeovers start from credentials leaked in another service's breach. A password manager makes this practical.
● Multi-factor authentication (MFA), where a second factor is required in addition to the password, is imperative in stopping these attacks. Even if a user's login credentials are stolen, an attacker without the trusted device cannot access the account, and if a device is stolen the attacker cannot log in without the credentials. Two caveats: one-time codes can themselves be phished by a proxy site that relays them in real time, so prefer phishing-resistant factors (hardware security keys or platform authenticators) for high-value accounts; and legacy mail protocols that accept only a username and password (basic authentication for IMAP, POP or SMTP, for example) bypass MFA entirely and should be disabled.
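As an added illustration of the behavioural approach recommended in the first bullet (example code written for this page, not Barracuda's product or the article's own material), the following Python learns a per-account baseline from a quiet window of outbound-mail log lines and then flags any hour in which an account departs from it: a burst of messages well above its usual rate, a spread of never-seen external recipient domains, or a link to a domain the account has never referenced. The log lines, the pipe-separated format, the organisation domain example.co.uk and the thresholds are all constructed assumptions; the attack pattern they model is the Office 365 "unread messages" lure from Example 2 above.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

INTERNAL_DOMAIN = "example.co.uk"  # assumed: the organisation's own mail domain


@dataclass(frozen=True)
class MailEvent:
    ts: datetime
    sender: str
    recipients: tuple   # recipient addresses
    subject: str
    link_domains: tuple  # domains of URLs found in the body


def parse_line(line: str) -> MailEvent:
    """Parse one constructed log line: ts|sender|rcpt,rcpt|subject|linkdomain,linkdomain."""
    ts, sender, rcpts, subject, links = line.strip().split("|")
    return MailEvent(
        datetime.fromisoformat(ts),
        sender,
        tuple(r for r in rcpts.split(",") if r),
        subject,
        tuple(d for d in links.split(",") if d),
    )


def hour_key(e: MailEvent) -> str:
    return e.ts.strftime("%Y-%m-%dT%H")


def build_baseline(events):
    """Learn what 'normal' looks like for each sender over a training window."""
    by_sender = defaultdict(list)
    for e in events:
        by_sender[e.sender].append(e)
    baseline = {}
    for sender, evs in by_sender.items():
        per_hour = Counter(hour_key(e) for e in evs)
        baseline[sender] = {
            "max_per_hour": max(per_hour.values()),
            "rcpt_domains": {r.split("@", 1)[1] for e in evs for r in e.recipients},
            "link_domains": {d for e in evs for d in e.link_domains},
        }
    return baseline


def detect(events, baseline, burst_factor=3, min_new_external=5):
    """Return (sender, hour, reason) alerts where an account departs from its own baseline.

    A reputation filter sees none of this: the sender, domain and IP are all legitimate.
    """
    alerts = []
    window = defaultdict(list)
    for e in events:
        window[(e.sender, hour_key(e))].append(e)
    for (sender, hour), evs in sorted(window.items()):
        b = baseline.get(sender)
        if b is None:  # cold start: a sender with no history cannot be scored, surface it
            alerts.append((sender, hour, "sender has no baseline"))
            continue
        if len(evs) > burst_factor * b["max_per_hour"]:
            alerts.append((sender, hour, f"burst: {len(evs)} messages, baseline max {b['max_per_hour']}/h"))
        rcpt_domains = {r.split("@", 1)[1] for e in evs for r in e.recipients}
        new_external = rcpt_domains - b["rcpt_domains"] - {INTERNAL_DOMAIN}
        if len(new_external) >= min_new_external:
            alerts.append((sender, hour, f"{len(new_external)} never-seen external recipient domains"))
        new_links = {d for e in evs for d in e.link_domains} - b["link_domains"]
        if new_links:
            alerts.append((sender, hour, f"links to never-seen domains: {sorted(new_links)}"))
    return alerts


# Constructed training window: two staff members behaving normally.
TRAINING_LOG = [
    "2019-03-04T09:12|alice@example.co.uk|bob@example.co.uk|Q1 budget|",
    "2019-03-04T09:40|alice@example.co.uk|carol@example.co.uk,bob@example.co.uk|Re: Q1 budget|files.example.co.uk",
    "2019-03-05T14:05|alice@example.co.uk|pat@partner.example.com|Contract draft|",
    "2019-03-04T10:30|bob@example.co.uk|alice@example.co.uk|Re: Q1 budget|",
    "2019-03-06T11:00|bob@example.co.uk|dan@example.co.uk|Lunch?|",
]

# Constructed detection window: alice's account has been taken over and sends an
# Office 365 lure to eight never-seen external targets within one hour; bob is normal.
DETECTION_LOG = [
    f"2019-03-12T08:{m:02d}|alice@example.co.uk|user{m}@target{m}.example.net"
    f"|Your mailbox has unread messages|login-0ffice365.example"
    for m in range(1, 9)
] + [
    "2019-03-12T08:15|bob@example.co.uk|alice@example.co.uk|Re: Lunch?|",
]


def run_demo():
    baseline = build_baseline(parse_line(l) for l in TRAINING_LOG)
    return detect([parse_line(l) for l in DETECTION_LOG], baseline)


if __name__ == "__main__":
    for sender, hour, reason in run_demo():
        print(f"{hour} {sender}: {reason}")
```

Running it produces three alerts, all against alice's account for the 08:00 hour on 12 March (burst, eight new external domains, and a link to login-0ffice365.example), and nothing for bob. In a real deployment the baseline would cover weeks of mail-flow logs rather than five lines, the thresholds would be tuned per organisation, and the alert would feed a response step such as forcing a password reset and revoking sessions for the flagged account.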