Barracuda: Follow-Up Phishing Attacks on the Rise

Cybercriminals are getting craftier and sneakier when it comes to email account takeover attacks, according to new research from Barracuda and UC Burkeley.

Researchers conducted a large-scale analysis of email account takeover and the timeline of attacks, the behaviors hackers are using to try to avoid detection, ways to identify suspicious activity that could indicate an email account has been compromised, and precautions businesses can take to protect themselves.

Among the key findings:

• Attacks are spread out over a period of time; they don’t always happen as soon as the account is compromised.
• Attackers are getting smarter about geography; they send phishing emails and perform other actions from IPs tied to similar regions and countries of the hacked account.
• IP addresses and ISPs provide important clues as attackers tend to use anonymous IPs belonging to ISPs that are different from the hacked account’s provider.

Asaf Cidon, professor of electrical engineering and computer science at Columbia University and a Barracuda adviser, tells us organizations often don’t have security solutions that detect compromised accounts and phishing email coming from internal mailboxes.

Asaf Cidon

“Traditional email security gateways do not detect such attacks,” he said. “In addition, it is important to make sure organizations are equipped to respond to internal threats, and are able to block the compromised accounts, and track down all the malicious activity that originated from that account.”

The MSSP community can be on the frontline of defending against account takeover, both from helping customers deploy solutions that can detect these attacks, and in leading the response and remediation of these attacks after they occur, Cidon said.

“In addition, they can implement security awareness training programs in the organizations to increase their awareness of these types of attacks,” he said.

Cybercriminals use brand impersonation, social engineering and phishing to steal login credentials and access an email account, according to the research. Once the account is compromised, hackers monitor and track activity to learn how the company does business, the email signatures they use and the way financial transactions are handled so they can launch subsequent phishing attacks, including harvesting financial information and additional login credentials for other accounts, it said.

Hackers execute account takeover attacks using a variety of methods. In some cases, hackers leverage usernames and passwords acquired in previous data breaches. Due to the fact that people often use the same password for different accounts, hackers are able to successfully reuse the stolen credentials and gain access to additional accounts. Hackers also use stolen passwords for personal emails and use access to that account to try to get access to business email.

Brute-force attacks also are used to successfully take over accounts because people use very simple passwords that are easy to guess and they don’t change them often enough. Attacks also come via web and business applications, including text messages, according to the research.

Barracuda recommends the following precautionary measures:

• Get granular with your monitoring, use technology to identify suspicious activity, including logins at unusual times of the day or from unusual locations and IP addresses, which are potential signs of a compromised account.
• Educate users about spear phishing attacks by making it a part of security awareness training.
• Use multifactor authentication (MFA), which provides an additional layer of security above and beyond username and password, such as an authentication code, thumb print or retinal scan.
• Using machine learning to analyze normal communication patterns within your organization allows you to spot anomalies that may indicate an attack.
• Deploy technology that uses AI to recognize when accounts have been compromised and that remediates in real time by alerting users and removing malicious emails sent from compromised accounts.

“We predict that we will see more of these attacks,” Cidon said. “In general, we have seen a rapid rise of these attacks in the past one-and-a-half years. Attackers are motivated by economics, and the reason these attacks are increasing in frequency is because they are simply very successful, and most organizations are not well-equipped to prevent and remediate them.”