Account takeover continues to be one of the fastest-growing email security threats, but attackers are starting to adapt, introducing new ways to exploit compromised accounts.
A study conducted by Barracuda and researchers at UC Berkeley and UC San Diego found that, over the past seven months, one in seven organisations experienced lateral phishing attacks, where attackers use hijacked accounts they’ve recently compromised to send phishing emails to an array of recipients, ranging from close contacts within the company to partners at other organisations.
One of the most striking aspects of this emerging attack is the scale of potential victims that the attackers target. Because the legitimate accounts they’ve compromised are implicitly trusted, attackers often use them to send lateral phishing emails to dozens, if not hundreds, of other organisations so they can spread the attack more broadly. However, by targeting such a wide range of victims and external organisations, these attacks ultimately lead to increasingly large reputational harm for the initial victim organisation.
Of the organisations that experienced lateral phishing, more than 60 per cent had multiple compromised accounts. Some had dozens of compromised accounts that sent lateral phishing attacks to additional employee accounts and users at other organisations. In total, researchers identified 154 hijacked accounts that collectively sent hundreds of lateral phishing emails to more than 100,000 unique recipients.
While roughly 40 per cent of these recipients were fellow employees at the same company as the hijacked account, the remaining 60,000 recipients spanned a range of victims, from personal email addresses that might have been drawn from the hijacked account’s contact book to business email addresses of employees at partner organisations.
There are three critical precautions that can be taken to help protect against lateral phishing attacks: security awareness training, advanced detection techniques and two-factor authentication.
Chris Ross, SVP International at Barracuda Networks, says that the channel needs to ensure that customers don’t become lateral phishing’s next victim. “In an era of security skills shortages, combined with ever-more sophisticated cyber-attacks, end-users are increasingly relying on the channel to fill this widening gap. The channel have become trusted partners; end-users rely on them to provide the right expertise and tools, as well as give advice on emerging threats such as lateral phishing,” he said.
Ross argues that if channel partners provide end-users with adequate security awareness training, lateral phishing will be less successful. “Unlike traditional phishing attacks, which often use a fake or forged email address to send the attack email, lateral phishing attacks are sent from a legitimate but compromised account. As a result, telling end-users to check the sender properties or email headers to identify a fake or spoofed sender no longer applies.”
He continued: “Users can often still carefully check the URL of any link before they click it to help them identify a lateral phishing attack. It is important that they check the actual destination of a link in any email, and not just the URL text that is displayed in the email.”
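The check Ross describes, comparing the destination a link actually points to with the URL text shown to the reader, can also be automated on the mail gateway or in a user-reported-phish triage tool. The following is an added example written for this page, not code from Barracuda or from the study; the HTML body is constructed, the organisation and vendor hostnames are placeholders, and the "registered part" helper is a deliberate simplification (a real implementation would use a public-suffix list).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample: an HTML body whose visible link text advertises one site
# while the underlying href points somewhere else. Hostnames are placeholders.
SAMPLE_BODY = """
<p>Please review the shared document:</p>
<a href="https://docs.example-files.test/view?id=42">https://sharepoint.example.com/doc/42</a>
<p>Also see our <a href="https://www.example.com/policy">policy page</a>.</p>
<p>Login: <a href="http://203.0.113.7/login">example.com login</a></p>
"""


class LinkCollector(HTMLParser):
    """Collects (visible_text, href) pairs from every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


# Matches a URL or bare hostname inside the visible anchor text.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def host_in_text(text):
    """Return the hostname the visible text appears to advertise, if any."""
    match = HOST_RE.search(text)
    return match.group(1).lower() if match else None


def registered_part(host):
    """Last two labels of a hostname (assumption: no public-suffix list here)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def flag_mismatched_links(html):
    """Report links whose displayed host differs from the href's real host."""
    findings = []
    for text, href in extract_links(html):
        shown = host_in_text(text)
        if shown is None:
            continue  # plain words such as "policy page": nothing to compare
        actual = (urlparse(href).hostname or "").lower()
        if registered_part(shown) != registered_part(actual):
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


if __name__ == "__main__":
    for finding in flag_mismatched_links(SAMPLE_BODY):
        print(f"displayed {finding['shown']} but points to {finding['actual']}")
```

Run against the constructed body, the first and third links are flagged (the displayed text names one host, the href another) while the "policy page" link is ignored because its text makes no claim about a destination. Links that pass this check can still be malicious, so it is a triage signal to combine with the other measures the article lists, not a verdict.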
A sophisticated evolution
Lateral phishing represents a sophisticated evolution in the space of email-based attacks. Because the phishing emails now come from a legitimate email account, these attacks are becoming increasingly difficult for even trained and knowledgeable users to detect.
“The channel should be advising organisations on the use of advanced detection techniques and services that use artificial intelligence and machine learning to automatically identify phishing emails, rather than a user identifying this threat by themselves,” Ross warned.
“Finally, one of the most important things that the channel can do to help organisations mitigate the risk of lateral phishing is to advise the use of a strong two-factor authentication (2FA), such as a two-factor authentication app or a hardware-based token if available. While non-hardware-based 2FA solutions remain susceptible to phishing, they can help limit and curtail an attacker’s access to compromised accounts,” he said in conclusion.
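The study's figures above (individual hijacked accounts mailing hundreds of recipients across many outside organisations) point to a simple signal that the detection services Ross recommends build on: a sudden jump in how many external domains one account sends to. The following is an added example written for this page, not Barracuda's product logic or the researchers' method; it uses a plain heuristic rather than machine learning, and the log format, organisation domain, sender names and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

INTERNAL_DOMAIN = "corp.example"  # assumed organisation domain

# Constructed sent-mail log (assumed format: "<iso-time> sender=<addr> rcpt=<addr>").
# alice normally mails one partner domain a day; on 4 July her account bursts
# out to six outside organisations within seconds, the pattern the study describes.
SAMPLE_LOG = """\
2019-07-01T09:12:00 sender=alice@corp.example rcpt=bob@corp.example
2019-07-01T10:03:00 sender=alice@corp.example rcpt=sales@partner-a.example
2019-07-02T08:55:00 sender=alice@corp.example rcpt=carol@corp.example
2019-07-02T11:20:00 sender=alice@corp.example rcpt=sales@partner-a.example
2019-07-03T09:30:00 sender=alice@corp.example rcpt=dave@corp.example
2019-07-04T07:01:00 sender=alice@corp.example rcpt=erin@corp.example
2019-07-04T07:01:05 sender=alice@corp.example rcpt=info@vendor-1.example
2019-07-04T07:01:07 sender=alice@corp.example rcpt=ap@vendor-2.example
2019-07-04T07:01:09 sender=alice@corp.example rcpt=hr@vendor-3.example
2019-07-04T07:01:11 sender=alice@corp.example rcpt=it@vendor-4.example
2019-07-04T07:01:13 sender=alice@corp.example rcpt=ceo@vendor-5.example
2019-07-04T07:01:15 sender=alice@corp.example rcpt=frank@mailbox-host.example
2019-07-04T09:00:00 sender=bob@corp.example rcpt=alice@corp.example
"""


def parse_log(text):
    """Turn log lines into (timestamp, sender, recipient) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender_kv, rcpt_kv = line.split()
        sender = sender_kv.split("=", 1)[1].lower()
        rcpt = rcpt_kv.split("=", 1)[1].lower()
        records.append((datetime.fromisoformat(ts), sender, rcpt))
    return records


def daily_external_fanout(records, internal_domain=INTERNAL_DOMAIN):
    """Map sender -> date -> set of external recipient domains mailed that day."""
    table = defaultdict(lambda: defaultdict(set))
    for ts, sender, rcpt in records:
        domain = rcpt.rsplit("@", 1)[-1]
        if domain != internal_domain:
            table[sender][ts.date()].add(domain)
    return table


def fanout_alerts(records, min_domains=5, ratio=3.0, internal_domain=INTERNAL_DOMAIN):
    """Flag days where a sender's external-domain fan-out far exceeds its own history.

    Thresholds are assumptions for the example: at least min_domains distinct
    external domains, and more than ratio times the sender's previous daily maximum.
    Days with no external mail contribute nothing to the baseline.
    """
    alerts = []
    for sender, per_day in daily_external_fanout(records, internal_domain).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [len(per_day[d]) for d in days[:i]]
            baseline = max(history) if history else 0
            today = len(per_day[day])
            if today >= min_domains and today > ratio * baseline:
                alerts.append({
                    "sender": sender,
                    "date": day.isoformat(),
                    "external_domains": today,
                    "baseline_max": baseline,
                })
    return alerts


if __name__ == "__main__":
    for alert in fanout_alerts(parse_log(SAMPLE_LOG)):
        print(f"{alert['sender']} on {alert['date']}: {alert['external_domains']} "
              f"external domains (previous daily max {alert['baseline_max']})")
```

On the constructed log only alice's 4 July burst is raised, because it is compared against her own prior behaviour rather than a fleet-wide threshold; that per-account baseline is what keeps a legitimately chatty sales mailbox from paging the team every morning. In practice the alert would feed the incident response step the article implies: suspend sending, reset credentials and enforce 2FA on the account, then notify the external recipients.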
Productivity under threat
A recent Barracuda survey found that 40 per cent of IT professionals in EMEA consider email security attacks to have a negative impact on employee productivity.
Key findings include:
EMEA IT teams receive more suspicious emails than the global average, with seven per cent receiving over 50 per day and a third receiving between six and 50 per day.
Although 44 per cent of respondents agreed that very few (less than 10 per cent) of the suspicious emails reported turn out to be fraudulent, the time taken to identify and respond to email reports on this scale is taking its toll on IT teams’ productivity.
The vast majority (81 per cent) admitted spending over 30 minutes investigating and remediating each email attack, while 47 per cent spend over an hour per attack.