The chances are, you’d be more inclined to open and act on an email from a colleague, friend or someone you know as opposed to someone you don’t. Cybercriminals know this, which is why they are sending attacks to your friends and colleagues—from your email account.
In our latest Threat Spotlight, we’re taking a look at a couple of real account takeover attacks that have been dissected by the Barracuda Sentinel team. Here’s what we found:
Cybercriminals take over user accounts and send fake emails to the users’ colleagues and contacts. The emails sent contain fake links, including a fake OneDrive share link that is used to steal credentials and take over more accounts.
In this first example, criminals took over an account of a finance employee. The employee most likely followed a phishing link from the attackers, which prompted them to enter their credentials into a fake Outlook sign-in page. Once they did that, the criminals had their credentials, and could use them to access the email account. The criminals then sent out emails to over a dozen members of the finance team from the compromised account. The goal of the compromised emails was to steal additional credentials. Here’s the message that was sent:
On their own, stolen credentials of a reputable organization are worth a handsome sum in the dark web. They can be sold to launch additional phishing campaigns, which will have a high chance of success since it would be coming from a high-reputation domain.
In addition, these stolen credentials can be used to conduct spear phishing, or CEO fraud attacks. In these attacks, the hackers send an email from the compromised account with the goal of tricking the recipient (who is usually in the finance department) to send a wire transfer to a bank account owned by the attacker.
There are many variants of emails cybercriminals use to steal credentials. For example, we’ve also seen attempts where a phishing email will be sent out to users that includes a OneDrive share link in the body—like in the example below.
Similar to what we saw in the first example, a user’s email account was also taken over; however, this time the criminals took a different approach with the included link. They included a OneDrive share link that when clicked, will lead to a fake sign-in page used to steal credentials.
In this particular attack, the criminals logged in multiple times to the user’s account, gathered targets from the user’s address book, and sent out hundreds of emails to both employees and external contacts.
As you can see, once criminals steal user credentials, these attacks can snowball quickly. And what’s really scary, is that standard email security solutions won’t detect these types of attacks because they originate from internal emails.
To recap, the techniques used in these attacks are:
Impersonation: Criminals impersonate colleagues or contacts to get users to act on their requests.
Phishing: Emails are sent out to users to initiate the attack to steal their credentials.
So, how can users stay out of harm’s way?
Real-Time Spear Phishing and Cyber Fraud Defense — Barracuda Sentinel is the only solution in the market that can automatically prevent email account takeover. It utilizes AI to learn an organization’s communications history and prevent future spear phishing attacks. It combines three powerful layers: an artificial intelligence engine that stops spear phishing attacks in real-time, including emails that originate from within the company; domain fraud visibility using DMARC authentication to guard against domain spoofing and brand hijacking; and fraud simulation training for high-risk individuals.
User Training and Awareness — Employees should be regularly trained and tested to increase their security awareness of various targeted attacks. Simulated attack training is by far the most effective form of training. A solution like Barracuda PhishLine provides comprehensive, SCORM-compliant user training and testing as well as phishing simulation for emails, voicemail, and SMS along with other helpful tools to train users to identify cyberattacks.
Asaf Cidon is a professor of electrical engineering and computer science at Columbia University and a Barracuda adviser. He previously served as vice president of content security services at Barracuda Networks. In this role, he was one of the leaders for Barracuda Sentinel, the company's AI solution for real-time spear phishing and cyber fraud defense. Asaf was previously CEO and co-founder of Sookasa, a cloud storage security startup that was acquired by Barracuda. Prior to that, he completed his PhD at Stanford, where his research focused on cloud storage reliability and performance. He also worked at Google’s web search engineering team. Asaf holds a PhD and MS in Electrical Engineering from Stanford, and BSc in Computer Engineering from the Technion.