Campbell, California-based information technology security solutions provider Barracuda Networks has found a 400% rise in domain-impersonation attacks used for conversation hijacking.
Although not as common as phishing, domain-impersonation attacks have grown both in terms of sophistication and frequency.
Conversation hijacking criminals insert themselves into existing business conversations or initiate new conversations based on information they collect from a compromised email account.
Attackers read through emails and monitor the compromised account to understand business operations and learn about deals in progress, payment procedures, and other details.
In domain impersonation, including typo-squatting, cybercriminals use various techniques such as replacing one letter in a legitimate URL with a similar letter or adding an unnoticeable letter to the legitimate URL.
Generic fake emails have been around for quite a while now. The report, Barracuda Threat Spotlight for the month of Jan 2020, highlights how cybercriminals are using conversation hijacking to steal money and sensitive personal information. In other words, attacks are now more personal and difficult to detect.
Late last year, a Chinese venture capital firm lost $1 million when hackers inserted themselves in the conversation between the firm and a startup and siphoned off the money. In this case, hackers intercepted communication and created fake domains to dupe the firm.
In the current study, researchers at Barracuda saw a 400% increase in domain-impersonation attacks used for conversation hijacking. In July 2019, there were about 500 of this type of domain-impersonation attack in the emails analysed, and that number grew to more than 2,000 in November. For the study, researchers looked at data of some 500,000 monthly email attacks.
“While the volume of conversation hijacking in domain-impersonation attacks is extremely low compared to other types of phishing attacks, these sophisticated attacks are very personalized, making them effective, hard to detect and costly,” Barracuda said in a statement.
Cybercriminals rarely use the compromised accounts for conversation hijacking. Instead, attackers use email-domain impersonation. Criminals are also spending more time and effort in attacks in the hopes of a larger payout. In the case of the aforementioned Chinese firm, hackers read through several emails and created domains with an extra “s” at the end of the domain name to avoid detection.
“They leverage information from the compromised accounts, including internal and external conversations between employees, partners, and customers, to craft convincing messages, send them from impersonated domains, and trick victims into wiring money or updating payment information,” according to the statement.
Barracuda has also listed out ways in which companies can avoid email attacks.
Educate employees about email attacks, including conversation hijacking and domain impersonation, as part of security awareness training. Ensure staffers can recognise attacks and know how to report them instantly.
Deploy account-takeover protection
Use multi-factor authentication to provide an additional layer of security above and beyond a username and password. This could block possible scammers from hijacking an organisation's accounts.
Monitor inbox rules, account logins, and domain registrations
Make sure to monitor email accounts for malicious inbox rules, as they are often used as part of account takeover. Criminals log into the compromised account, create forwarding rules, and hide or delete any email they send from the account, to try to cover their tracks. Keep an eye on new domain registrations that could potentially be used for impersonation through typo-squatting techniques. Many organisations choose to purchase domains that are closely related to their own to avoid potential fraudulent use by cybercriminals.
Leverage artificial intelligence
Scammers are adapting email tactics to bypass gateways and spam filters, so it’s critical to have a solution in place that uses artificial intelligence to detect and block attacks, including account takeover and domain impersonation.
Strengthen internal policies
Help employees avoid making costly mistakes by creating guidelines and putting procedures in place to confirm all email requests for wire transfers and payment changes. Require in-person or telephone confirmation and/or approval from multiple people for all financial transactions.
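The domain-registration monitoring recommended above can be partly automated. As an added example (not from Barracuda's report or this article), the Python script below checks a feed of newly registered domains against a protected domain for the patterns described earlier: a swapped or look-alike letter, or an added letter such as a trailing "s". The domain names, the `CONFUSABLES` table and all function names are constructed for illustration, and inputs are assumed to be registrable domains of the form `name.tld`.

```python
# Added example; every domain name below is constructed sample data.
CONFUSABLES = {"0": "o", "1": "l", "5": "s", "rn": "m", "vv": "w"}  # small subset

def split_domain(domain):
    """Split a registrable domain 'name.tld' into (name, tld)."""
    name, _, tld = domain.lower().strip(".").rpartition(".")
    return name, tld

def normalize(label):
    """Map look-alike characters to the letters they imitate."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate, protected):
    """Return why candidate resembles protected, or None if it does not."""
    c_name, c_tld = split_domain(candidate)
    p_name, p_tld = split_domain(protected)
    if (c_name, c_tld) == (p_name, p_tld):
        return None  # the organisation's own domain
    if c_name == p_name:
        return "same name, different TLD"
    if normalize(c_name) == normalize(p_name):
        return "look-alike characters"
    if edit_distance(c_name, p_name) == 1:
        return "one-character edit"  # e.g. an extra trailing "s"
    return None

def scan(new_registrations, protected):
    """Return {domain: reason} for registrations worth a manual review."""
    return {d: r for d in new_registrations if (r := classify(d, protected))}

PROTECTED = "example-corp.com"
FEED = ["example-corps.com", "exarnple-corp.com", "examp1e-corp.com",
        "example-corp.net", "unrelated-shop.com", "example-corp.com"]

if __name__ == "__main__":
    for domain, reason in scan(FEED, PROTECTED).items():
        print(f"{domain}: {reason}")
```

A hit is a prompt for manual review, not proof of fraud; short names in particular produce many harmless one-character neighbours.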