When it comes to IT security, most people are aware of the traditional ways in which cybercriminals go about their work. There are phishing scams, fake websites, infected email attachments, and even USB keys containing malicious code that springs into action when inserted into a personal computer or mobile device.
However, a relatively new entrant into the cybersecurity landscape is a strategy that is gaining traction among cybercriminals around the world. Dubbed conversation hijacking, it is becoming a popular way for criminals to mount an Account Takeover (ATO) attack that can be highly effective and alarmingly difficult to detect.
Research undertaken by Barracuda Networks, based on analysis of approximately 500,000 monthly email attacks, revealed a 400% increase in this threat vector over a 12-month period. It is likely that this growth rate will continue through this year.
Conversation hijacking occurs when a cybercriminal either inserts themselves into existing email conversations or begins new ones using information they have gleaned from compromised email accounts or other online sources.
On gaining access to an email account, the criminal spends time reading emails to learn as much as possible about the authorised user. This can be used to craft convincing fake emails and even trick users into sharing sensitive passwords, data, or access to secure servers.
Criminals can even use email-domain impersonation techniques. These allow them to create seemingly legitimate messages that appear to have come from a real address, such as the domain of another part of the business or of a trusted external party.
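Domain impersonation works because a lookalike address passes a casual glance. The following is an added example, not Barracuda's code or tooling: it folds commonly confused characters, applies a small edit-distance check against a constructed list of trusted domains, and flags senders whose domain borrows a trusted name as a label of an unrelated domain. The trusted domains, the sender addresses and the distance threshold are all assumptions for illustration.

```python
"""Classify a From: header as trusted, lookalike or unknown.

Added example, not the vendor's code. TRUSTED_DOMAINS and the sample
senders are constructed; tune max_distance for your own domain lengths,
since very short domains will sit within two edits of many others.
"""
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com", "acme-supplies.org"}  # constructed

# Characters that are routinely swapped because they look alike in many fonts.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise(domain: str) -> str:
    """Lower-case the domain and fold common look-alike substitutions."""
    d = domain.lower().strip(".").translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; small enough to inline for short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_from: str, trusted=TRUSTED_DOMAINS, max_distance=2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a From: header value."""
    _, addr = parseaddr(header_from)
    if "@" not in addr:
        return "unknown"
    domain = addr.rpartition("@")[2].lower()
    if domain in trusted:
        return "trusted"  # exact match on the real, registered domain
    norm = normalise(domain)
    labels = norm.replace("-", ".").split(".")
    for t in trusted:
        tn = normalise(t)
        # Same name once confusables are folded, or a typo-squat within a few edits.
        if norm == tn or edit_distance(norm, tn) <= max_distance:
            return "lookalike"
        # Trusted name reused as a label of an unrelated domain, e.g. example.com.evil-host.net
        if tn.split(".")[0] in labels:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for sender in ["Alice <alice@example.com>", "alice@examp1e.com",
                   "alice@exarnple.com", "alice@example.com.evil-host.net",
                   "bob@unrelated.net"]:
        print(f"{sender:45} -> {classify_sender(sender)}")
```

A result of "lookalike" is a routing signal for a mail gateway or a SIEM rule, not proof of fraud; it is most useful combined with the process controls described later in the article (out-of-band confirmation before any payment or data release).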
Overcoming the threat of conversation hijacking requires a mix of both security technologies and user education. This is because these attacks are much more sophisticated than standard phishing attempts.
Cybercriminals can spend months gathering enough intelligence to allow them to impersonate company executives, business partners or even customers. The tell-tale signs of a typical phishing scheme are not in evidence and so it can be much more challenging for both security teams and staff to spot a fraudulent email.
Some of the key steps that can be taken to reduce the likelihood of a successful conversation hijacking attack include:
• Education: Regular training of all staff is vital. This training should cover what these attacks look like, how they can be identified, and the danger they pose. It is also important that training is held at regular intervals so that new staff members are also made aware of the threat.
• Security policies: These should be designed to prevent data sharing and fraudulent money transfers, as it is natural for staff to let their guard down when they think they are working with a trusted colleague, partner, or customer. There should be formal requirements for things such as phone confirmations, in-person discussions, or third-party approvals.
• Protection platform: Multi-factor authentication adds a security layer, while advanced, AI-based solutions can help recognise compromised accounts automatically and alert users and IT security teams. Such AI-based tools can be very effective because they do not rely on finding malicious links or attachments to spot an attack. Instead, the machine learning engines in these solutions learn what normal communication patterns look like, and then spot deviations that might indicate a compromised account.
• Constant monitoring: Security tools can also help search for unusual IP addresses or logins from unexpected locations. Changes in email account inbox rules can also indicate an account takeover, so the ability to automatically monitor those changes is critical.
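The monitoring point above is concrete enough to show as detection logic. The following is an added example, not Barracuda's product or code: it triages a constructed batch of mailbox audit events, flagging newly created inbox rules that forward to an external address, hide mail in folders nobody reads, silently delete, or filter on payment-related subjects, and flagging the first successful login from a country the user has not been seen from before. The event schema, field names, domains, IP addresses and sample events are all constructed; a real deployment maps its provider's audit log into this shape.

```python
"""Triage mailbox audit events for account-takeover indicators.

Added example, not the vendor's code. The event schema and SAMPLE_EVENTS
are constructed; INTERNAL_DOMAIN and the keyword lists are assumptions.
"""
from collections import defaultdict

INTERNAL_DOMAIN = "example.com"  # constructed
SUSPECT_KEYWORDS = {"invoice", "payment", "wire", "bank", "password"}
HIDING_FOLDERS = {"rss subscriptions", "deleted items", "junk email", "archive"}


def check_inbox_rule(event):
    """Return the reasons a rule-creation event looks like post-compromise behaviour."""
    reasons = []
    p = event.get("params", {})
    for key in ("forward_to", "redirect_to"):
        for addr in p.get(key, []):
            if not addr.lower().endswith("@" + INTERNAL_DOMAIN):
                reasons.append(f"{key} external address {addr}")
    if p.get("delete_message"):
        reasons.append("rule silently deletes messages")
    if p.get("move_to_folder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to {p['move_to_folder']}")
    hit = {w.lower() for w in p.get("subject_contains", [])} & SUSPECT_KEYWORDS
    if hit:
        reasons.append("filters on " + ", ".join(sorted(hit)))
    return reasons


def check_logins(events):
    """Flag successful logins from a country not previously seen for that user.

    The first login in the window establishes the baseline; failed attempts
    are ignored so that a password-spray does not pollute it.
    """
    seen = defaultdict(set)
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] != "login" or not e.get("success"):
            continue
        user, country = e["user"], e["country"]
        if seen[user] and country not in seen[user]:
            alerts.append((e["ts"], user, country, e["ip"]))
        seen[user].add(country)
    return alerts


def triage(events):
    """Combine both checks into a sorted list of (ts, user, kind, detail)."""
    findings = []
    for e in events:
        if e["type"] == "inbox_rule":
            for r in check_inbox_rule(e):
                findings.append((e["ts"], e["user"], "inbox_rule", r))
    for ts, user, country, ip in check_logins(events):
        findings.append((ts, user, "login", f"first login from {country} ({ip})"))
    return sorted(findings)


# Constructed sample events (documentation IP ranges, placeholder users).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:00:00Z", "type": "login", "user": "alice", "success": True,
     "country": "AU", "ip": "203.0.113.10"},
    {"ts": "2024-05-02T08:05:00Z", "type": "login", "user": "alice", "success": True,
     "country": "AU", "ip": "203.0.113.10"},
    {"ts": "2024-05-02T23:41:00Z", "type": "login", "user": "alice", "success": True,
     "country": "DE", "ip": "198.51.100.7"},
    {"ts": "2024-05-02T23:44:00Z", "type": "inbox_rule", "user": "alice",
     "params": {"forward_to": ["ops-invoices@example.net"], "subject_contains": ["Invoice"],
                "move_to_folder": "RSS Subscriptions", "delete_message": False}},
    {"ts": "2024-05-02T09:00:00Z", "type": "login", "user": "bob", "success": True,
     "country": "AU", "ip": "203.0.113.22"},
    {"ts": "2024-05-02T09:10:00Z", "type": "inbox_rule", "user": "bob",
     "params": {"subject_contains": ["Weekly digest"], "move_to_folder": "Newsletters"}},
    {"ts": "2024-05-02T12:00:00Z", "type": "login", "user": "bob", "success": False,
     "country": "DE", "ip": "198.51.100.9"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

The value of the rule check is that it fires on the attacker's housekeeping rather than on message content: a forward to an outside mailbox combined with a move to "RSS Subscriptions" is how a hijacked thread stays invisible to the real account owner, and it shows up in the audit log minutes after the unfamiliar login.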
Private conversations are now a prime target for cybercriminals, writes Toni El Inati of Barracuda Networks.