When it comes to IT security, most people are well aware of the traditional ways in which cyber criminals go about their work.
There are phishing scams, fake websites, infected email attachments, and even USB keys containing malicious code that springs into action when inserted into a personal computer or mobile device.
However, there is now another strategy that’s gaining traction among cyber crooks around the world. Dubbed ‘conversation hijacking’, it’s becoming a popular way for criminals to mount an Account Takeover (ATO) attack that can be highly effective and alarmingly difficult to detect.
Research undertaken by Barracuda Networks, based on analysis of approximately 500,000 monthly email attacks, revealed a 400 per cent increase in a 12-month period. It’s likely that this growth rate will continue during 2021.
Conversation hijacking occurs when a cyber criminal either inserts themselves into existing email conversations or begins new ones using information they have gleaned from a compromised email account or other online source.
Once they have gained access to an email account, the criminal spends time reading emails to learn as much as possible about the authorised user. This can be used to craft convincing fake emails and even trick users into sharing sensitive passwords, data, or access to secure servers.
Criminals can even use email-domain impersonation techniques. These allow them to create seemingly legitimate messages that appear to have come from a real address, such as the domain of another part of the business or of a trusted external party.
Mix of technology and education
Overcoming the threat of conversation hijacking requires a mix of both security technologies and user education. This is because these attacks are much more sophisticated than standard phishing attempts.
Cyber criminals can spend months gathering enough intelligence to allow them to impersonate company executives, business partners or even customers. The tell-tale signs of a typical phishing scheme are not in evidence and so it can be much more challenging for both security teams and staff to spot a fraudulent email.
This is why employee training is so vital. According to the ACSC Small Business Survey Report (July 2020), “nearly one in 10 were unable to explain cyber threat terminology such as malware, phishing, ransomware or insider threats”. The OAIC Notifiable Data Breaches Report: January-July 2020 also found that 34 per cent of all breaches result from human error. Staff need to understand that they must watch for signs of a potential account takeover. They also need to be on watch for suspicious communications or requests that seem out of the ordinary, such as an odd request for a bill payment or an email seeking login or security details.
Some of the key steps that can be taken to reduce the likelihood of a successful conversation hijacking attack include:
- Education: Regular training of all staff is vital. This training should cover what these attacks look like, how they can be identified, and the danger they pose. It’s also important that training is held at regular intervals so that new staff members are also made aware of the threat.
- Security policies: Strong internal security policies need to be adopted and followed across the organisation. These should be designed to prevent data sharing and fraudulent money transfers, as it’s natural for staff to let their guard down when they think they are working with a trusted colleague, partner, or customer. There should be formal requirements for things such as phone confirmations, in-person discussions, or third-party approvals.
- Protection platform: It’s important to implement email hijacking protection as part of a robust, comprehensive cybersecurity platform. Multi-factor authentication (MFA) adds a security layer, while advanced, artificial intelligence-based solutions can help recognise compromised accounts automatically and alert users and IT security teams. Such AI-based tools can be very effective as they do not rely on looking for malicious links or attachments to spot vulnerabilities. Instead, the machine learning (ML) engines in these solutions learn what normal communication patterns look like, and then spot deviations that might indicate a compromised account.
- Constant monitoring: At all times, it is necessary to keep a close eye on account logins and domain registrations. Security tools can also help search for unusual IP addresses or logins from unexpected locations. Changes to email account inbox rules can also indicate an account takeover, so the ability to monitor those changes automatically is critical. Monitor for similar-sounding domain registrations and other indicators that an attack might be underway or that someone is planning a future attack.
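As an added illustration of the domain monitoring described above (this is example code written for this article, not part of any Barracuda product), the following Python check flags a sender domain that is a homoglyph or one-to-two-character variant of a domain the organisation trusts. The trusted domain list and the confusable-character table are constructed and deliberately partial.

```python
import unicodedata

# Constructed sample: domains this organisation legitimately corresponds with.
TRUSTED_DOMAINS = {"example-partner.com", "examplebank.com.au"}

# Assumed (partial) table of characters that look alike in common mail-client fonts.
# Multi-character keys are applied first so "rn" becomes "m" before "n" is touched.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"), ("\u0441", "c"),
]


def normalise(domain: str) -> str:
    """Canonicalise a domain so visually similar spellings compare equal."""
    d = domain.strip().rstrip(".").lower()
    try:
        d = d.encode("ascii").decode("idna")  # expand punycode (xn--) labels if present
    except UnicodeError:
        pass  # already Unicode, or a malformed label: compare as given
    d = unicodedata.normalize("NFKC", d)
    for lookalike, canonical in CONFUSABLES:
        d = d.replace(lookalike, canonical)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, closest trusted domain or None) for a sender's domain."""
    if domain.lower() in trusted:
        return "trusted", domain.lower()
    norm = normalise(domain)
    dist, closest = min((levenshtein(norm, normalise(t)), t) for t in trusted)
    if dist == 0:
        return "lookalike-homoglyph", closest  # differs only in confusable characters
    if dist <= max_distance:
        return "lookalike-typo", closest       # one or two edits from a trusted domain
    return "unrelated", None


if __name__ == "__main__":
    for d in ["examplebank.com.au", "examp1ebank.com.au", "example-partner.co", "unrelated-corp.org"]:
        print(d, "->", classify_sender_domain(d))
```

Run the same check over newly registered domains from a certificate-transparency or WHOIS feed to catch a lookalike before it is used, and over the From: domain of inbound mail to alert on one already in play.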
Although awareness of conversation hijacking is still relatively low within many Australian organisations, the potential threats it can create are significant. By taking time to understand the threat and the best means of guarding against it, businesses can reduce the chances that they will become a victim in the coming year.
Luke Smith is the regional account director, APAC, at Barracuda MSP.