A growing threat targeting the enterprise are phishing scams targeting users from compromised email accounts in the same organization. This type of attack is called lateral phishing as it is conducted from an email address within, rather than outside, the organization.
When attackers perform a phishing attack, the goal is to convince the target that the email is legitimate so as to coerce them into performing a particular action. What better way to convince a user that an email is legitimate then using a hacked email account from someone they normally correspond with?
In a new report conducted by Barracuda, UC Berkeley and UC San Diego, researchers analyzed lateral phishing attacks conducted against nearly 100 organizations and the tactics and outcomes of these campaigns.
Unlike BEC scams, that also utilize compromised email accounts, lateral phishing scams are typically used for credential theft rather than to convince an organization to wire money to fraudulent bank accounts.
Lateral phishing attacks are successful
While studying 180 lateral phishing attacks, the researchers determined that 11% of the attacks were successful in compromising other victims in the same organization. Furthermore, of these attacks, 42% were not reported to the organizations IT department or security team, which may have allowed the accounts to be used for multiple attacks.
When performing the attacks, the scammers either performed agnostic and opportunistic attacks, targeted a particular recipient, sent the email out to the entire organization, or sent them outside an organization to their partners.
Of the all of these targeting strategies, 45% of them appeared to opportunistic, or agnostic, targeting.
When performing the attacks, the researchers found that the majority pretended to be either alerts stating there was a problem with the recipient’s email account or a link to a shared document. These emails would contain links that brought the recipients to phishing sites containing fake login forms that would be used to steal credentials.
Of these emails, most used generic messages or enterprise-focused message, but a small percentage were highly targeted towards a particular organization.
“Among the incidents studied, 63 percent of the attacks used commonplace variants of the “shared document” and “account problem” messages (e.g., “You have a new shared document”). However, 30 percent of the incidents used more refined messages, modifying the language to target enterprise organizations (e.g., “Updated work schedule. Please distribute to your teams”). In the most sophisticated approach, 7 percent of the attacks involved highly targeted content that was specific to the hijacked account’s organization.”
To avoid being detected by the owner of the hacked account, some attackers would actively delete emails that they send and receive. Some attackers would also reply to messages from recipients assuring them that their emails are legitimate.
As these types of attacks are conducted by active participants who look like legitimate organization members, they can be quite convincing to users who receive them. Due to this, the best prevention tactic is to protect the accounts from being hacked in the first place.
Barracuda suggests that organization enable and require the use of two-factor authentication to protect the accounts from being hacked. They also suggest that organizations engage in security awareness training and utilize and invest in security software that can help detect these types of attacks.
Not only the enterprise
While successful enterprise attacks can ultimately bring more revenue, lateral phishing attack are also targeting personal email accounts.
For example, an attacker could hack a personal email account and then send emails out to all of their contacts stating that they are stuck overseas and have had their money stolen. They then ask the recipient to wire money to them so they can get back home.
This is not a theoretical attack, but one that I actually received when a family member’s email account was hacked.
Thankfully, I was familiar with this type of attack, but some could possibly fall for this and send money to the “stranded” victim.
When receiving any email asking for money, you should always call the person’s phone number directly and confirm that they are indeed in trouble.