In recent months, Barracuda Networks researchers have seen a sharp rise in domain impersonation attacks used to facilitate conversation hijacking. An analysis of circa 500,000 monthly e-mail attacks shows a 400% increase in domain impersonation attacks used for conversation hijacking. In July 2019, there were about 500 of this type of domain impersonation attack in the e-mails analysed, with that number growing to more than 2,000 in November.
While the volume of conversation hijacking in domain impersonation attacks is extremely low compared to other types of phishing attacks, these sophisticated attacks are very personalised, in turn making them effective, hard to detect and costly.
When it comes to conversation hijacking, cyber criminals insert themselves into existing business conversations or initiate new conversations based on information they’ve gathered from compromised e-mail accounts or other sources. Conversation hijacking is typically, but not always, part of an account takeover attack. Attackers spend time reading through e-mails and monitoring the compromised account to understand business operations and learn about deals in progress, payment procedures and other details.
Cyber criminals rarely use the compromised accounts for conversation hijacking. Instead, attackers use e-mail domain impersonation. They leverage information from the compromised accounts, including internal and external conversations between employees, partners and customers to craft convincing messages, send them from impersonated domains and trick victims into wiring money or updating payment information.
Planning and launching attacks
Cyber criminals spend time planning conversation hijacking before launching attacks. They use account takeover or research the target organisation to understand business transactions and prepare for attacks.
To execute conversation hijacking attacks, cyber criminals use domain impersonation, including typo-squatting techniques, such as replacing one letter in a legitimate URL with a similar letter, or adding an unnoticeable letter to the legitimate URL. In preparation for the attack, cyber criminals will register or buy the impersonating domain.
Domain impersonation is a very high impact attack. It can be easy to miss the subtle differences between the legitimate URL and the impersonated URL. For example, an attacker trying to impersonate barracudanetworks.com would use a very similar URL: barracudanetworcom, barracacom, barracudanetecom or barrracudanetecom
Sometimes, an attacker changes the Top Level Domain, using .net or .co instead of .com to fool victims.
Cyber criminals invest a lot of time, effort and money to register an impersonating domain and hijack a conversation. Attackers don’t always use the compromised e-mail accounts to perform the impersonation attacks, though, because the owner of the compromised account is more likely to notice the fraudulent communication.
In addition, accounts don’t usually stay compromised for a long period of time, but conversation hijacking can involve weeks of continuous communication between the attacker and the victim. As a result, when using domain impersonation, attackers take the conversation outside the organisation. This allows them to proceed with the attacks even if the accounts that were previously taken over have been secured and remediated.
Ultimately, the goal of these attacks is to trick victims into wiring money, making a payment of some kind or change payment details. Domain impersonation and conversation hijacking require an investment of both time and money from the attacker. From the attacker’s perspective, however, the cost is worth it because these personalised attacks are often more successful at tricking victims than other less sophisticated phishing attacks.
Protecting against conversation hijacking
Barracuda Networks advises organisations to use a variety of cyber security technology and techniques to protect your business from conversation hijacking:
Train employees to recognise and report attacks
Educate users about e-mail attacks, including conversation hijacking and domain impersonation, as part of security awareness training. Ensure staff members can recognise attacks, understand their fraudulent nature and know how to report them. Use phishing simulation to train users to identify cyber attacks, test the effectiveness of your training and evaluate those users most vulnerable to attacks.
Deploy account takeover protection
Many conversation hijacking attacks will start with account takeover, so be sure that scammers are not using your organisation to launch them. Use multi-factor authentication to provide an additional layer of security above and beyond a username and password. Deploy technology that recognises when accounts have been compromised and that remediates in real-time by alerting users and removing malicious e-mails sent from compromised accounts.
Monitor inbox rules, account logins and domain registrations
Use technology to identify suspicious activity, including logins from unusual locations and IP addresses, which is a potential sign of a compromised account. Be sure to also monitor e-mail accounts for malicious inbox rules, as they’re often used as part of account takeover. Criminals log into the compromised account, create forwarding rules and hide or delete any e-mail they send from the account in order to try to cover up their tracks. Keep an eye on new domain registrations that could potentially be used for impersonation through typo-squatting techniques. Many organisations choose to purchase domains that are closely related to their own to avoid the potential fraudulent use by cyber criminals.
Leverage Artificial Intelligence
Scammers are adapting e-mail tactics to bypass gateways and spam filters, so it’s critical to have a solution in place that uses Artificial Intelligence to detect and block attacks, including account takeover and domain impersonation. Deploy purpose-built technology that doesn’t rely solely on looking for malicious links or attachments. Using machine learning to analyse normal communication patterns within your organisation allows the solution to spot anomalies that may indicate an attack.
Strengthen internal policies
Help employees to avoid making costly mistakes by creating guidelines and putting procedures in place to confirm all e-mail requests for wire transfers and payment changes. Require in-person or telephone confirmation and/or approval from multiple people for all financial transactions.