
Evasive Domain-Impersonation Phishing Attacks Increase by 400%

Barracuda says that while the number of domain-impersonation attempts is far fewer than for other phishing attacks, their targeted, sophisticated nature makes them costly and tough to detect.

Barracuda researchers detected a 400 percent increase in domain-impersonation attacks aimed at conversation hijacking since July. While the method is used far less frequently than other phishing attack methods, its sophisticated, targeted nature makes the threat much more effective.

The research team analyzed more than 500,000 monthly email attacks from July 2019 to November 2019. In July, they detected just 500 of this type, compared with more than 2,000 attempts in November.

Hackers leverage conversation hijacking to steal money or sensitive personal information, or to change payment details: an attacker sends emails within an actual, ongoing conversation from the victim’s email account. Some malware variants, such as Emotet, can compose these attack emails from infected accounts.

Barracuda explained that the hackers will also initiate new conversations based on intel they’ve collected from compromised accounts or other sources.

“Conversation hijacking is typically, but not always, part of an account-takeover attack,” researchers wrote. “Attackers spend time reading through emails and monitoring the compromised account to understand business operations and learn about deals in progress, payment procedures, and other details.”

“Cybercriminals rarely use the compromised accounts for conversation hijacking. Instead, attackers use email-domain impersonation,” they added. “They leverage information from the compromised accounts, including internal and external conversations between employees, partners, and customers, to craft convincing messages, send them from impersonated domains, and trick victims into wiring money or updating payment information.”

To accomplish this, hackers use domain impersonation, including typo-squatting techniques in which one letter of a legitimate URL is replaced with a similar-looking letter, or a letter is added to the URL. The attacks are highly personal in nature, and researchers explained that it is easy to miss the subtle changes in the URL.

It is a time-consuming process: attackers plan the conversation hijacking before launching an attack, through research on the target organization or through account takeover.

“Attackers don’t always use the compromised email accounts to perform the impersonation attacks, though, because the owner of the compromised account is more likely to notice the fraudulent communication,” researchers explained.

“Accounts don’t usually stay compromised for a long period of time, but conversation hijacking can involve weeks of continuous communication between the attacker and victim,” they added. “As a result, when using domain impersonation, attackers take the conversation outside the organization.”

This means hackers can continue with the attack, even if the breached organization secures and remediates the accounts they’ve previously compromised.

Prevention Techniques for the Workforce

To prevent falling victim, Barracuda made several recommendations centered around employee training, account-takeover protection tools, access control monitoring, AI, and strengthening internal security policies.

While many healthcare organizations provide employees with some form of security training, conversation hijacking and domain impersonation should be included in awareness training to ensure employees can identify the attacks, understand their fraudulent nature, and know how to report them to the appropriate people.

Phishing simulation should also be used to train employees around how to identify cyberattacks, with researchers stressing that those users should be tested to evaluate the effectiveness of the training and determine the users most vulnerable to attacks.

Lastly, organizations need to develop guidelines and procedures that mandate that all email requests for wire transfers or payment changes be confirmed first, by requiring in-person or telephone confirmation or approval from more than one person.

Technology Recommendations

Multi-factor authentication adds another layer of security for email systems; an earlier Microsoft report shows MFA blocks 99.9 percent of automated attacks. There is also technology available that recognizes when accounts are compromised and remediates the breach in real time through alerts and by removing malicious emails.

Organizations can also deploy tools that identify suspicious activity, such as unusual logins.

“Be sure to also monitor email accounts for malicious inbox rules, as they are often used as part of account takeover,” researchers wrote. “Criminals log into the compromised account, create forwarding rules, and hide or delete any email they send from the account, to try to cover their tracks.”

“Keep an eye on new domain registrations that could potentially be used for impersonation through typo-squatting techniques,” they added. “Many organizations choose to purchase domains that are closely related to their own to avoid the potential fraudulent use by cybercriminals.”
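The typo-squatting variants described above (one letter swapped for a similar one, or a letter added) can be screened for automatically when reviewing new domain registrations or inbound sender domains. The following is an added example, not Barracuda's tooling; the protected domain, the sample registration feed and the homoglyph table are constructed assumptions.

```python
# Constructed example: the protected domain, sample feed and homoglyph table
# are assumptions, not data from the Barracuda research. The table lists
# character sequences commonly swapped for a visually similar one.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}

def normalize(label: str) -> str:
    """Fold look-alike sequences so 'exarnple' and 'examp1e' read as 'example'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: a substitution, insertion or deletion each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain: str) -> str:
    """Second-level label ('example' from 'mail.example.com'); assumes a
    one-label public suffix such as .com, so .co.uk-style suffixes mislabel."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify_domain(domain: str, protected: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for one sender domain."""
    domain = domain.lower()
    if domain == protected or domain.endswith("." + protected):
        return "legitimate"
    label, legit = registrable_label(domain), registrable_label(protected)
    # Raw distance catches an added or dropped letter; the normalized distance
    # catches similar-letter swaps ('rn' for 'm') that a plain edit count would
    # score as two changes. A swapped TLD scores 0 and is flagged as well.
    d = min(edit_distance(label, legit),
            edit_distance(normalize(label), normalize(legit)))
    return "lookalike" if d <= 1 else "unrelated"

def flag_registrations(new_domains, protected: str) -> list:
    """Filter a feed of newly registered domains to those worth watching."""
    return [d for d in new_domains if classify_domain(d, protected) == "lookalike"]

if __name__ == "__main__":
    feed = ["examp1e.com", "exarnple.com", "examplle.com", "example.net", "other.org"]
    print(flag_registrations(feed, "example.com"))
```

Adjacent-letter transpositions ("exampel") score 2 under plain Levenshtein and slip through this threshold; a Damerau-Levenshtein variant would catch them.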

Given the sophistication of the attack method, machine learning, AI, or other purpose-built technology that does not rely simply on looking for malicious attachments or links is most effective. Such tools can analyze normal communication patterns and detect anomalies that may indicate account compromise.
