The email you just received looks like it's from your boss, but is it? Account Takeover (ATO) attacks are giving cybercriminals the means to create believable phishing campaigns targeting businesses.
Black hats have stolen credentials from C-level executives and other employees with access to sensitive data, and are selling those credentials on the dark web. The credentials are then used to start Business Email Compromise (BEC) schemes. The emails sent during a BEC scheme come from the victim's real email address, allowing cybercriminals to masquerade as your peers and your boss. According to a report by the FBI, BEC attacks like these resulted in a total loss of $675 million for U.S. firms in 2017.
In late September, Barracuda released a study that followed the recent upsurge in ATO attacks. The study tracked 50 random accounts over a three-month period between April and June. Throughout this period, researchers found 60 different ATO attacks, and four to eight organizations reported at least one incident each month. Asaf Cidon, Vice President of Email Security at Barracuda, stated that ATO attacks are a new form of phishing: the techniques are the same as before, and the difference is the use of real credentials.
The recent growth of ATO attacks is credited to a few factors. The first is the increasing number of organizations that have moved their email accounts to the cloud. This establishes a precedent of email accounts being accessed remotely, making it easier for impostors to log in undetected. Another factor is the growth of the stolen-credentials market on the deep web. The final factor is the advancement of modern cybersecurity solutions. Current-generation security products have gotten pretty good at detecting malware attacks and stopping them before they can affect a system. Because of these advancements, attackers are scrambling to find new ways to monetize their attacks, and ATO attacks are a simple and effective way for hackers to make a profit.
ATO attacks can be monetized in a variety of ways. 78% of the recorded attacks resulted in a phishing email campaign intended to spread malware such as ransomware and cryptojacking software, as well as to gather sellable data. 17% of the attacks resulted in spam campaigns, which use the organization's reputable domain and IP address to bypass junk filters. Surprisingly, only 5% of the attacks targeted the organization's internal email traffic. Most email security solutions won't scan internal mail for threats, so these internal attacks attach malicious files to emails that are then sent within the organization. Unsurprisingly, attachments sent internally are also more likely to be clicked, making ATO attacks an easy way to infect a network with malware.
So, how can you defend yourself and your network? There's one simple answer: invest in creating a culture of cybersecurity-educated employees. Through education, users can be trained to look out for inconsistencies in email messages and to refrain from clicking on malicious links. It's also wise to invest in an email security solution that can detect account takeover attacks and highly targeted phishing campaigns. Don't let these costumed menaces trick you. Make sure you look behind the mask before clicking that link.