Lateral phishing: The latest in email account takeover

Attackers are adapting their methods and finding new ways to exploit compromised email accounts, as account takeover continues to be one of the fastest growing email security threats. 

According to new research from Barracuda, which teamed up with researchers at UC Berkeley and UC San Diego, there is a new and growing type of account takeover attack called lateral phishing. The study found that 1 in 7 organisations experienced lateral phishing attacks over the past seven months.

Of the organisations that experienced lateral phishing, more than 60% had multiple compromised accounts. Some had dozens of compromised accounts that sent lateral phishing attacks to additional employee accounts and users at other organisations. In total, researchers identified 154 hijacked accounts that collectively sent hundreds of lateral phishing emails to more than 100,000 unique recipients.

Attackers use hijacked accounts they've recently compromised to send phishing emails to an array of recipients, ranging from close contacts within the company to partners at other organisations.

According to Barracuda, one of the most striking aspects of this emerging attack is the scale of potential victims that the attackers target. In total, attackers attempted to use the hijacked accounts to send phishing emails to over 100,000 unique recipients. 

While roughly 40% of these recipients were fellow employees at the same company as the hijacked account, the remaining 60,000 recipients spanned a range of victims, from personal email addresses that might have been drawn from the hijacked account's contact book to business email addresses of employees at partner organisations. 

Due to the implicit trust in the legitimate accounts they've compromised, attackers often use compromised accounts to send lateral phishing emails to dozens, if not hundreds, of other organisations so they can spread the attack more broadly, Barracuda says. However, by targeting such a wide range of victims and external organisations, these attacks ultimately lead to increasingly large reputational harm for the initial victim organisation.

In an upcoming study, Barracuda says it will dive deeper and explore the range of content, strategies, success, and sophistication that these lateral phishing attacks exhibit. A full-length paper on this research will also be presented at the USENIX Security Symposium, one of the top conferences for security research.

How to defend against lateral phishing
Barracuda says there are three critical precautions organisations can take to help protect themselves against lateral phishing attacks: security awareness training, advanced detection techniques, and two-factor authentication.

1. Security awareness training
Improving security awareness training and making sure users are educated about this new class of attacks will help make lateral phishing less successful. Unlike traditional phishing attacks, which often use a fake or forged email address to send the attack email, lateral phishing attacks are sent from a legitimate, but compromised, account. As a result, telling users to check the sender properties or email headers to identify a fake or spoofed sender no longer applies.

Users can often still carefully check the URL of any link before they click it to help them identify a lateral phishing attack. It is important that they check the actual destination of a link in any email, and not just the URL text that is displayed in the email.
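The "check the real destination, not the displayed text" advice above can also be automated on the mail gateway. The following is an added example, not Barracuda's code: it parses an HTML message body, collects every link, and flags anchors whose visible text looks like a URL on one host while the href actually points at another. The sample message and all host names in it are constructed.

```python
"""Flag links in an HTML email whose visible text points somewhere other than
the real destination. Added example, not Barracuda's code; sample constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible_text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lowercase hostname of a URL or URL-looking text ('' if none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def find_mismatched_links(html):
    """Return (shown_text, href) for links whose displayed text names a host
    other than the real destination. Non-URL text such as 'here' is skipped."""
    parser = LinkCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        looks_like_url = "." in text and " " not in text
        shown = host_of(text) if looks_like_url else ""
        if shown and host_of(href) and shown != host_of(href):
            suspicious.append((text, href))
    return suspicious


# Constructed sample message, as if sent from a compromised colleague's account
SAMPLE_EMAIL = ('<p>Hi team, the shared file is here: <a href="https://login.'
                'example-files.invalid/x">https://sharepoint.example.com/doc</a>'
                ' and the intranet is <a href="https://intranet.example.com">here</a></p>')
```

Links whose text is a word like "here" are deliberately not flagged, since the displayed text makes no claim about the destination; those still need the hover check the article describes.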

2. Advanced detection techniques 
Lateral phishing represents a sophisticated evolution in the space of email-based attacks. Because these phishing emails now come from a legitimate email account, these attacks are becoming increasingly difficult for even trained and knowledgeable users to detect. Organisations should invest in advanced detection techniques and services that use artificial intelligence and machine learning to automatically identify phishing emails without relying on users to identify them on their own. 

3. Two-factor authentication
Finally, one of the most important things that organisations can do to help mitigate the risk of lateral phishing is to use strong two-factor authentication (2FA), such as a two-factor authentication app or a hardware-based token if available. While non-hardware-based 2FA solutions remain susceptible to phishing, they can help limit and curtail an attacker's access to compromised accounts.
