Phishing attacks have been a cybersecurity issue for a long time, with criminals sending out vast waves of emails in an attempt to dupe victims into clicking on malicious links, downloading malware or handing over their passwords via fake login portals.
They range from basic, generic attacks claiming that the victim has won a prize and they just need to click a link to retrieve it, to more targeted campaigns which send corporate emails designed to look legitimate for the intended target. For example, it’s common for cyber criminals to send emails posing as company’s CEO to that company’s employees in an attempt to trick the user into following orders from their ‘boss’.
But increasingly, cyber criminals are looking to exploit the actual email accounts of real users by hacking into accounts and hijacking ongoing conversations in order to send phishing emails.
These conversation hijacking attacks have the potential to be more effective because the source of the email is someone the victim trusts and the message comes as part of an ongoing thread, so doesn’t look as suspicious as an unexpected email coming out of the blue and asking for a file to be downloaded or a link to be clicked.
According to cybersecurity researchers at Barracuda Networks, conversation hijacking attacks grew by almost 270% in 2021 alone.
These attacks begin by hackers taking over the email account of a victim which the attackers can then use to lure other victims into responding to messages.
SEE: Cybersecurity: Let’s get tactical (ZDNet special report)
Once in control of an account, the attackers take the time to read their emails and monitor their ongoing communications to understand more the day-to-day activities of the user, how they communicate with internal and external contacts, along with gaining information about business operations, payment procedures and potential deals in progress.
Cyber criminals use this information to craft authentic-looking and convincing messages which appear in ongoing conversations, asking users to click a malicious link or download a malicious attachment – all in the correct context of the situation.
Conversation hijacking attacks take more time and effort than regular phishing attacks – but for the cyber criminals, patience can be extremely rewarding.
“Although there is a lot of upfront work, when conversation hijacking is done “right,” it can have a huge payout for cyber criminals. The number is growing because it’s very difficult to detect, success rates can be high and payouts are big,” Mike Flouton, VP Product Management at Barracuda Networks told ZDNet.
While conversation hijacking only makes up a small number of social engineering attacks – researchers say they account for 0.3% – the high success rate of the attacks means that it’s likely that more cyber criminals will turn to them.
“I expect that the number of these instances will continue to grow in the coming years,” said Flouton.
But like with other phishing attacks, it’s possible to protect users from conversation hijacking attacks.
Strong passwords should be applied to accounts so hackers can’t easily crack them. Users should also use multi-factor authentication to add an extra barrier to cyber criminals simply being able to login to accounts with stolen passwords. And if a password is suspected of being stolen, it should be changed.
For organisations, it’s recommended that account-takeover protection is applied and that inboxes and networks are monitored to register suspicious activity, particularly if logs show that the user has seemingly accessed their account from a new location or a different time zone. Staff should also be trained to recognise and report suspected phishing attacks.
Ultimately, the reason conversation hijacking attacks are being deployed is because they’re successful. Therefore, organisations and their information security teams should have plans in place about how to deal with a successful attack.
“Make sure you are prepared for a cyber attack – have a well thought out response plan in place that will help you recover quickly,” said Flouton.
MORE ON CYBERSECURITY