Barracuda research identifies new ways cyber criminals are using spear-phishing attacks

The new report shows that small businesses are three times more likely to be targeted than larger organisations and examined current trends in spear-phishing, the new tricks attackers are using to sneak past victims’ defences, and the number of accounts that are being compromised successfully. It also examined the best practices and technology that organisations should be using to defend against these types of attacks.

Between January 2021 and December 2021, Barracuda researchers analysed millions of emails across thousands of businesses. Here are some of the key takeaways from their analysis:

• An average employee of a small business with less than 100 employees will experience 350 per cent more social engineering attacks than an employee of a larger enterprise. Fifty-one per cent of social engineering attacks are phishing.
• Conversation hijacking, also known as vendor impersonation, is a type of targeted email attack in which cyber criminals insert themselves into existing business conversations or initiate new conversations based on information they’ve gathered from compromised email accounts or other sources. Conversation hijacking grew almost 270 per cent in 2021.
• Microsoft is one of the most impersonated brands. Around 57 per cent of phishing attacks impersonate one of Microsoft’s brands such as Microsoft 365, OneDrive, SharePoint or others.

Account takeover is one of the fastest growing threats

In 2021, roughly one in five organisations (20 per cent) had at least one of their Microsoft 365 accounts compromised. This means that in 2021, hackers managed to compromise around 500,000 Microsoft 365 accounts around the globe. Without the right level of protection, account takeover can go undetected and cause real damage to the organisation, its business partners and its customers.

WeTransfer provides online file transfer services, allowing users to share files of large sizes that they may not be sent directly through email. The brand was used in 17 per cent of phishing attacks. The company is well aware of their brand being used in these types of attacks, and they warn their users to be vigilant. Organisations should include WeTransfer scams as part of their security awareness training. Other brands that made it into the top 10 included DocSign, Google, DHL, USPS, and LinkedIn. Compromising any of these accounts will provide hackers with a wealth of personal information that they can exploit in further attacks.

Hackers target high-value accounts for takeover

Accounts of CEOs and CFOs are almost twice as likely to be taken over compared to average employees. Once they have access, cyber criminals use these high-value accounts to gather intelligence or launch attacks within an organisation. Executive assistants are also popular targets as they often have access to executive accounts and calendars and usually can send messages out on behalf of executive teams.

Barracuda researchers also found that one in three fraudulent logins into compromised accounts came from Nigeria. Once they’re inside an account, hackers create forwarding rules or scripts to hide and delete any email that they send from the compromised inbox. Suspicious inbox rules are often one of the signs of an account takeover. A full 36 per cent of organisations that had an account compromised had hackers set up malicious inbox rules to hide their activity. In fact, hackers on average created two rules for each compromised account. The research of almost 12,000 compromised accounts showed that they were used to send over three million malicious messages and spam in 2021.

VIEW ALL

According to Don MacLennan, SVP, engineering and product management, email protection at Barracuda, small businesses often have fewer resources and lack security expertise, which leaves them more vulnerable to spear-phishing attacks, and cyber criminals are taking advantage.

“That's why it’s important for businesses of all sizes not to overlook investing in security, both technology and user education.

“The damage caused by a breach, or a compromised account can be even more costly,” MacLennan said.

Best practices to protect against spear-phishing attacks

Organisations today face increasing threats from targeted phishing attacks. To protect businesses and users, enterprises need to invest in technology to block attacks, and in training to help people act as a last line of defence.

Key solutions include:

• Technology. Take advantage of artificial intelligence. Scammers are adapting email tactics to bypass gateways and spam filters, so it’s critical to have a solution in place that detects and protects against spear-phishing attacks, including business email compromise, impersonation and extortion attacks. Deploy purpose-built technology that doesn’t solely rely on looking for malicious links or attachments. Using machine learning to analyse normal communication patterns within your organisation allows the solution to spot anomalies that may indicate an attack.
• Deploy account-takeover protection. Many spear-phishing attacks originate from compromised accounts; be sure scammers aren’t using your organisation as a base camp to launch these attacks. Deploy technology that uses artificial intelligence to recognise when accounts have been compromised and that remediates in real time by alerting users and removing malicious emails sent from compromised accounts.
• Monitor inbox rules and suspicious logins. Use technology to identify suspicious activity, including logins from unusual locations and IP addresses, a potential sign of a compromised account. Be sure to also monitor email accounts for malicious inbox rules, as these are often used as part of account takeover. Criminals log into the account, create forwarding rules and hide or delete any email they send from the account to try to hide their tracks.
  Use multi-factor authentication. Multi-factor authentication, also called MFA, two-factor authentication and two-step verification, provides an additional layer of security above and beyond username and password, such as an authentication code, thumb print or retinal scan.
• Implement DMARC authentication and reporting. Domain spoofing is one of the most common techniques used in impersonation attacks. DMARC authentication and enforcement can help stop domain spoofing and brand hijacking, while DMARC reporting and analysis helps organisations accurately set enforcement.
  Automate incident response. An automated incident response solution will help you quickly clean up any threats found in users’ inboxes, which will make remediation more efficient for all messages going forward.
• Train staffers to recognise and report attacks. Educate users about spear-phishing attacks by making it a part of security- awareness training. Ensure staffers can recognise these attacks, understand their fraudulent nature, and know how to report these. Use phishing simulation for emails, voicemail and SMS to train users to identify cyber attacks, test the effectiveness of your training and evaluate the users most vulnerable to attacks.
• Review internal policies. Help employees avoid making costly mistakes by creating guidelines that put procedures in place to confirm requests that come in by email, including making wire transfers and buying gift cards.
• Maximise data-loss prevention. Use the right combination of technologies and business policies to ensure emails with confidential, personally identifiable and other sensitive information are blocked and never leave the company.

[Related: Cyber criminals on Darknet use crypto funds raised for Ukraine for fraud]