Story image

Lateral phishing: The latest in email account takeover

Attackers are adapting their methods and finding new ways to exploit compromised email accounts, as account takeover continues to be one of the fastest growing email security threats. 

According to new research from Barracuda, who teamed up with researchers at UC Berkley and UC San Diego, there is a new and growing type of account takeover attacks called lateral phishing. The study found 1 in 7 organisations experienced lateral phishing attacks over the past seven months. 

Of the organisations that experienced lateral phishing, more than 60% had multiple compromised accounts. Some had dozens of compromised accounts that sent lateral phishing attacks to additional employee accounts and users at other organisations. In total, researchers identified 154 hijacked accounts that collectively sent hundreds of lateral phishing emails to more than 100,000 unique recipients.

Attackers use hijacked accounts they've recently compromised to send phishing emails to an array of recipients, ranging from close contacts within the company to partners at other organisations.

According to Barracuda, one of the most striking aspects of this emerging attack is the scale of potential victims that the attackers target. In total, attackers attempted to use the hijacked accounts to send phishing emails to over 100,000 unique recipients. 

While roughly 40% of these recipients were fellow employees at the same company as the hijacked account, the remaining 60,000 recipients spanned a range of victims, from personal email addresses that might have been drawn from the hijacked account's contact book to business email addresses of employees at partner organisations. 

Due to the implicit trust in the legitimate accounts they've compromised, attackers often use compromised accounts to send lateral phishing emails to dozens, if not hundreds, of other organisations so they can spread the attack more broadly, Barracuda says. However, by targeting such a wide range of victims and external organisations, these attacks ultimately lead to increasingly large reputational harm for the initial victim organisation.

In an upcoming study, Barracuda says it will diver deeper and explore the range of content, strategies, success, and sophistication that these lateral phishing attacks exhibit. A full length paper on this research will also be presented at the Usenix Security Symposium, one of the top conferences for security research.

How to defend against lateral phishing
Barracuda says there are three critical precautions organisations can take to help protect themselves against lateral phishing attacks: security awareness training, advanced detection techniques, and two-factor authentication.

1. Security awareness training
Improving security awareness training and making sure users are educated about this new class of attacks will help make lateral phishing less successful. Unlike traditional phishing attacks, which often use a fake or forged email address to send the attack email, lateral phishing attacks are sent from a legitimate''but compromised''account. As a result, telling users to check the sender properties or email headers to identify a fake or spoofed sender, no longer applies. 

Users can often still carefully check the URL of any link before they click it to help them identify a lateral phishing attack. It is important that they check the actual destination of a link in any email, and not just the URL text that is displayed in the email.

2. Advanced detection techniques 
Lateral phishing represents a sophisticated evolution in the space of email-based attacks. Because these phishing emails now come from a legitimate email account, these attacks are becoming increasingly difficult for even trained and knowledgeable users to detect. Organisations should invest in advanced detection techniques and services that use artificial intelligence and machine learning to automatically identify phishing emails without relying on users to identify them on their own. 

3. Two-factor authentication
Finally, one of the most important things that organisations can do to help mitigate the risk of lateral phishing is to use strong two-factor authentication (2FA), such as a two-factor authentication app or a hardware-based token if available. While non-hardware based 2FA solutions remain susceptible to phishing, they can help limit and curtail an attacker''s access to compromised accounts.