An account takeover is a scenario where an attacker manages to obtain a credential of an employee’s email system. They can obtain that credential in various ways: they may have phished that employee, or just have bought that credential from somewhere (the dark net), or maybe that employee used the same passwords in multiple different systems and one of the systems was leaked.
Worryingly, this type of threat has been increasing across customer bases. Once hackers obtain the email credential, they can login remotely as that employee and cause carnage. They could send emails on behalf of that employee or get people to click on phishing links — weakening the stability of any company.
>Read more on Who is responsible for cyber security in the enterprise
“Sometimes the attackers actually just use that email to do reconnaissance against the organisation, porting out all the emails of that employee and using that knowledge to launch attacks,” says Asaf Cidon, Vice President, Email Security at Barracuda Networks.
“It’s probably the attack that if you poll a random selection of customers, that’s what they’re most worried about on the email side.”
“This is the attack that is really damaging because once the attacker gets in the door of the email system, they basically have access to all the information of the company and they can impersonate identities of actual employees and existing email security systems are quite bad at catching these types of attacks,” he says.
The rise of account takeovers
Why is this type of attack on the rise?
These types of attacks could have existed for a long time, and they’re not that sophisticated. All an attacker needs to do is login on someone else’s email account — “It’s not rocket science,” says Cidon.
“We theorise that there’s a few reasons why these attacks are now becoming more popular,” according to Cidon. “I think, first, these attacks are easier to execute when the organisation’s email system is on the cloud, and a lot of organisations have moved to Office 365 [in the cloud].”
>Read more on the The main challenges of cyber security
“Another one, which again is speculative, is that we have been seeing that ransomware is dropping as a concern for a lot of companies, because the defences are pretty good against, it. Ransomware is something they’re less worried about now than they used to be a year ago. So, we suspect that ransomware is probably [becoming a less] economically viable form of cyber criminality, and so attackers have been shifting their resources to other forms of attacks, like account takeover.”
This form of attack, along with business email compromise or phishing are more effective for attackers, in terms of extracting money or information that they can sell.
Artificial intelligence needed for email security best practice?
There is a general assumption that cyber attackers will target more sensitive industries, such as finance or healthcare; or, that the people being targeted would be in sensitive positions, such as in HR or finance.
But, according Cidon and a Barracuda survey on the subject, these assumptions are wrong. These attacks affect customers broadly, and basically every single industry is impacted, including; private industry, manufacturing, healthcare, finance, professional services, construction, public companies, educational institutions (schools and universities get attacked frequently), local government and larger government entities.
“We were just talking to a customer last week who has a company with something like 50 employees, and they were getting hit with this attack. So there’s no specific pattern,” reveals Cidon.
“I don’t think any companies can rest assured that they won’t get attacked, just because of the sector. And company size also doesn’t seem to be a factor. Larger companies will see more attacks, statistically, because they have more employees; but small companies are also getting attacked quite frequently.”
Interestingly, good domain authority is like honey to hackers. Even if it is not a large company, a good domain authority ensures that hackers — once the credentials are stolen — can launch subsequent attacks on other companies an organisation works with or just in general companies in the Internet.
The reason? A phishing email sent from a compromised account (of a company or person with good domain authority) is much more likely to not to get blocked when it’s being sent. It will have a higher chance of success, as the major email systems will give it a high (safety) score.
In the UK, specifically, “we’ve seen large UK-based universities that are being used almost as phishing or spam launch pads where the attackers will compromise a large number of accounts in the university and then use those accounts to try to phish; oftentimes entities outside the UK or in the UK, with large private companies or multinationals,” says Cidon.
“The reason these attacks are effective is because those universities have a very high reputation in terms of their domain. So the email recipients are usually going to classify them as high reputation and let the email through. So we’ve seen a lot of activity out of the UK around account takeover.”
Today, attackers are trying to get more and more credentials in order to sell them. And, any company or institution can be a vehicle for that — hence the rise in account takeovers.
Preventing account takeover
Following some cyber security best practices around securing credentials is important in preventing account takeover. This includes setting up multi-factor authentication, using a password manager and ideally not repeating passwords across different sites and services. These are all crucial.
Security awareness training is another mechanism that should be part of cyber security best practice. These training programmes should simulate phishing attacks against employees, simulate incident response and what happens if an account does get compromised.
However, even with two factor authentication, a strong password and good cyber security training, attackers can always compromise an endpoint, for example, and use it to log into an email system. Even with fully secure passwords, an employee is never totally secure.
To combat this, Barracuda have “launched a solution specifically for account takeover,” says Cidon. “The Barracuda Sentinel product uses artificial intelligence to detect when there’s anomalous behaviour within employee accounts. So, for example, if an employee suddenly blasts a bunch of people that they have never communicated with in the past, that would be suspicious behaviour. Our system would detect that and then also take action. It would basically delete those emails and make sure that other employees don’t get infected.”
“We have some three thousand people actively on our network, sending emails every single day at Spring Arbor, which places a very large target on our users and networks,” explains Chris Blackstone, CIO at Spring Arbor University.
“Today’s cybercriminals are increasingly sophisticated, and we quickly found that typical email security solutions were not effective against these highly targeted attacks. We looked at several solutions on the market and selected Barracuda Sentinel. Barracuda Sentinel utilises cutting-edge artificial intelligence to stop these attacks in real time, and does so in a way that does not impact our network performance or users, which is critical with a large and diverse user base.”
“We take pride in knowing that Spring Arbor offers an environment where our students can take advantage of the latest and greatest tools and technologies to further their education. The same holds true in today’s evolving threat landscape: you have to stay on top of the latest technologies in order to protect your people and your assets. Since implementing Sentinel, we’ve been able to stop several of these targeted attacks in real time.”