Beware of this sneaky phishing technique now being used in more attacks

Security company researchers warn of a large increase in conversation-hijacking attacks. Here's what they are and how to spot them.
Written by Danny Palmer, Senior Writer

There's been a large rise in cyber criminals using a particular phishing technique to trick workers into unwittingly installing malware, transferring money or handing over their login credentials.

In conversation-hijacking attacks, hackers infiltrate real business email threads by exploiting previously compromised credentials –perhaps purchased on dark web forums, stolen or accessed via brute force attacks – before inserting themselves into the conversation in the guise of one of the group.

"Once they gain access to the account, attackers will spend time reading through conversations, researching their victims and looking for any deals or valuable conversations they can insert themselves," Don Maclennan, SVP for engineering and product at Barracuda Networks told ZDNet.

SEE:  A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic) 

The idea is that by using a real identity and by mimicking the language that person uses, the phishing attack will be viewed as coming from a trusted colleague and is thus much more likely to be successful.

Cyber criminals are leaning hard on this attack technique as a means of compromising businesses, according to new research from Barracuda Networks. Analysis of 500,000 emails showed that conversation hijacking rose by over 400% between July and November last year.

While conversation-hijacking attacks are still relatively rare, the personal nature means they're difficult to detect, are effective and potentially very costly to organisations that fall victim to campaigns.

For cyber criminals conducting conversation-hijacking attacks, the effort involved is much greater than simply spamming out phishing emails in the hope that a target clicks, but a successful attack can potentially be highly rewarding.

In most cases, the attackers won't directly use the compromised account to send the malicious phishing message – because the user could notice that their outbox contains an email that they didn't send.

However, what conversation hijackers do instead is attempt to impersonate domains, using techniques like typo-squatting – when a URL is the same as the target company, save for one or two slightly altered changes.

But by using a real name and a real email thread, the attackers are hoping that the intended target won't notice the domain is slightly different and that they'll follow the request that's coming from their supposed contact, perhaps a colleague, customer, partner or vendor.

In some cases, it's been known for conversation hijackers to communicate with their intended victims for weeks in order to ensure trust is built up.

At some point, the attacker will make their move and try to trick the victim into transferring money, sensitive information or potentially installing malware.

"These attacks are highly personalized, including the content, and therefore a lot more effective. They have the potential of a very large payout, especially when organizations are preparing to make a large payment, purchase or an acquisition," said Olesia Klevchuk, senior product manager for email security at Barracuda Networks. 

"There is a great chance that someone will fall for a conversation-hijacking attack over a more traditional type of phishing," she added.

SEE: Windows 7 end of life: Security risks and what you should do next

However, while conversation-hijacking attacks are more sophisticated than regular phishing attacks, they're not impossible to spot. Users should pay attention to the email address a message is coming from and be suspicious if the domain is slightly different compared to what they're used to seeing.

Users should also be wary of sudden demands for payments or transfers and, if there's doubt about the origin of the request, they should contact the person requesting it, either in person, by phone or by starting a new email to their known address.

Organisations can also protect their employees from these attacks by implementing two-factor authentication, because by adding this extra layer, even if login credentials are stolen, attackers can't use them to conduct further attacks.


Editorial standards