This sneaky type of phishing is growing fast because hackers are seeing big paydays

Researchers warn about an increase in conversation hijacking emails, where hackers abuse accounts of people you trust to send you phishing links and malware.
Written by Danny Palmer, Senior Writer

There's been a steep rise in phishing attacks that hijack legitimate, ongoing conversations between users to steal passwords, steal money, deliver malware and more. 

Phishing attacks have been a cybersecurity issue for a long time, with criminals sending out waves of emails in an attempt to dupe victims into clicking on malicious links, downloading malware or handing over their passwords via fake login portals.  

They range from basic, generic attacks claiming that the victim has won a prize and they just need to click a link to retrieve it, to more targeted campaigns that send corporate emails designed to look legitimate for the intended target. For example, it's common for cyber criminals to send emails posing as the company's CEO to that company's employees in an attempt to trick the user into following orders from their 'boss'. 

SEE: Cybersecurity: Let's get tactical (ZDNet special report)  

But increasingly, cyber criminals are looking to exploit the actual email accounts of real users by hacking into accounts and hijacking ongoing conversations in order to send phishing emails.  

These conversation hijacking attacks have the potential to be more effective because the source of the email is someone the victim trusts and the message comes as part of an ongoing thread, so doesn't look as suspicious as an unexpected email coming out of the blue and asking for a file to be downloaded or a link to be clicked. 

According to cybersecurity researchers at Barracuda Networks, conversation hijacking attacks grew by almost 270% in 2021 alone. 

These attacks begin by hackers taking over the email account of a victim, which the attackers can then use to lure other victims into responding to messages. 

Once in control of an account, the attackers take the time to read their emails and monitor their ongoing communications to understand more of the day-to-day activities of the user, such as how they communicate with internal and external contacts, along with gaining information about business operations, payment procedures and potential deals in progress. 

Cyber criminals use this information to craft authentic-looking and convincing messages that appear in ongoing conversations, asking users to click a malicious link or download a malicious attachment – all in the correct context of the situation. 

Conversation hijacking attacks take more time and effort than regular phishing attacks – but for the cyber criminals, patience can be extremely rewarding. 

"Although there is a lot of upfront work, when conversation hijacking is done "right," it can have a huge payout for cyber criminals. The number is growing because it's very difficult to detect, success rates can be high and payouts are big," Mike Flouton, VP of product management at Barracuda Networks, told ZDNet.  

While conversation hijacking only makes up a small number of social engineering attacks – researchers say they account for 0.3% - the high success rate of the attacks means that it's likely that more cyber criminals will turn to them. 

"I expect that the number of these instances will continue to grow in the coming years," said Flouton. 

But like with other phishing attacks, it's possible to protect users from conversation hijacking attacks.

SEE: How Russia's invasion of Ukraine threatens the IT industry

Strong passwords should be applied to accounts, so hackers can't easily crack them. Users should also use multi-factor authentication to add an extra barrier to cyber criminals simply being able to log in to accounts with stolen passwords. And if a password is suspected of being stolen, it should be changed. 

For organisations, it's recommended that account-takeover protection is applied and that inboxes and networks are monitored to register suspicious activity, particularly if logs show that the user has seemingly accessed their account from a new location or a different time zone. Staff should also be trained to recognise and report suspected phishing attacks. 

Ultimately, the reason conversation hijacking attacks are being deployed is because they're successful. Therefore, organisations and their information security teams should have plans in place about how to deal with a successful attack.  
"Make sure you are prepared for a cyberattack – have a well thought out response plan in place that will help you recover quickly," said Flouton. 


Editorial standards