Barracuda finds ATO widespread, used for phishing campaigns

Print Friendly, PDF & Email

Threat Spotlight: Barracuda study finds account takeover incidents widespread, most commonly used for phishing campaigns

This Threat Spotlight was authored by Asaf Cidon with research support from Grant Ho of the Barracuda Sentinel team.

Account takeover incidents, where attackers steal the credentials of employees and use them to send emails from the user's real account, are increasing in frequency and magnitude.  In this Threat Spotlight, we take a closer look at the motives and demographics behind these attacks.

In this Threat Spotlight, we examine Account Takeover attacks, where attackers attempt to steal user credentials in order to launch their own attacks from a legitimate but compromised business account. Click To Tweet

Highlighted Threat: 

Account Takeover – attackers attempt to steal user credentials in order to launch attacks from an internal account.

The Details:

Account takeover (ATO) attacks have multiple objectives.  Some attackers try to use the hacked email account to launch phishing campaigns that will go undetected, some attackers steal credentials of other employees and sell them in the black market, and others use the account to conduct reconnaissance to launch personalized attacks. The most sophisticated attackers steal the credentials of a key employee (e.g., CEO or CFO), and use them to launch a Business Email Compromise attack from the real employee's email address.

To better understand the extent of account takeover, Grant Ho, along with the Barracuda Sentinel team, ran a study on 50 randomly selected organizations. These organizations span different sectors, including private companies, public organizations, and educational institutions. These organizations reported account takeover incidents to us over a three month period, from the beginning of April until the end of June 2018. Note that this study may underestimate the number of real account takeover incidents, since some incidents may have taken place without the organization's knowledge.

Month April, '18 May, '18 June, '18 Total
Number of organizations that experienced account takeover 8 7 4 19
Number of spam incidents 3 5 2 10
Number of phishing incidents 13 30 4 47
Number of attachment incidents 1 2 0 3
Total number of account takeover incidents 17 37 6 60

The above table includes a summary of the incidents reported by these organizations. An account takeover incident is defined as an employee's email being used by an attacker to email other people, either internal employees or external parties.

Overall, in each month 4-8 organizations reported at least one account takeover incident, and the total number of incidents reported was 60. On average, when a company got compromised, the compromise resulted in at least 3 separate account takeover incidents, where either the same or different employees accounts were used for nefarious purposes.

We also analyzed the type of incidents. Out of the 60 incidents, 78% resulted in a phishing email. In these phishing emails, the goal of the attacker was typically to infect additional internal and external accounts. The email usually impersonates the employee and asks the recipient to click on a link. The attackers sometimes made the email appear as if the employee is sending an invitation to a link from popular web services, such as OneDrive or DocuSign.

Another 17% of incidents were used as platforms for sending spam campaigns. The reason attackers love using compromised accounts as vehicles for launching spam is that the accounts often have very high reputations: they are coming from reputable domains, from the correct IP, and from real people that have a legitimate email history. Therefore, they are much likely to get blocked by email security systems that rely on domain, sender or IP reputation.

Finally, 5% of incidents involved in the attacker asking the recipient to download an attachment. These incidents all involved internal email traffic. This attack is effective because most email security systems do not scan internal traffic for threats. Therefore, attackers can send malware with relative ease internally, and the recipients will often open the attachments, which will cause their endpoints to get infected.

We also analyzed the roles of the employees that got compromised. Over the 3 months, 50 different email accounts got compromised (some accounts were compromised multiple times). We include the results below.

Number of employees compromised 60
Percentage that were executives 6%
Percentage that were in sensitive departments 22%

Only 6% of the compromised employees were executives. In fact, the vast majority were in either entry-level or mid-management roles. This demonstrates that account takeover is a widespread phenomenon and is not just targeting high-level employees. In fact, often lower-level employees are better targets, because they have less cybersecurity training. In addition, given the fact that many incidents are used to phish other employees or external parties, the attackers are looking for any way they can get into the network, even if it's through a “lower-level” email account. Once they are through, they can exploit the reputation of the company and its brand to their advantage.

Although account takeover attacks are widespread, attackers continue to target the specific departments that have been the most lucrative in terms of information and financial gain.Click To Tweet

22% of the incidents occurred to employees in sensitive departments. Sensitive departments include HR, IT, finance and legal. The aggregate number of employees in these departments within the organizations we study is much lower than 22%. Therefore, this shows that while these incidents are widespread, there are still specific departments that attackers have a strong preference to go after because they are the most lucrative targets for information and financial theft.

Barracuda Resources:

Real-Time Spear Phishing and Cyber Fraud Defense — Barracuda Sentinel is the only solution in the market that can automatically prevent email account takeover.  It combines three powerful layers: an artificial intelligence engine that stops spear phishing attacks in real time, including emails that originate from within the company; domain fraud visibility using DMARC authentication to guard against domain spoofing and brand hijacking; and fraud simulation training for high-risk individuals.

User Training and Awareness — Employees should be regularly trained and tested to increase their security awareness of various targeted attacks. Simulated attack training is by far the most effective form of training.  Barracuda PhishLine provides comprehensive, SCORM-compliant user training and testing as well as phishing simulation for emails, voicemail, and SMS along with other helpful tools to train users to identify cyberattacks.

Read all Barracuda Threat Spotlight articles here.


Scroll to top