In recent months we have seen a significant rise in email account takeover attacks taking place in the UK.
Email account takeover may not be an attack that is regularly featured in media headlines, but it can be devastating for its victims and very hard to spot.Barracuda Sentinel has been detecting a large number of phishing campaigns that use legitimate compromised accounts in the UK.Click To Tweet
How the attack works
Account takeover attacks involve criminals stealing the login credentials of an employee of an organization, remotely logging in to their account and launching attacks pretending to be them.
The attacks they launch are most commonly phishing campaigns that will often go undetected by security solutions as they appear to be genuine emails.
Over the last few weeks, we have specifically been seeing a large number of mass phishing campaigns that use legitimate compromised accounts from UK based organizations.
In this post, we survey some anonymized examples of these attacks.
Example 1: Attackers leverage major UK university’s reputation to send phishing attacks that bypass email gateways
In this example, the attackers managed to gain entry into a faculty member of a major UK university’s email account. They used it to send a phishing email to a US-based company with an email claiming that their email account had been deactivated, in order to steal the target’s credentials. This email bypassed the email system defenses because the attack was coming from a legitimate, high reputation sender.
Example 2: UK online retailer compromised, used to impersonate Office 365 90 times
Example 3: UK-based IT provider email account used to impersonate an employee
In this example, the attackers compromised an email account of a reputable UK-based IT provider. They then used that account to send an email impersonating an employee from the target’s company, trying to get them to click on a link. Notice in this example that they fake an email thread, to try to get the employee to believe the email is legitimate. The link itself leads to a compromised website that tries to download malware to the target’s device. Multi-factor authentication (MFA) is imperative to stop these account takeover attacks. Click To Tweet
What can you do to protect yourself?
- Crucially, traditional email security filters cannot detect and prevent account takeover, because they do not monitor and stop malicious internal communication. Barracuda Sentinel is the industry’s first solution that can automatically prevent, detect and remediate account takeover using artificial intelligence. Its unique API-based architecture allows Barracuda Sentinel to monitor and stop malicious internal communication.
- Another essential aspect of protecting yourself against account takeover and other sophisticated email-borne attacks is training and awareness. Barracuda PhishLine provides continuous simulation and training to help employees understand the latest attack techniques and recognize subtle clues.
- It may sound basic, but using strong passwords (ideally with a password manager) and is a great way to decrease the probability of email accounts getting compromised. Good passwords are long, unpredictable and complex, using a combination of uppercase letters, lower case letters, numbers, and special characters.
- Multi-factor authentication (MFA), where two forms of authentication are needed to log in to an account is imperative to stop these kinds of attacks taking place. MFA means that even if a user’s login credentials are stolen, without the trusted device, an attacker cannot access the account, and if a user’s device is taken, the attacker cannot access the account without the login credentials.
Stop impersonation and email account takeover with Barracuda Sentinel.
Asaf Cidon is vice president of content security services at Barracuda Networks. In this role, he is one of the leaders for Barracuda Sentinel, the company's AI solution for real-time spear phishing and cyber fraud defense. Barracuda Sentinel utilizes artificial intelligence to learn the unique communications patterns inside customer organizations to identify anomalies and guard against these personalized attacks. Asaf was previously CEO and co-founder of Sookasa, a cloud storage security startup that was acquired by Barracuda. Prior to that, he completed his PhD at Stanford, where his research focused on cloud storage reliability and performance. He also worked at Google’s web search engineering team. Asaf holds a PhD and MS in Electrical Engineering from Stanford, and BSc in Computer Engineering from the Technion.