This Threat Spotlight was co-authored by Asaf Cidon and Grant Ho of the Barracuda Sentinel team.
Account takeover continues to be one of the fastest growing email security threats, but attackers are starting to adapt, introducing new ways to exploit compromised accounts.
Teaming up with leading researchers at UC Berkeley and UC San Diego, Barracuda researchers uncovered a new and growing type of account takeover attack: lateral phishing. The study found that 1 in 7 organizations experienced lateral phishing attacks over the past seven months.
Of the organizations that experienced lateral phishing, more than 60 percent had multiple compromised accounts. Some had dozens of compromised accounts that sent lateral phishing attacks to additional employee accounts and users at other organizations. In total, researchers identified 154 hijacked accounts that collectively sent hundreds of lateral phishing emails to more than 100,000 unique recipients.
Lateral Phishing — Attackers use hijacked accounts they’ve recently compromised to send phishing emails to an array of recipients, ranging from close contacts within the company to partners at other organizations.
One of the most striking aspects of this emerging attack is the scale of potential victims that the attackers target. In total, attackers attempted to use the hijacked accounts to send phishing emails to over 100,000 unique recipients.
While roughly 40 percent of these recipients were fellow employees at the same company as the hijacked account, the remaining 60,000 recipients spanned a range of victims: from personal email addresses that might have been drawn from the hijacked account’s contact book to business email addresses of employees at partner organizations.
Due to the implicit trust in the legitimate accounts they’ve compromised, attackers often use compromised accounts to send lateral phishing emails to dozens, if not hundreds, of other organizations so they can spread the attack more broadly. However, by targeting such a wide range of victims and external organizations, these attacks ultimately lead to increasingly large reputational harm for the initial victim organization.
In an upcoming study, we will dive deeper and explore the range of content, strategies, success, and sophistication that these lateral phishing attacks exhibit. A full-length paper on this research will also be presented at the USENIX Security Symposium, one of the top conferences for security research.
How to defend against lateral phishing
There are three critical precautions you can take to help protect your organization against lateral phishing attacks: security awareness training, advanced detection techniques, and two-factor authentication.
1. Security awareness training
Improving security awareness training and making sure users are educated about this new class of attacks will help make lateral phishing less successful. Unlike traditional phishing attacks, which often use a fake or forged email address to send the attack email, lateral phishing attacks are sent from a legitimate, but compromised, account. As a result, telling users to check the sender properties or email headers to identify a fake or spoofed sender no longer applies: the sender, the headers, and the authentication results (SPF, DKIM, DMARC) are all genuine.
Users can often still identify a lateral phishing attack by carefully checking the URL of any link before they click it. It is important that they check the actual destination of a link (the href target, shown in the status bar or tooltip when hovering), and not just the URL text that is displayed in the email, since the two can differ.
2. Advanced detection techniques
Lateral phishing represents a sophisticated evolution in the space of email-based attacks. Because these phishing emails now come from a legitimate email account, these attacks are becoming increasingly difficult for even trained and knowledgeable users to detect. Organizations should invest in advanced detection techniques and services that use artificial intelligence and machine learning to automatically identify phishing emails without relying on users to identify them on their own.
3. Two-factor authentication
Finally, one of the most important things that organizations can do to help mitigate the risk of lateral phishing is to use strong two-factor authentication (2FA), such as an authenticator app or, where available, a hardware-based token. Non-hardware-based 2FA remains susceptible to phishing, because a one-time code can be captured and relayed by the attacker in real time, but it still limits and curtails an attacker's access to compromised accounts.
Asaf Cidon is a professor of electrical engineering and computer science at Columbia University and a Barracuda adviser. He previously served as vice president of content security services at Barracuda Networks. In this role, he was one of the leaders for Barracuda Sentinel, the company's AI solution for real-time spear phishing and cyber fraud defense. Asaf was previously CEO and co-founder of Sookasa, a cloud storage security startup that was acquired by Barracuda. Prior to that, he completed his PhD at Stanford, where his research focused on cloud storage reliability and performance. He also worked at Google’s web search engineering team. Asaf holds a PhD and MS in Electrical Engineering from Stanford, and BSc in Computer Engineering from the Technion.