Earlier this year Barracuda teamed up with researchers at UC Berkeley and UC San Diego to explore the growing trend of lateral phishing. In this type of attack, cybercriminals use hijacked accounts they’ve recently compromised to send phishing emails to an array of recipients, ranging from close contacts within the company to partners at other organizations. The research found that 1 in 7 organizations experienced lateral phishing attacks in a seven-month period.
For more details on account takeover and lateral phishing, check out the Threat Spotlight, download the Spear Phishing: Top Threats and Trends – Vol. 2, or register for the free on-demand webinar with Asaf Cidon, Barracuda advisor and professor of electrical engineering and computer science at Columbia University.
To get a closer look at this research, we spoke with Grant Ho, the UC Berkeley researcher who worked closely with the Barracuda team on the project. At this year’s USENIX Security conference Grant presented on the paper the team published about lateral phishing. The paper earned a distinguished paper award at the conference, an honor given to less than 1% of submitted papers.
Q: Tell me about how you chose the topic. Why focus on lateral phishing?
GH: Anecdotally, we’d heard about this kind of attack more and more over the years, lateral phishing from compromised or hijacked employee accounts. In my work a few years ago on detecting spear-phishing attacks, we had seen some of this kind of phishing but not a whole lot. Over four years of data we’d only seen really two of these sorts of attacks. So, we knew that it existed, and we had heard that it was growing, but no one really understood how significant the threat was or ways to practically defend against this sort of attack as it evolved. The big barrier was we didn’t have any data.
Asaf [Cidon] and Lior [Gavish], who were wonderful Barracuda hosts for this research project, saw one of these talks on my old work, and after the talk they asked about this problem of lateral phishing and what my thoughts were. We kept talking about working together, and Asaf and Lior assured me that Barracuda was very much interested in supporting cutting edge research and building better state-of-the-art defenses and that this project would be something we’d be able to publish for the broader community’s benefit. It sounded like an amazing opportunity to have real-world impact on real data with collaborators in an organization that would support research, so it was too good of an opportunity to pass up.Find out what two discoveries surprised researchers the most in Barracuda’s recent research on #AccountTakeoverClick To Tweet
Q: What surprised you as you started to dig in and do the research?
GH: One thing that stood out to me was how widespread this kind of attack was. In my head, I thought because lateral phishing involves an already compromised employee’s account, that it might affect 1 in every 100 organizations or 5 in every 100 organizations. It turned out there were many more organizations that we found that were encountering this threat in the wild. 1 out of 7 organizations suffered from this kind of attack, across dozens of organizations in our study. That statistic was very surprising to me. It was a lot larger than I expected.
In our analysis we tried to study how attackers are strategizing and crafting their attack, so we looked at things like how tailored are they making their messages, how are they choosing the victims they target, what kind of other behaviors are they doing in the accounts. So, the paper goes into more detail, but what they were investing time and effort in wasn’t necessarily what I thought they would have been doing initially. That was another surprise.
Q: What did you think they’d be spending their time on?
GH: I thought they would have been taking those hijacked accounts, reading through their emails, and trying to craft very, very personalized messages to their victims. Some of the attackers were crafting sophisticated messages, so we did see some of that, but by and large, these attackers were using fairly commonplace messages that weren’t very tailored to their victims. They were sending things like “Please view this attached work schedule” or “Please open this invoice.” They were definitely things that people encounter in everyday business dealings, but they’re not so specific. In retrospect, it makes sense that so many attackers would use this strategy because it’s something that in an enterprise setting you would totally expect to get from a colleague. So, it was interesting to see that once attackers have a hijacked account they don’t need to make things super personalized because there are many kinds of generic, everyday things that appear at every organization, and attackers can reuse this storyline to trick their victims because it is so common.3 key lessons on #AccountTakeover. See what researchers think you should learn from this recent @Barracuda research #EmailSecClick To Tweet
Q: What do you think are the most important lessons from this study? What do businesses need to know?
GH: At a high level many organizations right now think about defending their organization at their border. In other words, they think about attacks coming from outside people, external entities. What lateral phishing does is it turn that paradigm on its head because these attacks are coming from already compromised victims and employees within the organization. And, so much defensive technology has been thinking about defending against external attacks. This work with Barracuda was to say, OK, let’s begin to develop technology or push the existing technology to incorporate these kinds of threats.
One hypothesis we have is that attackers are becoming more and more attuned to the fact that people and defensive systems are honed in on defending against external attacks, and so if they’re just able to get within the organization by compromising someone then it is so much easier and much more effective to launch an attack from there. So, this idea that we need to not just defend against external threats but also defend against threats that come from within is very valuable
Another lesson is that phishing is becoming harder and harder for users to detect, through no fault of their own. We have told users different pieces of phishing advice for so long that attackers are evolving. For example, one common piece of phishing advice is “Check that the sender is actually who they are, and not some cleverly spoofed or forged or masqueraded identity.” But, in a lateral phishing attack, that is not going to help you. These attackers are using a real person’s account that they’ve compromised and hijacked. So, we need automated systems to help defend against these attacks because they’re becoming increasingly more difficult for any user, security-trained or not, to self-identify.
Anne Campbell is the public relations manager for Barracuda. She's been with the organization since 2014, working on content and public relations for Barracuda MSP, the MSP-dedicated business unit of Barracuda. She started her career in newspaper and magazine journalism, and she brings that editorial point of view to the work she does, using it to help craft compelling stories.