Threat Spotlight: Bait attacks
As attackers work to make their phishing attacks more targeted and effective, they’ve started researching potential victims, working to collect information that will help them improve the odds that their attacks will succeed. Bait attacks are one technique attackers are using to test out email addresses and see who’s willing to respond.
Based on analysis by Barracuda researchers, just over 35% of the 10,500 organizations analyzed were targeted by at least one bait attack in September 2021, with an average of three distinct mailboxes per company receiving one of these messages.
Here’s a closer look at the ways that attackers are using bait attacks and the techniques they’re using to avoid getting caught, as well as solutions to help you detect, block, and recover from these types of attacks.
Bait attacks — Bait attacks are a class of threats where the attackers attempt to gather information they can use to plan future targeted attacks.
The bait attacks, also known as reconnaissance attacks, are usually emails with very short or even empty content. The goal is to either verify the existence of the victim’s email account by not receiving any "undeliverable" emails or to get the victim involved in a conversation that would potentially lead to malicious money transfers or leaked credentials.
Because this class of threats barely contains any text and does not include any phishing links or malicious attachments, it is hard for conventional phishing detectors to defend against these attacks.
Moreover, to avoid being detected, the attackers typically use fresh email accounts from free services, such as Gmail, Yahoo, or Hotmail, to send the attacks. Attackers also rely on a low volume, non-burst sending behavior in an attempt to get past any bulk or anomaly-based detectors.
While the number of bait attacks is still low overall, they are not unusual. Based on analysis by Barracuda researchers, just over 35% of the 10,500 organizations analyzed were targeted by at least one bait attack in September 2021, with an average of three distinct mailboxes per company receiving one of these messages.
While it is known that bait attacks usually precede some sort of targeted phishing attack, our research team ran an experiment by replying to one of the bait attacks that landed in one of our employee's private mailboxes.
The original attack on August 10, 2021 was an email with a subject line ‘HI’ and an empty body content.
As part of the experiment, the Barracuda employee then replied on August 15, 2021 with an email containing, "Hi, how may I help you?" Within 48 hours on August 17, 2021, the employee received a targeted phishing attack. The original email was designed to verify the existence of the mailbox and the willingness of the victim to respond to email messages.
How to protect against bait attacks?
Deploy AI to identify and block bait attacks. Traditional filtering technology is largely helpless when it comes to blocking bait attacks. The messages carry no malicious payload and usually come from Gmail, which is considered highly reputable. AI-based defense is a lot more effective. It exploits data extracted from multiple sources including communication graphs, reputation systems, and network-level analysis to be able to protect against such attacks.
Train your users to recognize and report bait attacks. Some of these attacks may still land in users’ inboxes, so train your users to recognize these attacks and not reply. Include examples of bait attacks in your security awareness training and simulation campaigns. Encourage users to report these to your IT and security teams.
Don’t let bait attacks sit inside users’ inboxes. When bait attacks are identified, it’s important remove them from users’ inboxes as quickly as possible before users open or reply to the message. Automated incident response can help identify and remediate these messages in minutes, preventing further spread of the attack and helping to avoid making your organization a future target.
This Threat Spotlight was authored by Olesia Klevchuk with research support from Mohamed Ibrahim, Principal Machine Learning Engineer.