Conversation-hijack threat gets personal: security professionals speak out

News by Davey Winder

Unlike a typical business email compromise (BEC) attack, the hackers get an insider view of the organisation and its business deals, with the potential to cause impacts similar to BEC, but via a different route

Newly published research by Barracuda has revealed an upward trend in domain-impersonation attacks, of which typo-squatting is the best-known form. Nothing overly unusual about that, as 'near-enough' URLs have been a de rigueur part of the online fraudscape for the longest time. What caught our eye here at SC Magazine UK, however, is how threat actors are using domain-impersonation in one particular variety of attack: conversation-hacking.

Conversation-hacking (the term is used interchangeably with conversation-hijacking) occurs when a cyber-criminal inserts themselves into an existing business conversation. Alternatively, the perpetrator may start a new conversation using information gleaned from open-source intelligence (OSINT) or from compromised email accounts. More often than not, Barracuda says, conversation-hacking is one stage of an account-takeover attack: the compromised mailbox supplies the thread, the contacts and the context the attacker needs.

The Barracuda research, which analysed half a million email attacks per month, shows a 400 percent increase in domain-impersonation attacks used specifically to facilitate conversation-hacking. In July 2019, for example, around 500 such attacks were detected; by November that number had risen to more than 2,000.

Against the overall phishing landscape, such attacks represent what Barracuda refers to as an "extremely low" volume, but it warns that they are sophisticated and "very personalised, making them effective, hard to detect and costly."

Unlike your typical business email compromise (BEC) attack, Don Maclennan, SVP engineering and product at Barracuda Networks, told SC Media UK, "hackers have an insider view into organisation and business deals through a compromised email account. They will use this knowledge to insert themselves into and hijack the conversation at the right time, steering the conversation in the direction that will financially benefit them." These attackers will invest both time and money with the prospect of a profitable pay out. "Because the attacks are highly personalised in nature it can be very difficult to detect," Maclennan warns, "the damage could have already been done before the user realises it’s an attack."

Professor Steven Furnell, senior member of the IEEE, associate dean and professor of information security at University of Plymouth, agrees that such conversation hijacking attacks "essentially have the potential to lead to similar impacts to BEC, but via a different route." Professor Kevin Curran, senior IEEE member and professor of cybersecurity at Ulster University, meanwhile, says that the threat actors will utilise such advanced and more determined phishing methods if they are sure the target is a high-value account holder. Conversation-hacking "increases the chances of them having malicious email links clicked on," Curran says, "which lead in many cases to banking trojans becoming installed."

Whereas 'unsupported' phishing attacks are so generic they can easily be spotted and ignored, Curran continues, a conversation-hacking attack uses "relevant supporting information which tricks the victim." Mitigation requires a holistic, people-centric cyber-security approach that includes effective security awareness training and layered defences. "A simple mantra for employees is to trust no one," Curran says, "this is the number one step which can be taken to prevent conversation hacking."

This is an important point, as the attackers are often masters of their art. "The attackers only register the fake domain an hour before they initiate the attack, lowering the likelihood of automated tools recognising the faked site as dangerous," Tom Roberts, senior consultant at Pen Test Partners, told SC Media UK. They will also probably ask about things that would not normally be deemed sensitive. "Recent cases have seen requests made for Aged Debtors (next 30 days) reports," Roberts explains, "debtors are contacted with instructions to pay the outstanding amount to a new bank account. As the attacker has all the relevant details of the debt, they appear to be legitimate and the end company, i.e. the victim, is defrauded."

Because the entire attack window, from setting up the domain to conning the victim, can be under two hours, Roberts points out the attackers are not following traditional social engineering long-game tactics, "thereby avoiding blue team detection as by the time the issue is flagged, the scammers have cashed out and moved on to the next target." 
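The two signals above, a sender domain that is a near-miss of one the organisation already corresponds with and a domain registered only hours before the message arrives, are cheap to check at the mail gateway even if, as Roberts notes, reputation feeds have not caught up. The following Python script is an added example, not Barracuda's product logic nor anything the quoted researchers published. It assumes a small `TRUSTED_DOMAINS` list, a hard-coded set of second-level public suffixes in place of the full public-suffix list, and a constructed `REGISTRATION_DATES` dictionary standing in for an RDAP/WHOIS lookup so that it runs offline; the sample messages are constructed, not real traffic.

```python
"""Lookalike-sender triage for conversation-hijack attempts (added example).

Flags (1) From/Reply-To domains that are homoglyphs, typosquats or TLD swaps
of a trusted domain, (2) domains registered within the last few days, and
(3) a Reply-To domain that differs from the From domain.
"""
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parseaddr
import unicodedata

# Assumed: domains this organisation legitimately exchanges mail with.
TRUSTED_DOMAINS = {"example.com", "acme-supplies.co.uk"}

# Character sequences that read alike at a glance (simplified list).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("\u0131", "i")]

# Assumed second-level public suffixes (a real deployment uses the public-suffix list).
SECOND_LEVEL = {"co", "com", "org", "ac", "gov", "net"}

# Constructed stand-in for an RDAP lookup: domain -> registration time (UTC).
REGISTRATION_DATES = {
    "acme-supplies.co.uk": datetime(2012, 3, 4, tzinfo=timezone.utc),
    "acme-supp1ies.co.uk": datetime(2019, 11, 12, 8, 0, tzinfo=timezone.utc),
    "examp1e.com": datetime(2019, 11, 12, 7, 30, tzinfo=timezone.utc),
}


def normalise(domain):
    """Lower-case, NFKC-fold and collapse confusable sequences."""
    d = unicodedata.normalize("NFKC", domain.strip().lower().rstrip("."))
    for look, real in CONFUSABLES:
        d = d.replace(look, real)
    return d


def split_domain(domain):
    """Return (registrable label, suffix), e.g. acme.co.uk -> ('acme', 'co.uk')."""
    parts = domain.split(".")
    if len(parts) < 2:
        return domain, ""
    if len(parts) >= 3 and parts[-2] in SECOND_LEVEL and len(parts[-1]) == 2:
        return parts[-3], ".".join(parts[-2:])
    return parts[-2], parts[-1]


def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_findings(domain, trusted=TRUSTED_DOMAINS):
    """List of (trusted_domain, kind) for every trusted domain this one imitates."""
    findings = []
    if domain in trusted:
        return findings
    label, suffix = split_domain(normalise(domain))
    for t in trusted:
        t_label, t_suffix = split_domain(normalise(t))
        if label == t_label and suffix == t_suffix:
            findings.append((t, "homoglyph"))      # examp1e.com vs example.com
        elif label == t_label:
            findings.append((t, "tld-swap"))       # example.co vs example.com
        elif 0 < levenshtein(label, t_label) <= 2:
            findings.append((t, "typosquat"))      # exmaple.com vs example.com
    return findings


def triage_message(raw, now, registration_dates=REGISTRATION_DATES, max_age=timedelta(days=7)):
    """Score one RFC 5322 message; returns a dict with the reasons it was flagged."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    reasons, checked = [], set()
    for hdr, dom in (("From", from_domain), ("Reply-To", reply_domain)):
        if not dom or dom in checked:
            continue
        checked.add(dom)
        for trusted, kind in lookalike_findings(dom):
            reasons.append(f"{hdr} domain {dom} is a {kind} of {trusted}")
        registered = registration_dates.get(dom)
        if registered is not None and now - registered < max_age:
            age_h = (now - registered).total_seconds() / 3600
            reasons.append(f"{hdr} domain {dom} registered {age_h:.1f} hours ago")
    if from_domain and reply_domain and from_domain != reply_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return {"from": from_domain, "reply_to": reply_domain,
            "suspicious": bool(reasons), "reasons": reasons}


NOW = datetime(2019, 11, 12, 9, 0, tzinfo=timezone.utc)  # constructed "current time"

# Constructed sample messages (not real traffic).
HIJACK_REPLY = """From: Accounts <accounts@acme-supp1ies.co.uk>
Reply-To: accounts@acme-supp1ies.co.uk
To: ap@example.com
Subject: RE: Invoice 4471 - updated bank details

Further to our call, please use the new account below for the outstanding balance.
"""
LEGIT_REPLY = """From: Accounts <accounts@acme-supplies.co.uk>
To: ap@example.com
Subject: RE: Invoice 4471

Thanks, received.
"""

if __name__ == "__main__":
    for name, raw in (("hijack", HIJACK_REPLY), ("legit", LEGIT_REPLY)):
        print(name, triage_message(raw, NOW))
```

The edit-distance threshold and the confusable list are deliberately small; in production they need tuning against the organisation's real correspondent list to keep false positives down, and the registration-date lookup should query RDAP with caching so that the check itself does not become a timing side channel for the attacker.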

We will leave the final 'trust no one' mitigation word with Javvad Malik, security awareness advocate at KnowBe4, who told SC Media UK that staff should always "exercise caution and drop a quick note out of bounds, either by SMS or a phone call, to the person asking if it is genuine as well as reporting the email as suspicious using internal reporting processes."
