Lateral phishing uses real accounts for bogus campaigns

Phishing campaigns gain strength by moving from forging mail to compromising legitimate accounts

Since the democratisation of the internet, cyber-security experts have been continuously improving their defences against phishing. Even so, attackers keep succeeding with it, and the latest addition to their arsenal is lateral phishing.

Teaming up with leading researchers at UC Berkeley and UC San Diego, Barracuda researchers discovered this new and growing type of account takeover attack, which they detailed in an in-depth study report. According to the study, one in seven organisations experienced lateral phishing attacks over the past seven months. 

"In a lateral phishing attack, adversaries leverage a compromised enterprise account to send phishing emails to other users, benefitting from both the implicit trust and the information in the hijacked user’s account," the report explained.

More than 60 percent of the target organisations had multiple compromised accounts, even dozens in some cases, boosting the scope of the attack. Researchers spotted 154 hijacked accounts that together sent hundreds of lateral phishing emails to more than 100,000 unique recipients, said the report.

"One of the most striking aspects of this emerging attack is the scale of potential victims that the attackers target. In total, attackers attempted to use the hijacked accounts to send phishing emails to more than 100,000 unique recipients," said Asaf Cidon, senior VP at Barracuda Networks.

"While roughly 40 percent of these recipients were fellow employees at the same company as the hijacked account, the remaining 60,000 recipients spanned a range of victims: from personal email addresses that might have been drawn from the hijacked account’s contact book to business email addresses of employees at partner organisations," he said. 

Another easy way of entry was by compromising the supply chain, noted Cidon. "Obviously if the email is coming from a trusted supplier, it is likely to get opened. If the attacker is asking for an overdue payment, they are likely to get the money relatively easily."

To make the most of the trust factor, attackers chose peak hours of working days to send their phishing emails, noted the report. The attack was not confined to business organisations alone.

Cidon cited the example of a higher-education institution, whose email system was infiltrated when the attackers sent one of the students a phishing email, pretending to come from Microsoft Outlook and alerting them to a fake security incident in their account.

"The student believed the email was legitimate, and clicked on the link, which took them to a website owned by the attackers that looked exactly like the Outlook login page. The student then entered their email and password, which gave the attackers access to the student's account," he elaborated.

The attackers took the student's password and logged in remotely to the student's O365 Outlook account. Initially they sent hundreds of internal phishing emails to students, faculty and staff over a period of several days, which allowed them to steal the passwords of dozens of other accounts. Then they started sending phishing campaigns from the compromised accounts to thousands of other recipients in external organisations, such as banks, healthcare companies and government institutions.

"Since the email came from the school's domain, it was viewed as trusted by the third-party email providers, which did not stop it as spam or phishing. We presume that this led to even further compromised accounts," said Cidon.

Phishing continues to be the preferred method for criminals to pluck low-hanging fruit. The Financial Crimes Enforcement Network (FinCEN), USA, this week said that email scammers are making at least £240 million in untaxed takings every month in the US alone. According to the agency, the number of suspicious activity reports describing business email compromises more than doubled to over 1,100 per month last year, from around 500 per month in 2016.

Organisations have to increasingly invest in continuous cyber-security education of their human capital, said Ilia Kolochenko, founder and CEO of ImmuniWeb.

"No technology can resolve or mitigate all risks and threats without well-prepared people behind it. Contrariwise, even with imperfect or flawed technology, learned people will easily repel most of the phishing and similar attacks," he said. 

Security awareness training is the most important step in countering phishing, agreed Cidon. "Unlike traditional phishing attacks, which often use a fake or forged email address to send the attack email, lateral phishing attacks are sent from a legitimate but compromised account. As a result, telling users to check the sender properties or email headers to identify a fake or spoofed sender no longer applies," he said.

"From a technology standpoint, organisations should invest in continuous security monitoring practices. Yearly or even quarterly audits are insufficient to resist the growing volume and sophistication of cyber-crime," said Kolochenko.

Installing advanced detection techniques and putting two-factor authentication in place are equally important, Cidon said. "While non-hardware-based 2FA solutions remain susceptible to phishing, they can help limit and curtail an attacker’s access to compromised accounts."
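The pattern in the university case above (one hijacked account fanning out to hundreds of internal recipients, then to thousands of external ones) is visible in outbound mail logs, which is the kind of continuous monitoring the quotes above call for. The following is an added Python example, not code from Barracuda or the study: it groups constructed sent-mail records per sender and day, counts unique recipients and distinct external domains, and flags accounts whose fan-out exceeds an assumed baseline. The home domain example.edu, the log format and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HOME_DOMAIN = "example.edu"  # assumed home domain of the monitored organisation


def build_sample_log():
    """Constructed sent-mail records: '<ISO timestamp> <sender> <recipient>'."""
    base = datetime(2019, 7, 15, 9, 0)
    lines = []
    # A normal user: a handful of messages, one to a partner organisation.
    for i, rcpt in enumerate(["bob@example.edu", "carol@example.edu", "dave@partner.example"]):
        lines.append(f"{(base + timedelta(minutes=30 * i)).isoformat()} alice@example.edu {rcpt}")
    # A hijacked student account: 80 internal recipients during the morning,
    # then 120 external recipients across 40 domains in the afternoon.
    for i in range(80):
        lines.append(f"{(base + timedelta(minutes=3 * i)).isoformat()} student1@example.edu user{i}@example.edu")
    for i in range(120):
        ts = base + timedelta(minutes=240 + 2 * i)
        lines.append(f"{ts.isoformat()} student1@example.edu contact{i}@ext{i % 40}.example")
    return lines


def sender_day_stats(lines, home_domain=HOME_DOMAIN):
    """Unique recipients, external recipients and external domains per (sender, day)."""
    rcpts_by_key = defaultdict(set)
    for line in lines:
        ts, sender, rcpt = line.split()
        rcpts_by_key[(sender.lower(), ts[:10])].add(rcpt.lower())
    stats = {}
    for key, rcpts in rcpts_by_key.items():
        external = {r for r in rcpts if r.rsplit("@", 1)[1] != home_domain}
        stats[key] = {
            "unique": len(rcpts),
            "external": len(external),
            "external_domains": len({r.rsplit("@", 1)[1] for r in external}),
        }
    return stats


def flag_lateral_phishing(stats, max_unique=50, max_external_domains=10):
    """Assumed baseline: one account rarely reaches 50 distinct recipients and
    10 distinct external domains in a single day; exceeding both is flagged."""
    return sorted(key for key, s in stats.items()
                  if s["unique"] >= max_unique and s["external_domains"] >= max_external_domains)


if __name__ == "__main__":
    stats = sender_day_stats(build_sample_log())
    for sender, day in flag_lateral_phishing(stats):
        print(f"{day} {sender}: {stats[(sender, day)]}")
```

In a real deployment the baseline would be learned per account from its own sending history rather than fixed, and the working-hours timing noted in the report does not by itself distinguish a hijacked account from a busy one.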
