The lurking danger of hacked email reply chains

Although phishing has been around in various forms since the 1990s, recent news has shown that it continues to evolve – and remains a major threat. These days, phishing tactics are so sophisticated it can be difficult to spot a scam – particularly in the case of hijacked email reply chains.

This approach sees a cybercriminal gain access to a colleague’s or supplier’s email account. The criminal then jumps into a legitimate email conversation, adding a fake message that pushes malware.

What factors create trust?

Believability is the key difference between a regular phishing attack and a hijacked email chain. The criminals behind these campaigns take their time breaking into email accounts, watching business conversations, negotiations, and transactions. They then launch their attacks at plausible moments, when the recipient’s guard is down. Most commonly, these attacks have been attributed to banking trojan campaigns, such as Ursnif or Gozi.

The whole conversation looks entirely legitimate, with the correct logos, email addresses and even tone of voice. A message like this is very likely to get through any email filtering solution, and the victim will open it since it looks like it’s from a trusted sender. There are numerous reports online of these attacks occurring.

While the conversation-hijacking attacks are currently being used to distribute a banking trojan, this spear-phishing tactic could be used in many other types of attack. The distribution of Gozi using these methods is indicative of the actions of a specific crime ring.

What you can do

Faced with such an advanced threat, it might seem impossible to stay safe. However, there are a few tips that can help defend against attacks. First, never turn macros on, and never trust a document that asks for macros to be turned on, especially if it’s a Microsoft Office file that demands hidden content be shown: macros are a very common attack vector.

Always make sure to keep the operating system updated. It’s important to pay attention to what file you are about to open, as any document that suggests modifying the security settings within Microsoft Office should be treated with extreme caution.
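As an added illustration (not part of the original article), a mail-processing script can apply the macro advice automatically: it flags replies in an existing thread that carry an Office file with an embedded VBA project. The function names, addresses and sample message are constructed for this example, and the check covers only zip-based Office formats.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage


def has_vba_project(data: bytes) -> bool:
    """True if data is a zip-based Office file carrying a VBA macro project."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())


def macro_attachments_in_reply(raw: bytes) -> list:
    """Names of macro-bearing attachments, reported only for reply messages."""
    msg = message_from_bytes(raw, policy=policy.default)
    # Replies inside a thread carry In-Reply-To and/or References headers.
    if not (msg["In-Reply-To"] or msg["References"]):
        return []
    flagged = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if has_vba_project(data):
            flagged.append(part.get_filename() or "(unnamed)")
    return flagged


def make_container(members: dict) -> bytes:  # constructed stand-in for an Office file
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


def build_sample(reply: bool) -> bytes:
    """Constructed message with one macro-enabled and one plain attachment."""
    m = EmailMessage()
    m["From"] = "supplier@example.com"
    m["Subject"] = "RE: Invoice 1042"
    if reply:
        m["In-Reply-To"] = "<abc123@example.org>"
    m.set_content("Please see the attached updated invoice.")
    m.add_attachment(make_container({"word/document.xml": "<w/>", "word/vbaProject.bin": "x"}),
                     maintype="application", subtype="octet-stream", filename="invoice.docm")
    m.add_attachment(make_container({"word/document.xml": "<w/>"}),
                     maintype="application", subtype="octet-stream", filename="notes.docx")
    return m.as_bytes()
```

A flagged message is a candidate for quarantine or for the phone check with the sender, not proof of compromise, since legitimate macro-enabled documents do circulate.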

Most security-savvy internet users already mistrust emails from people they don’t know. Unfortunately, it is now time to apply suspicion to trusted senders too. Attackers commonly try to spoof email addresses to look like those you’re familiar with, and may even gain control of an email account belonging to a person familiar to you, such as a boss or trusted vendor. Always err on the side of caution when it comes to emails asking you to download attachments.

It’s also important to protect email accounts from being hijacked. Attackers can use techniques like alternate inboxing to send messages from an account without the user’s knowledge. Be sure to secure the account with strong passwords, two-factor authentication, or a secure password manager, and encourage friends and colleagues to do the same.

Finally, if an email appears suspicious, the best way to check its legitimacy is to contact the sender directly, most commonly over the phone. The person at the end of the line should be able to verify their supposed activity.

Phishing attacks will only become more convincing with time, and organizations must ensure that they are educating staff on new campaigns and applying the appropriate security software to mitigate threats. Remaining vigilant and paying attention to who sent an unexpected email will always make you that much safer.