Emails coming from legitimate, compromised accounts are difficult to spot, both for existing email protection systems and the recipients themselves.
Lateral phishing tactics
Researchers from Barracuda, UC Berkeley and UC San Diego have studied 180 lateral phishing incidents and have identified the following patterns organizations and individuals should be aware of:
- One in 10 of the lateral phishing attacks succeed
- 42% don’t get reported to the organization’s IT or security team
- 98% of the lateral phishing incidents occurred during a weekday
You would think that most lateral phishing would take the form of refined and highly personalized messages, but in most cases that’s not true.
“Across the incidents studied, our researchers found that the majority of lateral phishing attacks rely on two deceptive narratives: messages that falsely alert the user of a problem with their email account, and messages that provides a link to a fake ‘shared’ document, Barracuda said in a recently released report.
These types of commonplace messages represent 63 percent of the lateral phishing emails. In 30 percent of the cases, the language used was adapted to target enterprise organizations (e.g., “Updated work schedule. please distribute to your teams”).
“In the most sophisticated approach, 7 percent of the attacks involved highly targeted content that was specific to the hijacked account’s organization. For example, in one email account takeover incident, the attacker compromised an account at an organization that was about to celebrate its 25th anniversary. Using the hijacked account, the attacker sent dozens of spear-phishing emails to fellow employees advertising a 25th year anniversary celebration event,” the company shared.
In most of the cases (45%), the attackers tried to compromise random accounts and didn’t go after victims with some tie to the hijacked account (those have been targeted in just 29 percent of attacks). Also, apparently, this batch of studied incidents didn’t involve BEC scammers, as the attackers used the hijacked account to send business partners of the hijacked account’s organization in just 1 percent of the observed cases.
Another interesting discovery: recipients of the lateral phishing emails often found the emails suspicious and replied to the hijacked account to ask whether the email was legitimate or intended for them. In 17.5% of the cases, the attackers replied with reassurances that the email was legitimate and the attachment/email safe to open.
Finally, in order to keep their access to the compromised accounts as long as possible, attackers have been known to delete the phishing emails they sent and the replies they received to them.
Defense
Being aware of these tactics is one way individuals and organizations can protect themselves. Another one is to use security solutions that are geared towards spotting them. Protecting accounts with 2-factor authentication (preferably hardware-based) could also thwart most (if not all) of these attacks.
Ideally, organizations should combine all of these solutions.