Cybercriminals are increasingly registering accounts with legitimate services, such as Gmail and AOL, to use them in impersonation and BEC attacks, according to Barracuda Networks.
BEC attacks impact thousands of organizations
In their most recent threat spotlight report, Barracuda researchers observed that 6,170 malicious accounts using Gmail, AOL and other email services have been responsible for over 100,000 BEC attacks, which have impacted nearly 6,600 organizations. What’s more, since April 1, these ‘malicious accounts’ have been behind 45% of all BEC attacks detected.
Essentially, cybercriminals are using malicious accounts to impersonate an employee or trusted partner, and send highly personalized messages for the purpose of tricking other employees into leaking sensitive information, or sending over money.
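The impersonation pattern described above, as an added example that is not part of Barracuda’s report: a small Python check that flags inbound mail whose From display name matches a known employee or role but whose address sits at a free webmail domain, notes a diverted Reply-To, and counts how often each flagged sender address recurs across a batch. The protected domain, the employee directory, the webmail list and the sample messages are all constructed for the example.

```python
"""Display-name impersonation check for inbound mail (added example).

Flags messages whose From display name belongs to a known employee or role
but whose sender address lives at a free webmail provider. The directory,
the webmail list and the sample headers below are constructed, not real.
"""
from collections import Counter
from email import message_from_string
from email.utils import parseaddr
import unicodedata

ORG_DOMAIN = "example.com"  # assumed: the protected organisation's domain
FREE_WEBMAIL = {"gmail.com", "aol.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Constructed directory: display names an impersonator would want to borrow.
TRUSTED_PEOPLE = {
    "Jane Doe": "jane.doe@example.com",
    "Accounts Payable": "ap@example.com",
}


def normalize_name(name: str) -> str:
    """Fold case, strip accents and collapse whitespace so 'JANE  Doe' == 'Jane Doe'."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(folded.split()).casefold()


_TRUSTED_NORMALIZED = {normalize_name(k): v for k, v in TRUSTED_PEOPLE.items()}


def classify_from_header(from_value: str, reply_to: str = "") -> list:
    """Return the reasons a From/Reply-To pair looks like BEC impersonation."""
    display, addr = parseaddr(from_value)
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    expected = _TRUSTED_NORMALIZED.get(normalize_name(display))
    if expected and addr.lower() != expected.lower():
        reasons.append(f"display name '{display}' belongs to {expected}, not {addr}")
        if domain in FREE_WEBMAIL:
            reasons.append(f"sender domain {domain} is a free webmail provider")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        reply_domain = reply_addr.rpartition("@")[2].lower()
        if reply_domain and reply_domain != domain:
            reasons.append(f"Reply-To diverts replies to {reply_domain}")
    return reasons


def scan_message(raw: str) -> dict:
    """Parse one raw RFC 5322 message and classify its sender."""
    msg = message_from_string(raw)
    from_value = msg.get("From", "")
    reasons = classify_from_header(from_value, msg.get("Reply-To", ""))
    _, addr = parseaddr(from_value)
    return {"sender": addr.lower(), "suspicious": bool(reasons), "reasons": reasons}


def scan_mailbox(raw_messages):
    """Scan a batch and count messages per flagged sender address.

    The per-address count matters because the same external address is often
    reused against several recipients or organisations over time.
    """
    findings = [scan_message(m) for m in raw_messages]
    reuse = Counter(f["sender"] for f in findings if f["suspicious"])
    return findings, reuse


# Constructed sample messages (headers only; bodies are irrelevant to the check).
SAMPLE_MESSAGES = [
    # Employee's name on a free webmail address: flagged.
    "From: Jane Doe <jane.doe.ceo@gmail.com>\nTo: bob@example.com\nSubject: Quick request\n\nHi Bob\n",
    # Genuine internal mail: not flagged.
    "From: Jane Doe <jane.doe@example.com>\nTo: bob@example.com\nSubject: Lunch\n\nSee you at noon\n",
    # Unknown external sender at webmail: not flagged on the name alone.
    "From: Sam Vendor <sam.vendor@gmail.com>\nTo: bob@example.com\nSubject: Catalogue\n\nAttached\n",
    # Same external address reused with a different borrowed name and a diverted Reply-To.
    "From: Accounts Payable <jane.doe.ceo@gmail.com>\nReply-To: payments@aol.com\nTo: bob@example.com\nSubject: Invoice\n\nPlease review\n",
]

if __name__ == "__main__":
    results, reused = scan_mailbox(SAMPLE_MESSAGES)
    for r in results:
        print(r["sender"], "SUSPICIOUS" if r["suspicious"] else "ok", r["reasons"])
    print("flagged address reuse:", dict(reused))
```

The name check is deliberately narrow: an unknown external name at Gmail is normal business mail and produces no finding, so the alert rate stays tied to names the organisation actually cares about. In production the directory would come from the identity provider and the reuse counter would persist across days, since the report notes attackers return to old addresses after long breaks.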
Cybercriminals prefer Gmail
The preferred choice of email service for malicious accounts is Gmail, which accounts for 59% of all email domains used by cybercriminals. Yahoo! is the second most popular, accounting for just 6% of all observed malicious account attacks.
Researchers also observed that 29% of malicious accounts are used for less than 24-hour periods – most likely to avoid detection and suspensions from email providers. However, it’s not unusual for cybercriminals to return and re-use an email address for an attack after a long break.
Having analyzed attacks on 6,600 organizations, Barracuda researchers found that in many cases, cybercriminals used the same email addresses to attack different organizations. The number of organizations attacked by each malicious account ranged from one, to a single mass scale attack that impacted 256 organizations — 4% of all the organizations included in the research.
Similarly, the number of email attacks sent by a malicious account ranged from one to over 600 emails, with the average being only 19.
“Given that email services such as Gmail are free to set up, just about anyone can create a potentially malicious account for the purpose of a BEC attack. Securing oneself against this threat requires organizations to take protection matters into their own hands – this requires them to invest in sophisticated email security that leverages artificial intelligence to identify unusual senders and requests,” said Michael Flouton, VP Email Protection, Barracuda Networks.
“However, no security software will ever be 100% effective, particularly when the sender appears to be using a perfectly legitimate email domain. Thus, employee training and education is essential, and workers should be made aware of how to manually spot, flag and block any potentially malicious content.”