Account takeover-based email attacks are on the increase because they often succeed. In fact, 44% of organizations have been the victims of account takeover (ATO) attacks. Your organization’s existing controls may no longer be enough to guard against ATO-driven financial fraud, credential theft, and brand damage.

Download your copy of the white paper now to learn more about:

  • A typical account takeover-based email attack flow;
  • Why ATO-based attacks are so effective at targeting your employees; and
  • How to prevent these types of email attacks—now and in the future.

Executive Summary

The onslaught of targeted email attacks such as business email compromise, spear phishing, and ransomware continues uninterrupted, costing organizations of all types and sizes billions of real dollars lost¹. Cybercriminals know that employees are the weak link in an organization and need only convince these targets that they are someone who should be trusted in order to succeed. Among the methods used to deceive employees, email spoofing and display name deception have been the “go-to” techniques. However, security leaders charged with reducing this risk need to factor in yet another email-based identity deception tactic. According to recent Agari research, there has been a 126% increase in targeted email attacks that exploit account takeovers (ATO).

Prior to 2017, concerns over ATO-based email attacks were virtually nonexistent. However, in early 2017, the Google Docs ATO Worm Attack² brought a spotlight to the problem when it struck over a million users in only a few hours. Most recently, a new Osterman Survey³ found that 44% of organizations were victims of targeted email attacks launched via a compromised account in the past 12 months.

As these attacks continue to rise, organizations should be evaluating whether their existing email security controls can analyze, detect, and block ATO-based email attacks. This report discusses a typical ATO-based email attack flow, why such attacks are effective, and why organizations should be placing a high priority on stopping them in 2019 and beyond. Finally, the paper will introduce Agari Advanced Threat Protection™ and explain how its core Agari Identity Graph™ technology works to stop ATO-based email attacks.

What Does a Typical ATO-based Email Attack Look Like?

An account takeover (ATO)-based email attack is the process of gaining unauthorized access to a trusted email account and then using that compromised account to launch subsequent email attacks for financial gain or to execute a data breach. Because ATO-based attacks originate from the genuine email accounts of trusted senders, traditional security controls that key on spoofed senders cannot detect them. Moreover, given the pre-existing trust relationships, launching a targeted attack such as a business email compromise from such an account increases the likelihood that the attack will succeed. In short, the compromised account or endpoint serves as a launchpad for a targeted email attack such as business email compromise. To achieve this goal, cybercriminals follow the process below:

Step 1: Gain Account Access

The attacker attempts to gain access to a user account by launching a spear phishing or malware-based email attack. Alternatively, with the proliferation of data breaches, he may simply purchase email account credentials from the dark web at a reasonable price.

Step 2: Establish Account Control

The attacker establishes persistent control of the account without alerting the victim or any security personnel. For example, the attacker may implement the following:

  1. Create rules that automatically delete his own malicious email activity
  2. Set up forwarders to silently monitor the user's communication
  3. Tamper with password change processes so that he retains control of the password

The longer the attacker controls the account, the more information can be gathered, and the higher the likelihood of mission success.

Step 3: Conduct Internal Reconnaissance

The attacker conducts internal reconnaissance to determine how the compromised account can be exploited. For example, the attacker may use a set of manual or automated scripts to determine the following:

  • Does the compromised account or user credentials give direct access to monetizable data, either locally or on other systems?
  • Can the victim’s contacts be exploited to achieve the final mission of financial fraud or data exfiltration?
  • Can the victim’s contacts be exploited to compromise other high value accounts?

Additionally, the attacker may lie dormant, observing email communication between the original account owner and their contacts with plans to eventually hijack the conversation.

Step 4: ATO-Based Attack

If the attacker determines that assets can be retrieved directly from the account, he will move immediately to Step 5. Otherwise, the attacker will launch a targeted email attack against the contact list of the controlled account. The type of targeted email attack will depend on the previous reconnaissance and could consist of a business email compromise scam to extract funds or a spear phishing campaign to gain a deeper foothold in the organization.

Step 5: Complete Mission

Depending on the targeted email attack, the attacker will move to exfiltrate the sensitive information or funds, or repeat the ATO process if user account credentials were harvested.
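The persistence tricks in Step 2 (silent forwarders, rules that auto-delete or hide the attacker's traffic) leave traces in mailbox-rule audit events, and hunting for them is one of the few ways to catch an ATO before Step 4. The following is an added defender-side example, not part of the white paper or Agari's product: it triages constructed rule-change events (a simplified shape loosely modelled on Exchange Online inbox-rule audit entries, not the real schema) and assumes the organization's own domain is `example.com`.

```python
import json

ORG_DOMAIN = "example.com"  # assumption: the organization's own mail domain
SUSPECT_WORDS = {"password", "invoice", "wire", "payment", "hacked", "suspicious", "phish"}
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items", "junk email", "archive"}

# Constructed sample events, loosely modelled on inbox-rule audit log entries
# (simplified for illustration; field names are assumptions, not a real schema).
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collector@attacker.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "ap@example.com", "ClientIP": "198.51.100.4",
     "Parameters": [{"Name": "SubjectContainsWords", "Value": "invoice;wire;payment"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "hr@example.com", "ClientIP": "198.51.100.9",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@example.com"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

def _params(event):
    """Flatten the Name/Value parameter list of one event into a dict."""
    return {p["Name"]: p["Value"] for p in event.get("Parameters", [])}

def classify_rule_event(event):
    """Return the ATO persistence indicators (Step 2 tricks) present in one rule event."""
    p, findings = _params(event), []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):  # silent forwarders
        addr = p.get(key, "")
        if addr and not addr.lower().endswith("@" + ORG_DOMAIN):
            findings.append(f"external_forward:{key}={addr}")
    if p.get("DeleteMessage", "").lower() == "true":  # rule that destroys evidence
        findings.append("auto_delete")
    words = {w.strip().lower() for w in p.get("SubjectContainsWords", "").split(";") if w.strip()}
    if words & SUSPECT_WORDS:  # filtering on fraud/security keywords
        findings.append("subject_filter:" + ",".join(sorted(words & SUSPECT_WORDS)))
    folder = p.get("MoveToFolder", "")
    if folder.lower() in HIDING_FOLDERS:  # hiding mail where the owner rarely looks
        findings.append(f"hide_in_folder:{folder}")
    if "Name" in p and p["Name"].strip(" .") == "":  # blank or "." names are a common tell
        findings.append("empty_or_dot_rule_name")
    return findings

def triage(events):
    """Map each user to the indicators found across their rule events (clean users omitted)."""
    report = {}
    for ev in events:
        hits = classify_rule_event(ev)
        if hits:
            report.setdefault(ev["UserId"], []).extend(hits)
    return report

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Each flagged user is a candidate for credential reset, rule removal and review of the `ClientIP` against the user's normal sign-in locations.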
