The onslaught of targeted email attacks such as business email compromise, spear phishing, and ransomware continues uninterrupted, costing organizations of all types and sizes billions of real dollars [1]. Cybercriminals know that employees are the weak link in an organization and need only convince these targets that they are someone who should be trusted in order to succeed. In terms of methods used to deceive employees, email spoofing and display name deception have been the “go-to” techniques. However, security leaders charged with reducing this risk need to factor in yet another form of email-based identity deception. According to recent Agari research, there has been a 126% increase in targeted email attacks that exploit account takeovers (ATO).
Prior to 2017, concerns over ATO-based email attacks were virtually nonexistent. However, in early 2017, the Google Docs ATO Worm Attack [2] brought a spotlight to the problem when it struck over a million users in only a few hours. Most recently, a new Osterman Survey [3] found that 44% of organizations were victims of targeted email attacks launched via a compromised account in the past 12 months.
As these attacks continue to rise, organizations should be evaluating whether their existing email security controls can analyze, detect, and block ATO-based email attacks. This report discusses a typical ATO-based email attack flow, why such attacks are effective, and why organizations should be placing a high priority on stopping these attacks in 2019 and beyond. Finally, the paper will introduce Agari Advanced Threat Protection™ and explain how its core Agari Identity Graph™ technology works to stop ATO-based email attacks.
An account takeover (ATO)-based email attack is the process of gaining unauthorized access to a trusted email account, and using this compromise to launch subsequent email attacks for financial gain or to execute a data breach. Since ATO-based attacks originate from email accounts of trusted senders, traditional security controls cannot detect such attacks. Moreover, given the pre-existing trust relationships, launching a targeted attack such as a business email compromise from such an account increases the likelihood that the attack will succeed. Account takeover-based email attacks rely on leveraging a compromised account or endpoint as a launchpad for a targeted email attack such as business email compromise. To achieve this goal, cybercriminals follow the below process:
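To make the detection gap concrete, the following added example (illustration only, not Agari code and not a description of the Agari Identity Graph) contrasts an authentication-only gateway check with a simple per-sender behavioral baseline. A spoofed message claiming a trusted address fails SPF/DKIM/DMARC and is blocked, while an ATO-based message sent from the genuinely compromised account authenticates cleanly and only stands out because it departs from how that account normally behaves. All addresses, the sending history, the urgency cues, and the two-anomaly threshold are constructed assumptions.

```python
"""Added example (not Agari's code or method): why an ATO-based email slips past
authentication-only controls, and how a per-sender behavioral baseline can still
surface it. Every message and the baseline history below are constructed."""
from collections import Counter
from dataclasses import dataclass, field

# Constructed lure cues; a real deployment would tune these to its own traffic.
URGENCY_TERMS = ("urgent", "wire", "immediately", "confidential")


@dataclass
class Message:
    sender: str      # From: address
    recipient: str   # To: address
    hour: int        # send hour, 0-23, in the sender's usual time zone
    reply_to: str    # Reply-To: address, "" when absent
    spf: str         # authentication results as a gateway would record them
    dkim: str
    dmarc: str
    subject: str


def authentication_verdict(msg: Message) -> str:
    """A traditional control: block only when domain authentication fails."""
    if (msg.spf, msg.dkim, msg.dmarc) == ("pass", "pass", "pass"):
        return "allow"
    return "block"


@dataclass
class SenderProfile:
    """Baseline of one trusted account's observed sending behavior."""
    recipients: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)
    total: int = 0

    def learn(self, msg: Message) -> None:
        self.recipients[msg.recipient] += 1
        self.hours[msg.hour] += 1
        self.total += 1


def behavior_anomalies(profile: SenderProfile, msg: Message) -> list[str]:
    """Reasons the message departs from the sender's baseline (empty if none)."""
    reasons = []
    if msg.recipient not in profile.recipients:
        reasons.append("recipient never contacted before")
    if profile.total and profile.hours[msg.hour] == 0:
        reasons.append("sent outside the account's usual hours")
    sender_domain = msg.sender.rsplit("@", 1)[-1]
    if msg.reply_to and msg.reply_to.rsplit("@", 1)[-1] != sender_domain:
        reasons.append("Reply-To points at another domain")
    if any(term in msg.subject.lower() for term in URGENCY_TERMS):
        reasons.append("urgency/payment language in subject")
    return reasons


def classify(profile: SenderProfile, msg: Message) -> dict:
    """Run both checks; flag on two or more behavioral anomalies (assumed threshold)."""
    reasons = behavior_anomalies(profile, msg)
    return {
        "auth": authentication_verdict(msg),
        "behavior": "flag" if len(reasons) >= 2 else "allow",
        "reasons": reasons,
    }


def build_profile() -> SenderProfile:
    """Constructed history: alice mails two colleagues during business hours."""
    profile = SenderProfile()
    for i in range(30):
        profile.learn(Message("alice@example.com",
                              ["bob@example.com", "carol@example.com"][i % 2],
                              9 + i % 8, "", "pass", "pass", "pass", "weekly status"))
    return profile


def demo() -> dict:
    """Classify three constructed messages against alice's baseline."""
    profile = build_profile()
    samples = {
        # Spoof: claims alice's address but fails domain authentication.
        "spoofed": Message("alice@example.com", "bob@example.com", 10, "",
                           "fail", "fail", "fail", "invoice attached"),
        # ATO: sent from alice's real, compromised account, so it authenticates.
        "ato": Message("alice@example.com", "cfo@partner.example", 3,
                       "alice.reply@mail.example", "pass", "pass", "pass",
                       "URGENT wire transfer before noon"),
        # Normal traffic from alice.
        "legit": Message("alice@example.com", "bob@example.com", 11, "",
                         "pass", "pass", "pass", "weekly status"),
    }
    return {label: classify(profile, m) for label, m in samples.items()}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(label, verdict)
```

Running it shows the spoofed message blocked on authentication alone, the legitimate message passing both checks, and the ATO message allowed by authentication yet flagged for an unknown recipient, an off-hours send, a foreign Reply-To domain, and payment-urgency wording. The point is that an ATO-based message carries the trusted account's valid credentials, so only identity and behavior signals, not domain authentication, distinguish it from the account owner's real mail.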
Step 1: Gain Account Access
The attacker attempts to gain access to a user account by launching a spear phishing or malware-based email attack. Alternatively, with the proliferation of data breaches, he may simply purchase email account credentials from the dark web at a reasonable price:
Step 2: Establish Account Control
The attacker establishes persistent control of the account without alerting the victim or any security personnel. For example, the attacker may implement the following:
The longer the attacker controls the account, the more information can be gathered and the higher the likelihood of mission success.
Step 3: Conduct Internal Reconnaissance
The attacker conducts internal reconnaissance to determine how the compromised account can be exploited. For example, the attacker may use a set of manual or automated scripts to determine the following:
Additionally, the attacker may lie dormant, observing email communication between the original account owner and their contacts with plans to eventually hijack the conversation.
Step 4: ATO-Based Attack
If the attacker determines that assets can be retrieved directly from the account, he will immediately move to Step 5. Otherwise, the attacker will launch a targeted email attack against the contact list of the controlled account. The type of targeted email attack will depend on the previous reconnaissance and could consist of a business email compromise scam to extract funds or a spear phishing campaign to gain a deeper foothold in the organization.
Step 5: Complete Mission
Depending on the targeted email attack, the attacker will move to exfiltrate the sensitive information or funds, or repeat the ATO process if user account credentials were requested.