The onslaught of targeted email attacks such as business email compromise, spear phishing, and ransomware continues uninterrupted, costing organizations of all types and sizes billions of dollars. Cybercriminals know that employees are the weak link in any organization and thus need only convince these targets that they are someone who should be trusted in order to succeed. In terms of methods used to deceive employees, email spoofing and display name deception have been the “go-to” techniques. However, security leaders charged with reducing this risk need to factor in yet another email-based identity deception tactic. According to recent Agari research, there has been a 126% increase in targeted email attacks that exploit account takeovers (ATOs) to con victims.
Prior to 2017, concerns over ATO-based email attacks were virtually non-existent. However, in early 2017, the Google Docs ATO Worm Attack brought a spotlight to the problem when it struck over a million users in only a few hours. Most recently, Agari has found that one in four advanced email attacks involve the use of a compromised account.
As these attacks continue to rise, organizations should be evaluating whether their existing email security controls can analyze, detect, and block ATO-based email attacks. This report discusses a typical ATO-based email attack flow, why they are so effective, and why organizations should be placing a high priority on stopping this type of attack. Finally, the paper will introduce Agari Phishing Defense™ and explain how its core Agari Identity Graph™ technology works to stop account takeover-based email attacks and protect organizations from the most dangerous type of threat.
An account takeover-based email attack is the process of gaining unauthorized access to a trusted email account, and using this compromise to launch subsequent email attacks for financial gain or to execute a data breach. Since ATO-based attacks originate from email accounts of trusted senders, traditional security controls cannot detect such attacks. Moreover, given the pre-existing trust in relationships, launching a targeted attack such as a business email compromise scam from such an account increases the likelihood that the attack will succeed.
Account takeover-based email attacks rely on leveraging a compromised account or endpoint as a launchpad for other email attacks. To achieve this goal, cybercriminals follow the process below:
Step 1: Gain Account Access
The attacker attempts to gain access to a user account by launching a spear phishing or malware-based email attack. Alternatively, with the proliferation of data breaches, they may simply purchase email account credentials from the dark web at a reasonable price.
Step 2: Establish Account Control
The attacker establishes persistent control of the account without alerting the victim or any security personnel. For example, the attacker may implement the following:
The longer the attacker controls the account, the more information can be gathered and the higher the degree of mission success.
Step 3: Conduct Internal Reconnaissance
The attacker conducts internal reconnaissance to determine how the compromised account can be exploited. For example, the attacker may use a set of manual or automated scripts to determine the following:
Additionally, the attacker may lay dormant, observing email communication between the original account owner and their contacts with plans to eventually hijack the conversation.
Step 4: Account Takeover-Based Attack
If the attacker determines that assets can be retrieved directly from the account, he will immediately move to the next step. Otherwise, the attacker will launch a targeted email attack against the contact list of the controlled account. The type of targeted email attack will be dependent on the previous reconnaissance and could consist of a business email compromise scam to extract funds or a spear-phishing campaign to gain a deeper foothold into the organization.
Step 5: Complete Mission
Depending on the targeted email attack, the attacker will move to exfiltrate the sensitive information or funds, or repeat this process if user account credentials were requested from higher-value targets.
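The attack flow above turns on one point from earlier in the report: a message sent from a taken-over account authenticates as the genuine sender, so controls that only check origin pass it. The following is an added illustration of the alternative, a per-account behavioral baseline; it is not Agari's code or the Identity Graph algorithm, and the account history, addresses and hours are constructed sample data.

```python
"""Behavioral baseline check for mail from an already-trusted account.

Added illustration, not Agari's code: a message from a compromised account
passes sender authentication, so the usable signals are deviations from how
that account normally behaves. All messages below are constructed samples.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Message:
    sender: str
    recipients: tuple     # ("someone@example.com", ...)
    reply_to: str         # address that replies are directed to
    hour: int             # local hour of day, 0-23
    auth_pass: bool       # SPF/DKIM/DMARC aligned and passing
    subject: str = ""


def build_baseline(history):
    """Summarise an account's normal behaviour from its past messages."""
    domains, hours = Counter(), Counter()
    for m in history:
        domains.update(r.split("@")[1] for r in m.recipients)
        hours[m.hour] += 1
    return {"known_domains": set(domains),
            "active_hours": {h for h, n in hours.items() if n >= 2}}


def score(msg, baseline):
    """Return anomaly reasons for msg; an empty list means it looks normal."""
    reasons = []
    new_domains = {r.split("@")[1] for r in msg.recipients} - baseline["known_domains"]
    if new_domains:
        reasons.append(f"recipient domains never contacted before: {sorted(new_domains)}")
    if msg.reply_to.split("@")[1] != msg.sender.split("@")[1]:
        reasons.append(f"reply-to {msg.reply_to} diverts replies away from the sender domain")
    if msg.hour not in baseline["active_hours"]:
        reasons.append(f"sent at hour {msg.hour}, outside the account's usual hours")
    return reasons


# Constructed history: alice normally mails a colleague during working hours.
HISTORY = [Message("alice@corp.example", ("bob@corp.example",), "alice@corp.example", h, True)
           for h in (9, 10, 10, 14, 15, 15)]


def demo():
    """Authenticated message from the compromised account that still gets flagged."""
    hijack = Message("alice@corp.example", ("ap@vendor.example",),
                     "alice@corp-mail.example", 3, True, "Urgent wire")
    return hijack.auth_pass, score(hijack, build_baseline(HISTORY))
```

`demo()` returns `(True, [...])`: the message passed authentication yet carries three behavioral anomalies, which is the gap the report describes.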