Account takeover incidents, where attackers steal the credentials of employees and use them to send emails from the user’s real account, are increasing in frequency and magnitude. In this Threat Spotlight, we take a closer look at the motives and demographics behind these attacks.
Account Takeover – attackers attempt to steal user credentials in order to launch attacks from an internal account.
Account takeover (ATO) attacks have multiple objectives. Some attackers try to use the hacked email account to launch phishing campaigns that will go undetected, some attackers steal credentials of other employees and sell them in the black market, and others use the account to conduct reconnaissance to launch personalized attacks. The most sophisticated attackers steal the credentials of a key employee (e.g., CEO or CFO), and use them to launch a Business Email Compromise attack from the real employee’s email address.
To better understand the extent of account takeover, Grant Ho, along with the Barracuda Sentinel team, ran a study on 50 randomly selected organizations. These organizations span different sectors, including private companies, public organizations, and educational institutions. These organizations reported account takeover incidents to us over a three month period, from the beginning of April until the end of June 2018. Note that this study may underestimate the number of real account takeover incidents, since some incidents may have taken place without the organization’s knowledge.
The above table includes a summary of the incidents reported by these organizations. An account takeover incident is defined as an employee’s email being used by an attacker to email other people, either internal employees or external parties.
Overall, in each month 4-8 organizations reported at least one account takeover incident, and the total number of incidents reported was 60. On average, when a company got compromised, the compromise resulted in at least 3 separate account takeover incidents, where either the same or different employees accounts were used for nefarious purposes.
We also analyzed the type of incidents. Out of the 60 incidents, 78% resulted in a phishing email. In these phishing emails, the goal of the attacker was typically to infect additional internal and external accounts. The email usually impersonates the employee and asks the recipient to click on a link. The attackers sometimes made the email appear as if the employee is sending an invitation to a link from popular web services, such as OneDrive or DocuSign.
Another 17% of incidents were used as platforms for sending spam campaigns. The reason attackers love using compromised accounts as vehicles for launching spam is that the accounts often have very high reputations: they are coming from reputable domains, from the correct IP, and from real people that have a legitimate email history. Therefore, they are much likely to get blocked by email security systems that rely on domain, sender or IP reputation.
Finally, 5% of incidents involved in the attacker asking the recipient to download an attachment. These incidents all involved internal email traffic. This attack is effective because most email security systems do not scan internal traffic for threats. Therefore, attackers can send malware with relative ease internally, and the recipients will often open the attachments, which will cause their endpoints to get infected.
We also analyzed the roles of the employees that got compromised. Over the 3 months, 50 different email accounts got compromised (some accounts were compromised multiple times). We include the results below.
Only 6% of the compromised employees were executives. In fact, the vast majority were in either entry-level or mid-management roles. This demonstrates that account takeover is a widespread phenomenon and is not just targeting high-level employees. In fact, often lower-level employees are better targets because they have less cybersecurity training. In addition, given the fact that many incidents are used to phish other employees or external parties, the attackers are looking for any way they can get into the network, even if it’s through a “lower-level” email account. Once they are through, they can exploit the reputation of the company and its brand to their advantage.
Although account takeover attacks are widespread, attackers continue to target the specific departments that have been the most lucrative in terms of information and financial gain.
22% of the incidents occurred to employees in sensitive departments. Sensitive departments include HR, IT, finance and legal. The aggregate number of employees in these departments within the organizations we study is much lower than 22%. Therefore, this shows that while these incidents are widespread, there are still specific departments that attackers have a strong preference to go after because they are the most lucrative targets for information and financial theft.