It’s time to talk to customers about conversation hijacking

There are a few best practices that can help institute a robust, holistic security approach designed to prevent account-takeover and conversation hijacking attacks.

By Chris Crellin, Senior Director of Product Management, Barracuda MSP

Chris Crellin, senior director of product management for Barracuda MSP

While not as widespread as other types of cyber-attacks, conversation hijacking is a rapidly growing account takeover (ATO) attack method that can be highly effective and difficult to detect. To protect their employees and their data, your clients will need both education and the right technology. For MSPs who want to keep client networks safe, it may be time to discuss conversation hijacking.

Recent research by Barracuda Networks highlights the growing dangers of these attacks. According to the report, an analysis of approximately 500,000 monthly email attacks shows a 400 percent increase during 2019, going from about 500 incidents at the beginning of the year, to roughly 2,000 incidents by November of last year.

Cybercriminals either insert themselves into existing email conversations or initiate new ones using information they have gleaned from a compromised email account or other online sources in a conversation hijacking attack. The attackers read emails and monitor the compromised account to learn as much as possible to trick employees into sharing sensitive passwords, data, or access to financial resources.

They then use email-domain impersonation techniques to leverage the compromised account information. By creating clever and legitimate sounding messages based on existing conversations between employees and partners, they can fool employees into sharing information or even wiring money.

Best Practices to Counter Conversation Hijacking

These attacks are far more sophisticated than standard phishing attempts. Attackers often spend months gathering enough intelligence to impersonate company executives, business partners or vendors, effectively. The tell-tale signs of a typical phishing scheme are nowhere to be found, making it much more challenging for both security solutions and employees to spot a fraudulent email.

This is where employee training is critical — staff must be educated enough to watch for signs of a potential account takeover and be well-versed in company policies that might, for example, prohibit money transfers based on simple email requests. New and advanced security tools, such as artificial intelligence-based systems, can also help analyze communication patterns and identify potential fraudulent emails.

There are a few best practices to follow to help institute a robust, holistic security approach that will help prevent account takeover and conversation hijacking attacks:

  1. Train employees about what these attacks look like, how to identify and report them, and the danger they pose. Phishing simulation exercises are a powerful tool for conducting and reinforcing that training, and can identify the most vulnerable employees and provide additional support.
  1. Encourage the adoption of strong internal policies to prevent data sharing and fraudulent money transfers. Employees let their guards down when they believe they are working with a trusted partner, vendor, or interacting with a co-worker or executive. Ensure enforceable policies are established to place extra safeguards around sharing important data or transferring money. There should be requirements for phone confirmations, in-person discussions, or third-party approvals.
  1. Implement account takeover protection as part of a robust cybersecurity platform. Multi-factor authentication (MFA) adds a security layer, but advanced, AI-based solutions can help recognize compromised accounts automatically, alert users, and delete or quarantine malicious emails.

These AI-based systems can be very effectives as they do not rely on looking for malicious links, attachments to spot vulnerabilities. Instead, the machine learning engines in these solutions can learn what normal communication patterns look like, and then spot deviations that might indicate a compromised account or an ongoing attack.

  1. Keep an eye on account logins and domain registrations. Technology can help companies look for unusual IP addresses or logins from unexpected locations. Changes in email account inbox rules can also indicate an account takeover, so the ability to automatically monitor those changes is critical. Watch for similar-sounding domain registrations and other indicators that an attack might be underway or that someone is planning to use typo-squatting techniques to launch a future attack. 

While conversation hijacking is not the most common type of attack, it has grown increasingly popular with determined criminals willing to invest the time and effort in these highly targeted schemes. By encouraging clients to follow the best practices above, MSPs can help reduce risk and save themselves and their customers costly recovery work in the future.

Chris Crellin is Senior Director of Product Management for Barracuda MSP, a provider of security and data protection solutions for managed services providers, where he is responsible for leading product strategy and management.