Attackers are successfully stealing the credentials of employees and using them in account takeover (ATO) incidents more frequently, which makes business email compromise (BEC) one of the most prevalent types of cyber fraud, according to Barracuda Networks.
The latest Threat Spotlight looked at the motives behind ATOs and found that while hackers have myriad objectives, many commonly use ATOs to launch phishing campaigns.
“Some attackers try to use the hacked email account to launch phishing campaigns that will go undetected, some attackers steal credentials of other employees and sell them in the black market, and others use the account to conduct reconnaissance to launch personalized attacks,” researchers wrote.
“The most sophisticated attackers steal the credentials of a key employee (e.g., CEO or CFO), and use them to launch a business email compromise (BEC) attack from the real employee's email address.”
From April to June 2018, 60 incidents occurred among the 50 randomly selected organizations. Of the 50 organizations, four to eight reported having at least one account takeover incident. In the organizations that were compromised, the hijacked accounts were then used for nefarious purposes.
A large majority (78%) of the total incidents resulted in a phishing email where the attacker usually impersonated the employee and requested that the recipients click on malicious links or open infected attachments.
Analysis of the incidents revealed that 17% were platforms for spam campaigns that appeared to come from reputable domains, while 5% of incidents involved internal email traffic in which the attacker asked the recipient to download an attachment.
Over the course of the three-month study, 50 different email accounts were compromised. By examining the roles of the compromised employees, some of whom were compromised multiple times, researchers found that the total number of compromised employees was 60, with 6% of those identified as executives and 22% reportedly in sensitive departments.
Barracuda recommends that any request involving money made via email, particularly something like a wire transfer request coming from the CEO, not be honored without first having an in-person conversation or, at the very least, a phone call where the sender's identity has been verified.