Beware: Attackers find new methods to avoid detection when compromising email accounts
11 February, 2020
Researchers from Barracuda and UC Berkeley, conducting a large-scale analysis of email account takeover and the timeline of attacks, recently highlighted the behaviours attackers use to try to avoid detection, ways to identify suspicious activity that could indicate an email account has been compromised, and precautions you can take to protect your business.
Among the key findings:
- Attacks are spread out over time; they don’t always happen as soon as the account is compromised
- Attackers are getting smarter about geography; they send phishing emails and perform other actions from IPs tied to the same regions and countries as the hacked account
- IP addresses and ISPs provide important clues; attackers tend to use anonymous IPs belonging to ISPs that differ from the hacked account’s provider
Here’s a closer look at account takeover, including an in-depth timeline analysis and what it reveals about the evolving tactics of cybercriminals, along with best practices and solutions to help detect and block attacks.
Highlighted Threat
Email Account Takeover - Cybercriminals use brand impersonation, social engineering, and phishing to steal login credentials and gain access to an email account. Once the account is compromised, attackers monitor and track activity to learn how the company does business, the email signatures it uses, and how financial transactions are handled. That knowledge lets them launch subsequent phishing attacks, including ones that harvest financial information and additional login credentials for other accounts.
The Details
Attackers execute account-takeover attacks using a variety of methods. Sometimes they leverage usernames and passwords acquired in previous data breaches. Because people often reuse the same password across accounts, attackers can successfully reuse stolen credentials to access additional accounts. They also use stolen passwords for personal email accounts and then use that access to reach business email. Brute-force attacks also succeed in taking over accounts because people use simple passwords that are easy to guess and don’t change them often enough. Attacks also arrive via web and business applications, including SMS.
To provide an in-depth timeline analysis of an account-takeover attack, researchers used a combination of Barracuda’s artificial intelligence (AI) detectors to compile a list of users whose accounts were compromised in August 2019. Researchers chose one compromised account, referred to as User X, and analysed the Microsoft Azure login properties and email activity around the time of the first sign of potential compromise. In addition to the data from Barracuda’s detectors, researchers had access to the raw emails, including the subject line, body content and originating IP address, as well as the Microsoft applications that had been used, including the IP address, time of login and functions performed.
This timeline looks at suspicious activity on User X’s account during the three weeks around the first flagged detection, evaluating three characteristics of each event: the date and UTC time, the state and country where the activity originated, based on the geolocation of the IP address, and the operation performed.
Pinpointing Attacker Behaviour
Comparing the characteristics of activity before the first flagged detection with activity in the weeks following that detection, researchers uncovered several indicators of attacker behaviour, such as logins from IPs located in different cities and states than the ones the user typically logs in from. User X typically logs in from two cities in Texas, but the account had been used from Indonesia and various places in the United States, including Arizona, New York and Virginia.
To confirm this as an indicator of attacker logins, researchers analysed emails sent from User X during the three-week period starting from the initial detection and noticed that emails with subjects that resembled phishing were sent from IPs outside the locations User X typically logged in from. Furthermore, login events and email activity that were likely tied to an attacker almost always came from anonymous IP and hosting services, such as GoDaddy.com and Google Cloud.
Using these indicators helped researchers generalise the identification of attacker behaviour patterns.
Key Findings
Timing can be spread out
The bulk of this attack on User X happened within a window of two days, but there was a 12-day gap between the initial login from Indonesia and further suspicious activity.
One hypothesis about the long gap is that the attacker was performing reconnaissance, spending time gathering information from within User X’s Microsoft Outlook contact list. Another possibility is that one attacker compromised User X’s account and sold the credentials to another attacker, producing a gap in suspicious behaviour.
The purpose of that first login remains an unanswered question. Regardless of whether the attacker was doing reconnaissance or selling the credentials to another attacker, identifying the account takeover as early as possible and remediating quickly can help avoid further damage.
Attackers are getting smarter about geography
Twelve days after the initial login from Indonesia, on August 7, there is a series of three separate sets of logins and emails sent from different anonymous IPs in Scottsdale, Arizona, and somewhere in New York. In each instance, only one email is sent, which could be a sign of an attacker sending a single test email in preparation for a possible larger attack.
Two days later, on August 9, there is a long run of around 50 phishing emails sent from Scottsdale, Arizona. (Note: Many of the 50 email events have been removed from the timeline for brevity.) Then there is a series of foreign logins to the mail server of User X’s account, but no emails were sent. Finally, there is a series of phishing emails sent from an IP located somewhere in Virginia.
The fact that almost all of the phishing emails were sent from IPs located in the United States may indicate that attackers try to evade detection by performing the bulk of their actions from IPs in the same regions and countries as the real user. This approach makes the activity appear less anomalous than activity from foreign regions. As a result, without looking more closely at the emails that were sent from other places in the United States, it would have been difficult to pinpoint whether login activity from these locations was due to attackers.
IP address and ISP are essential clues
Attackers tend to use anonymous IPs belonging to ISPs different from the real user’s typical ISP. There was also a one-to-one correspondence between the originating IP address of emails sent from User X’s account and the IP address used during login to Microsoft Outlook. This helped link login events and email activity to potential attackers.
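The three indicators above (logins from regions outside the user’s baseline, logins from an ISP other than the user’s usual one, and outbound email whose originating IP matches a suspicious login IP) can be turned into a small timeline check. The following is an added example, not code from the article or from Barracuda; the login and email events, IP addresses, ISP names and the detection date are all constructed to mirror the User X narrative, and the geolocation and ISP lookups are assumed to have been done beforehand.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class LoginEvent:
    when: datetime
    ip: str
    region: str   # state/country resolved from the IP (assumed pre-geolocated)
    isp: str      # ISP or hosting provider (assumed pre-resolved)


@dataclass(frozen=True)
class EmailEvent:
    when: datetime
    origin_ip: str
    subject: str


# Constructed sample data (not from the article): documentation-range IPs,
# made-up ISP names and timestamps. Texas is the "normal" region, as in the text.
LOGINS = [
    LoginEvent(datetime(2019, 7, 22, 14, 3), "198.51.100.10", "Texas, US", "ExampleTelecom"),
    LoginEvent(datetime(2019, 7, 23, 13, 58), "198.51.100.11", "Texas, US", "ExampleTelecom"),
    LoginEvent(datetime(2019, 7, 24, 14, 10), "198.51.100.10", "Texas, US", "ExampleTelecom"),
    LoginEvent(datetime(2019, 7, 26, 2, 41), "203.0.113.5", "Indonesia", "HostingCo"),
    LoginEvent(datetime(2019, 8, 7, 9, 12), "192.0.2.77", "Arizona, US", "HostingCo"),
    LoginEvent(datetime(2019, 8, 9, 10, 5), "192.0.2.78", "Arizona, US", "HostingCo"),
]
EMAILS = [
    EmailEvent(datetime(2019, 7, 22, 14, 20), "198.51.100.10", "Q3 budget review"),
    EmailEvent(datetime(2019, 8, 7, 9, 15), "192.0.2.77", "Urgent: document shared with you"),
    EmailEvent(datetime(2019, 8, 9, 10, 7), "192.0.2.78", "Invoice requires your approval"),
]
# Constructed: the first flagged detection; everything before it is the baseline.
FIRST_DETECTION = datetime(2019, 7, 26)


def baseline_profile(logins, cutoff):
    """Derive the user's normal regions and dominant ISP from logins before cutoff."""
    history = [l for l in logins if l.when < cutoff]
    regions = {l.region for l in history}
    isp = Counter(l.isp for l in history).most_common(1)[0][0]
    return regions, isp


def suspicious_logins(logins, cutoff):
    """Return (login, reasons) pairs for logins deviating from the baseline."""
    regions, isp = baseline_profile(logins, cutoff)
    flagged = []
    for l in logins:
        reasons = []
        if l.region not in regions:
            reasons.append("region outside baseline")
        if l.isp != isp:
            reasons.append("ISP differs from baseline")
        if reasons:
            flagged.append((l, reasons))
    return flagged


def link_emails_to_logins(emails, flagged):
    """Pair outbound emails with flagged logins sharing the originating IP."""
    ips = {l.ip for l, _ in flagged}
    return [e for e in emails if e.origin_ip in ips]


def longest_gap_days(flagged):
    """Largest gap between consecutive suspicious logins (the 12-day gap in the text)."""
    times = sorted(l.when for l, _ in flagged)
    if len(times) < 2:
        return 0
    return max((b - a).days for a, b in zip(times, times[1:]))


def analyse(logins, emails, cutoff):
    flagged = suspicious_logins(logins, cutoff)
    return {
        "suspicious_logins": [(l.ip, l.region, reasons) for l, reasons in flagged],
        "linked_emails": [e.subject for e in link_emails_to_logins(emails, flagged)],
        "longest_gap_days": longest_gap_days(flagged),
    }


if __name__ == "__main__":
    for key, value in analyse(LOGINS, EMAILS, FIRST_DETECTION).items():
        print(key, value)
```

On the constructed data the Indonesia login and both Arizona logins are flagged on region and ISP, the two phishing-style subjects are linked to them through the shared originating IP, and the longest gap between suspicious logins comes out at 12 days. The Texas email is left alone because its IP never appears in a flagged login, which is the distinction the article draws between anomalous and normal traffic.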
Avoiding email account takeover
Monitor account access and inbox rules
Get granular with your monitoring. Use technology to recognise suspicious activity, including logins at unusual times of day or from unusual places and IP addresses, which are potential signs of a compromised account. Track IPs that exhibit other suspicious behaviours, including failed logins and access from suspicious devices.
Also monitor email accounts for malicious inbox rules, as they are often used as part of account takeover. Criminals log in to the account, create forwarding rules, and hide or delete any email they send from the account in an attempt to cover their tracks.
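The inbox-rule review described here can be automated once rules are exported. Below is an added example, not code from the article or from any vendor; the rule records are a constructed, simplified shape (name, forwarding targets, destination folder, delete flag, match conditions) rather than a real mail platform’s schema, and the internal domain and folder names are assumptions. It flags the patterns the text calls out: forwarding outside the organisation, and hiding or deleting mail.

```python
# Constructed: the organisation's own domain. Forwards anywhere else are external.
INTERNAL_DOMAIN = "example.com"

# Folders a user rarely opens; moving mail here hides it without deleting it.
HIDDEN_FOLDERS = {"RSS Feeds", "Deleted Items", "Junk Email", "Conversation History"}

# Terms attackers commonly filter on to suppress replies or bounce notices.
SUSPICIOUS_KEYWORDS = {"undeliverable", "invoice", "payment", "wire", "password"}

# Constructed sample rules (not a real export); one benign, two suspicious,
# one internal forward that should not be flagged.
RULES = [
    {"name": "Newsletter filing", "forward_to": [], "move_to": "Newsletters",
     "delete": False, "conditions": {"from_contains": "news@"}},
    {"name": ".", "forward_to": ["drop@attacker.example"], "move_to": None,
     "delete": True, "conditions": {"subject_contains": "invoice"}},
    {"name": "Archive", "forward_to": ["assistant@example.com"], "move_to": None,
     "delete": False, "conditions": {}},
    {"name": "  ", "forward_to": [], "move_to": "RSS Feeds",
     "delete": False, "conditions": {"subject_contains": "undeliverable"}},
]


def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def rule_findings(rule, internal_domain):
    """List the reasons a single inbox rule looks like attacker tradecraft."""
    reasons = []
    if any(domain_of(a) != internal_domain for a in rule["forward_to"]):
        reasons.append("forwards to an external address")
    if rule["delete"]:
        reasons.append("deletes matching mail")
    if rule["move_to"] in HIDDEN_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder '{rule['move_to']}'")
    if not rule["name"].strip(" ."):
        reasons.append("blank or punctuation-only name")
    terms = " ".join(rule["conditions"].values()).lower()
    if any(k in terms for k in SUSPICIOUS_KEYWORDS):
        reasons.append("matches finance/security keywords")
    return reasons


def suspicious_rules(rules, internal_domain=INTERNAL_DOMAIN):
    """Return (rule name, reasons) for every rule with at least one finding."""
    found = []
    for rule in rules:
        reasons = rule_findings(rule, internal_domain)
        if reasons:
            found.append((rule["name"], reasons))
    return found


if __name__ == "__main__":
    for name, reasons in suspicious_rules(RULES):
        print(repr(name), "->", "; ".join(reasons))
```

Each finding is reported separately so an analyst can weigh them: an external forward on its own may be a legitimate assistant, whereas an unnamed rule that both forwards externally and deletes invoice-related mail is the combination the article describes. Internal forwards and ordinary filing rules produce no findings.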
Train staffers to recognize and report attacks
Educate users about spear-phishing attacks by making it part of security-awareness training. Ensure staffers can recognise attacks designed to steal login credentials and know how to report them. Use phishing simulation for email, voicemail, and SMS to train users to recognise cyberattacks, test the effectiveness of your training, and identify the users most susceptible to attacks. Help employees avoid costly mistakes by establishing guidelines that put procedures in place to confirm requests that arrive by email, including wire transfers and gift card purchases.
Use multi-factor authentication
Multi-factor authentication, also known as MFA, two-factor authentication, or two-step verification, adds a layer of security beyond username and password, such as an authentication code, thumbprint or retinal scan.
Take advantage of artificial intelligence
Scammers are adapting their email tactics to bypass gateways and spam filters, so it’s critical to have a solution in place that detects and protects against spear-phishing attacks, including business email compromise and email account takeover. Deploy purpose-built technology that doesn’t rely solely on looking for malicious links or attachments. Using machine learning to analyse normal communication patterns within your organisation allows the solution to spot anomalies that may indicate an attack.
Deploy account-takeover protection
Some of the most devastating and successful spear-phishing attacks originate from compromised accounts. Make sure scammers aren’t using your organisation as a base camp to launch these attacks. Deploy technology that uses artificial intelligence to identify when accounts have been compromised and that remediates in real time by alerting users and removing malicious emails sent from compromised accounts.