By now phishing attacks, in which an attacker impersonates trusted organisation to obtain sensitive information, are familiar to many internet users. However, what if the attack came from a trusted boss, colleague or friend? What if they engaged in a dialogue and were able to recall details of previous email exchanges? In this case, it becomes far harder for an attacker to be spotted.
This type of attack is known as an account takeover, and is on the rise. Similar to phishing, attackers gain access to accounts by tricking users into sharing their username and password. Once in, attackers posing as legitimate users already have the trust of those within the users’ network, and may slip through security systems without raising the same red flags as some other types of attack – that is, until it’s too late.
From here, they are able to access sensitive information and target other users within the organisation, with 78% of account takeovers led to phishing attacks, according to Barracuda Networks.
According to a survey by Javelin, in 2017, account takeover attacks led to over $5.1bn in losses, making them a serious area of concern for organisations.
Verdict spoke to Hatem Naguib, COO of IT security company Barracuda Networks, who has almost 30 years’ experience in the IT industry, on how to stop this type of attack in its tracks, and the tools needed to combat future threats.
Ellen Daniel: How has Barracuda Networks moved into the area of account takeover protection?
Hatem Naguib: “We started off by identifying spear phishing attacks, which were very specific to social engineering. So people would be using email and be communicating with each other… scooping somebody like the CFO or the CEO, I could immediately gain access to credentials, financial information or IP.
“So we built a solution called Sentinel, which goes through a customer’s environment, in their inbox specifically, and is able to create a set of patterns around what types of emails are normally sent by who, when do they talk about money, the time of the day, the tone, dozens of characteristics that would all be alerted back to a machine learning model that should determine and predict this is a spear phishing attack.
“As we’ve been getting this corpus of data around what we’re seeing, we recognised that we can also identify account takeovers. The same way I can tell when an email comes from the outside, that it’s not really the CEO, I can also tell when your inbox start exhibiting behaviour that’s not you.”
ED: What are the characteristics of an account takeover attack?
HN: “What tends to happen in account takeovers is that the attacker will basically assume the identity of the person so it will be you in the environment, no one will be able to tell at all that it’s not you because I’ve gotten the Office 365 credentials. And I’ll start slowly sending out emails so that I can get better confidence and trust. I usually go to high-value targets who immediately recognise it’s me sending the email, and then through that I’ll be able to gain access to whatever I want, potentially financial information.
“We’re able to identify it and stop it and then create a mechanism by which we can clean up from those attacks. There were interesting characteristics we were finding in the account takeover attacks. They seem to fall into two macro categories. One is the more manual, I would say more individually driven. And the other is a more brute force-type attack.”
ED: Where are these attacks coming from?
HN: “The more manual types of attacks seem to be coming from Nigeria, India, and Malaysia. And the more automated brute force-type of attacks seem to be coming from China, Russia and Brazil.
“Not that I have the data, but [manual attacks] seem to be more individually driven, while these [automated attacks] seem to be more a group of people, basically performing this and then being able to send out a million emails and if I just get the one I’ve got what I need.”
ED: What are the motivations behind account takeovers?
HN: “It’s usually money. But now when you see more nation state type of involvement, obviously then I can gain access to intellectual property. And gaining access to intellectual property I think really does motivate a lot of capabilities around corporate companies and competition.
“Then the third category I would say is, I think, more nefarious intentions around social engineering. If I could fake Twitter accounts, and I could fake Facebook accounts, and then I can create content around those fake accounts, as we saw in the recent elections, that can actually change outcomes at a much more macro level. And account takeovers are perfect for that.”
ED: What are some signs that people should look out for their account might have been a victim of this?
HN: “Typically the machine learning model will look for a large number of emails being sent out simultaneously…Is the email coming from outside of where it normally would come from? You were in San Francisco two weeks ago, it’d be okay for that access to be coming from there. You weren’t in China or India or Nigeria. That could be an indication.
“A lot of customers don’t have the sophisticated tools to determine where things are coming from, to be able to identify whether that identity is a challenge. And then the pattern of email becomes, I think, the most obvious thing. But people don’t pick that up relatively quickly.
“You don’t typically send emails to accounting, asking what’s the cutoff time for purchase orders; that’s not what you would typically do. So you would be able to pick up that that’s a pattern where this person is now talking about money. They don’t typically do that. We should stop those emails and identify this as an account takeover.”
ED: How do you balance ease of use for genuine users and ensuring that the attackers are getting in?
HN: “It’s a perpetual challenge…As frustrating as it is for somebody to have a false positive, which means that you meant that email to go, and you’re surprised that the system gets caught. There’s also the concern of why did this one get through? We always get the call from the customer saying, ‘well, this one got through, couldn’t you have caught this?’ And I’m always saying ‘we can turn this thing on full, and then nothing gets through, because everything will start looking like a spear phishing attack’. So you’ve always got to kind of create that key balance.”
ED: Once an account takeover has occurred, what is the process for resolving it?
HN: “Our job is really to do two things. One, identify the account and notify the individuals. We’ve also focused a lot of our attention on preventing it from happening in the first place. So if an account takeover has occurred, we will lock that account and we make sure that doesn’t continue.
“And then we’ve added new solutions in place called forensics and incident response, which will automate the cleanup of all of the inboxes in your environment, based upon the fact that an attack has occurred. Because one of the biggest challenges for an administrator, is that once it gets in and it starts spewing other emails in the environment, you’ve got hundreds of emails sitting in people’s inboxes, some open some not open that then catalyse to being the next level of the attack. And they’ll spend weeks writing scripts to find these things and pull them out. So we’ve automated the cleanup of that.
“And then the fourth level is we’ve invested in user awareness training. So we have security training products that we sell to our customers which help educate and find the 4% of employees who will always click on that link.”
ED: Looking to the future, how do you think that attackers capabilities are going to improve? And then in turn, what does the response need to be?
HN: “It’s obvious that as we become more digital and the world around us becomes more digital, everything I need to know about you I could probably get on some level of social media. So even though I could spoof your email, it’s not far-fetched that I could spoof you or your voice. I could get videos of you making conversations and then I could create more and more types of simulations that allow me to leverage you as an individual identity to gain access to what I need to do.
“We’ve already started seeing CEOs getting spoofed, or executives getting spoofed in that way. I think there’s also the fact that everything becomes connected. So it’s just a lot easier to weaponise individual pieces of luggage or internet of things components. So I think that becomes another aspect and many of those attacks are relatively simple and are meant to create distractions for the more target rich environments.
“Ultimately, as we use AI and machine learning to protect ourselves from a security perspective, you will see more and more of that becoming part of the arsenal that attackers can use.”