Another day, another type of phishing attack. Conversation hijacking is the new kid on the phishing block, a threat category that never seems to tire. While still relatively rare, conversation hijacking attacks are on the rise, and alarmingly so: research by Barracuda Networks identified a 400% increase in conversation hijacking between July and November 2019. Cyber criminals use this attack style to swindle employees into transferring money, or to trick them into sharing credentials, divulging insider information, or installing malware. Given the stakes, it's important for the workforce to be able to recognise a conversation hijacking attack as it happens.
How do the attacks work?
Conversation hijacking attacks are similar to the email phishing attacks we have grown familiar with, in that the target receives an email crafted with malicious intent. Conversation hijacking, however, brings more sophistication to the table. The attacker first gains access to real employee email threads, often between colleagues who know and trust one another. Usually that access comes from credential theft: a compromised mailbox. Attackers are unlikely to send the malicious email from the compromised account itself, because the account owner could spot it in their sent folder. Instead, they register a look-alike domain that differs from the real one by a character or two (a typo they hope the target will not notice) and send from there, posing as one of the employees in the conversation. This is where the extra sophistication comes in: to make a malicious attachment or a request for information appear credible, the attacker tailors the message so that it fits the thread. Because they have read the entire exchange, they can quote it, pick up where it left off, and match the tone of the person they are impersonating. The email looks so legitimate that the recipient may be none the wiser, act on the request, and the attack succeeds. The one tell is small: the sender address no longer matches the one used earlier in the thread.
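The tell described above, a reply inside an existing thread whose sender domain is a near-miss of the real one, can be checked mechanically. The following is an added example written for this article, not code from the original page or from any vendor it mentions. The trusted-domain list, the table of look-alike character substitutions and the two sample messages are all constructed assumptions for illustration.

```python
"""Spot a look-alike sender domain in a reply to an existing email thread.

Added example for this article (not the page's or any vendor's code).
TRUSTED_DOMAINS, CONFUSABLES and the sample messages are assumptions.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domains this organisation and its known partners send from.
TRUSTED_DOMAINS = {"example.com", "partner-example.org"}

# Assumption: a short table of substitutions seen in typo-squatted domains,
# mapping the fake spelling back to the character it imitates.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(domain: str) -> str:
    """Lower-case a domain and fold common look-alike characters back."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small enough to inline rather than import."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(domain: str, trusted=TRUSTED_DOMAINS) -> bool:
    """Exact match or a genuine subdomain (mail.example.com) counts as trusted."""
    d = domain.lower()
    return any(d == t or d.endswith("." + t) for t in trusted)


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None."""
    d = domain.lower()
    if is_trusted(d, trusted):
        return None
    for t in sorted(trusted):
        # Confusable folding catches examp1e.com; a distance of <= 2 catches
        # exampel.com or example.co.
        if normalise(d) == normalise(t) or edit_distance(d, t) <= 2:
            return t
    return None


def domain_of(header_value: str) -> str:
    """Extract the domain from a From/Reply-To header value."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def check_message(raw: str) -> dict:
    """Flag a message that replies into a thread from a look-alike sender."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", "")) or from_domain
    in_thread = bool(msg.get("In-Reply-To") or msg.get("References"))
    reasons = []
    mimicked = lookalike_of(from_domain)
    if mimicked:
        reasons.append(f"From domain {from_domain!r} looks like trusted {mimicked!r}")
    if reply_domain != from_domain and not is_trusted(reply_domain):
        reasons.append(f"Reply-To {reply_domain!r} diverts replies outside trusted domains")
    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "in_thread": in_thread,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample messages (assumptions, not real traffic).
LEGIT = """From: James Smith <james.smith@example.com>
To: anna@example.com
Subject: Re: Q3 supplier payment
Message-ID: <2@example.com>
In-Reply-To: <1@example.com>

Thanks Anna, invoice attached as discussed.
"""

HIJACKED = """From: James Smith <james.smith@examp1e.com>
Reply-To: james.smith@examp1e.com
To: anna@example.com
Subject: Re: Q3 supplier payment
In-Reply-To: <1@example.com>
References: <1@example.com>

Anna, following on from the thread below: the supplier has changed bank
details, please use the new account for the Q3 payment.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("hijacked", HIJACKED)):
        print(label, check_message(raw))
```

A real mail gateway would compare the sender against the addresses seen earlier in the same thread rather than a fixed list, and would treat a look-alike domain plus an `In-Reply-To` header as a stronger signal than either alone, but the shape of the check is the same.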
What is the best way to mitigate the risk?
A recurring theme in cybersecurity is that businesses must educate their workforce. Cybersecurity is an enterprise-wide effort, and attackers will single out less tech-savvy employees to exploit. That education, however, must be delivered carefully: employees should be made aware of conversation hijacking without becoming fearful of their own inbox. Businesses should instead work on a culture shift that equips employees with concrete steps to take. The workforce should be encouraged to validate any unusual request on a different communication channel, using contact details already on record rather than any supplied in the email itself. For example, if James in human resources emails Anna in marketing to ask for her bank details, Anna should call, instant message, or even pop in to see James to confirm that request. At the same time, companies should discourage lengthy email discussion of sensitive business information (deals and the like), so that if an account is compromised the attacker cannot take much away. The substance of such matters can instead go in password-protected documents attached to the thread, with the password shared on a separate channel. Finally, it never hurts to make sure staff are clued in on password best practices. Despite the technical nature of this threat, much of it can be mitigated simply through better habits.
Next, check out our Ask the Expert with Peter Ruffley at Zizo Software.