A new report published by Barracuda Networks warns that the number of account takeover (ATO) incidents involving compromised email credentials is starting to rise.
A three-month study of 50 randomly selected organizations found that in each month, four to eight organizations reported at least one ATO incident, for a total of 60 ATO incidents. On average, each incident led to at least three further account takeovers, in which either the same or different employees’ accounts were used for nefarious purposes.
Asaf Cidon, vice president of email security for Barracuda Networks, said cybercriminals are attempting to hijack email accounts for a variety of reasons. Attacks are being launched, he said, to bypass phishing detection tools, sell credentials on the black market and discover other credentials in an organization that can be compromised using data discovered in, for example, an email system.
Out of the 60 incidents analyzed by Barracuda Networks, 78 percent resulted in phishing emails to compromise additional internal and external accounts. The email usually impersonates the employee and asks the recipient to click on a link. The attackers sometimes made the email appear as if the employee is sending an invitation to a link from popular web services, such as OneDrive or DocuSign. Another 17 percent of incidents involved spam campaigns. Only 5 percent of incidents involved asking an email recipient to download an attachment.
Cidon said this data suggests ATO attacks will become a significantly larger problem in the years ahead. Cybercriminals are becoming more adept at employing a variety of means to capture credentials, which can enable them to steal data for months at a time. The only real countermeasure, he said, is to use artificial intelligence (AI) to analyze whether emails that originate from within the organization are phishing attacks.
Cidon also recommends organizations invest more time and effort in training employees to recognize phishing attacks that might originate from both outside and inside the organization. To make it easier to achieve that goal, Barracuda Networks has launched Barracuda Total Email Protection, which combines its core email security software with an AI-based cloud service for analyzing emails and a phishing simulation platform delivered as a software-as-a-service (SaaS) application.
When it comes to phishing simulation, Cidon noted it’s important to employ gamification techniques that drive positive reinforcement versus merely punishing employees for failing to recognize a phishing attempt.
It’s too early to say what impact a spike in compromised email credentials might have. Today a large number of business processes are wrapped around email. At the same time, many organizations have been embracing platforms such as Slack to reduce their dependencies on email. Alas, those systems also rely on passwords that can be compromised.
Of course, there are multiple initiatives underway to eliminate the need for passwords, including two-factor authentication and biometrics. But existing applications that rely on passwords to verify identity are not going away anytime soon. It would take a decade or more to retire all the legacy applications in place that employ passwords. That would suggest that most organizations would be well-advised to invest in some password manager software at the very least.