Barracuda Networks Report Shows Spike in Bait Attacks

A report published by Barracuda Networks this week finds 35% of 10,500 organizations analyzed were targeted by at least one bait attack in September 2021, with an average of three distinct mailboxes per company receiving one of these messages.

Bait attacks, also known as reconnaissance attacks, are attempts to gather information that can be used to plan future targeted phishing attacks. These attacks usually manifest themselves in the form of emails that have very short or even empty content. The goal is to either verify the existence of the victim’s email account—by not receiving “undeliverable” messages—or to get the victim involved in a conversation that might lead to leaked credentials or even a money transfer.

Mike Flouton, vice president of product management for Barracuda Networks, said these types of attacks are difficult for email gateways and legacy anti-phishing tools to identify because they barely include any text and usually don’t include obviously malicious links.

Attacks will also typically use fresh email accounts from free services, such as Gmail, Yahoo or Hotmail, to send messages from accounts that have not yet been identified as a source of phishing attacks, noted Flouton. Essentially, attackers are relying on low-volume sending behavior to get past any bulk or anomaly-based detectors, he added.

Flouton said the only way to effectively thwart these attacks is to rely on detectors that make use of machine learning algorithms and other forms of artificial intelligence (AI), such as computer vision, to examine messages and make correlations across multiple sources such as communication graphs and reputation systems.
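As an added illustration, not code from the report or from any Barracuda product, the following Python scores an inbound message on the signals the article describes: a near-empty body with no links, a sender on a free webmail domain, no prior correspondence with the sender (a stand-in for the communication graph) and low sending volume (a stand-in for reputation). The weights, the threshold and the two sample messages are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Free webmail providers named in the report; extend for your environment.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
URL_RE = re.compile(r"(https?://|www\.)", re.IGNORECASE)
BAIT_THRESHOLD = 6  # assumed cut-off; tune against your own mail flow


def _plain_text(msg):
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks).strip()


def score_bait(raw_message, known_contacts, sender_volume):
    """Score one RFC 822 message string; returns (score, reasons).
    known_contacts stands in for the communication graph, sender_volume for reputation."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    domain = sender.rpartition("@")[2]
    body = _plain_text(msg)
    has_attachment = any(part.get_filename() for part in msg.walk())
    checks = [  # (signal fired?, weight, reason)
        (len(body.split()) <= 5, 3, "near-empty body"),
        (not URL_RE.search(body) and not has_attachment, 1, "no links or attachments"),
        (domain in FREE_WEBMAIL, 2, "free webmail sender"),
        (sender not in known_contacts, 2, "no prior correspondence"),
        (sender_volume.get(sender, 0) <= 2, 1, "low-volume sender"),
    ]
    score = sum(weight for hit, weight, _ in checks if hit)
    return score, [reason for hit, _, reason in checks if hit]


def is_bait(raw_message, known_contacts, sender_volume):
    return score_bait(raw_message, known_contacts, sender_volume)[0] >= BAIT_THRESHOLD


# Constructed samples: a one-word probe from a fresh Gmail account versus a
# terse reply from a colleague the mailbox already talks to.
BAIT_SAMPLE = "From: Dana <dana.smith9431@gmail.com>\nSubject: Hi\n\nHi\n"
COLLEAGUE_SAMPLE = "From: Pat Lee <pat.lee@example.com>\nSubject: Re: deck\n\nThanks, got it.\n"
KNOWN_CONTACTS = {"pat.lee@example.com"}
SENDER_VOLUME = {"pat.lee@example.com": 40}
```

The colleague's reply is just as short as the probe, yet it scores below the threshold because the sender is known and high-volume; that is the correlation across sources the article argues single-message filters cannot make.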

In addition, there should also be automated processes in place to remove these emails from inboxes before they are opened, he added.

Finally, organizations should also train end users to recognize bait attacks as part of any anti-phishing training program, said Flouton.

Defending against attacks that are launched by humans is always going to be more difficult than thwarting attacks launched by machines that typically have an easily identifiable signature. Many malicious actors are well-versed in how to exploit the trusting nature of individuals. Arguably, these types of attacks are just another instance of a con game that criminals have been employing since the invention of the telegraph. It’s just easier to target victims at scale using email instead of, for example, using the phone to convince someone to electronically transfer funds. In fact, with the rise of deep fakes, it may become even easier for cybercriminals to perpetrate these scams by sending videos that appear to be a message from a well-known CEO or celebrity. In effect, cybersecurity teams are once again engaged in a technology arms race with cybercriminals who have nearly unlimited financial resources.

On the plus side, however, as cloud computing resources continue to become less expensive to employ, the tools cybersecurity teams can access are becoming infused with AI capabilities that can identify a wide range of threats at an unprecedented level of scale. Those capabilities don’t eliminate the need for cybersecurity professionals as much as they simply level a playing field that, today, is decidedly tilted in favor of the cybercriminal.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
