Hackers Get Personal with Phishing and Conversation Hijacking Attacks

March 22, 2018

CHAs undermine user awareness prevention measures and put the user--and, by extension, their entire organization--in a very precarious position.

By now, most of us know you should never click on links or attachments in unsolicited emails, as this is a common method for distributing malware infections. But what happens when the attackers undermine that security measure? When the attachment comes as an actual reply to a conversation you were just having with an associate at an organization you know and trust? This type of attack undermines user awareness prevention measures and puts the user–and, by extension, their entire organization–in a very precarious position.

That’s what makes the current trend of Conversation Hijacking Attacks–or CHAs–so disturbing and one that deserves some serious consideration.

What is a Conversation Hijacking Attack?

A CHA begins with the attackers sending a slew of emails that lead the end user to a well-crafted phishing page. From there, end users are instructed to select their email provider of choice. Once they do they are led to another page where their login credentials are gathered.

Now that the attackers have gathered credentials for thousands of email accounts, they launch attacks from those accounts by logging in and sending “replies” to prior conversations in that user’s inbox. These are mostly just a vague response to the last message of an ongoing thread with something like “please look this over” in the body and a malware attachment, which usually takes the form of a Word document with an embedded VBA macro.

Of course, even the most cautious and vigilant of users are far more likely to open an attachment delivered in this manner than one coming from an unknown source.

The attack chain ultimately leads to an end user–and potentially the end user’s network–being infected with some form of banking trojan. The majority of samples we’ve analyzed in these attacks have displayed Gozi banking trojan indicators, while some also have exhibited Emotet indicators (another banking trojan). While the payload may differ, one thing is clear: These attackers have financial and data theft in mind.

The Trend Continues …

We began seeing this type of attack really ramp up mid-year of 2017, and the attacks have certainly sustained into current day. Throughout this time we have seen the attackers alternate their efforts between gathering credentials with phishing emails and leveraging those compromised accounts with the malware delivery phase. Since the beginning of 2018 we have seen tens of thousands of malicious CHA message’s hitting AppRiver’s filter.

What to Do about It

Protecting your organization from such an attack can seem somewhat daunting, and some may not know where to start. As with many other cyber-threats today, it is best to remember that there is no single solution to protect yourself. Instead remember, that you will need to take a multi-layer security approach to fortify your defenses.

A Few Pointers to Get You Started

Implement additional security at the email level. This might include adding additional filtering or tightening down existing filters.
Consider banning macro-enabled documents inbound to your entire organization as they are very commonly used to deliver infections. If you need to receive them legitimately, then you can easily develop protocols for that.
Since this attack tends to trick some of the savviest users, you should educate your employees about these attacks.

Troy Gill, GPEN, is a Senior Security Analyst at AppRiver. Gill is primarily responsible for evaluating security controls and identifying potential risks. He provides advice, research support, project management services, and information security expertise to assist in designing security solutions for new and existing applications.