Lateral Phishing Is on the Rise–Are Your Customers Protected?
Account takeover (ATO) attacks, in which cyber criminals steal email credentials, continue to grow, and attackers are developing new techniques to skirt traditional spam and malware filters. One such approach is lateral phishing, and recent research from Barracuda Networks indicates that the threat is increasing.
In a lateral phishing scheme, attackers use compromised email accounts to send phishing emails to the victim’s close contacts or other potential targets in the organization or business.
Like other ATO attacks, lateral phishing leverages the use of a real email address; the fact that the email is coming from a trusted domain and sender causes the attack to spread. Recently, Barracuda teamed up with UC Berkeley and UC San Diego to discover this new and growing type of account takeover attack.
As part of this study, the researchers looked at a recent attack on a higher education institution. During the attack, a student clicked on a fake security incident email. This allowed the attackers to capture the student's email address and password, giving them access to the student's Office 365 Outlook account. The attackers then sent hundreds of internal phishing emails to other students, faculty and staff, which resulted in the theft of passwords for dozens of different accounts. The attackers used those accounts to send phishing campaigns to thousands of recipients in external organizations, including banks, healthcare companies and government institutions.
Because the email came from the school's domain, third-party email providers treated it as trusted. According to the researchers, this is also why the email was not flagged as spam or phishing, and it is presumed that this led to even more compromised accounts.
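The case above shows why sender-reputation filtering fails against lateral phishing: the mail is legitimately internal, so the detection signal has to come from the sender's behaviour instead. The script below is an added example, not code from Barracuda or the report; it assumes a constructed mail-gateway log format and hypothetical names, and flags any internal account whose fan-out to distinct internal recipients within a short window jumps to the "hundreds of internal emails" pattern described above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example): <ISO timestamp> from=<sender> to=<recipient> subject=<text>
LINE_RE = re.compile(r"^(?P<ts>\S+) from=(?P<frm>\S+) to=(?P<to>\S+) subject=(?P<subj>.*)$")

def build_sample_log():
    """Constructed sample: normal traffic, then one account blasting a lure internally."""
    lines = [
        "2019-03-04T09:00:12 from=alice@example.edu to=bob@example.edu subject=lab notes",
        "2019-03-04T09:05:40 from=alice@example.edu to=carol@example.edu subject=re: lab notes",
        "2019-03-04T10:02:01 from=dave@example.edu to=erin@example.edu subject=lunch?",
        "2019-03-05T11:30:00 from=alice@example.edu to=partner@bank.example subject=invoice",
    ]
    for i in range(40):  # the hijacked account hits 40 distinct colleagues in under 4 minutes
        lines.append(f"2019-03-05T14:{i // 10:02d}:{(i % 10) * 6:02d} from=alice@example.edu "
                     f"to=user{i:02d}@example.edu subject=Security incident: verify your account")
    return "\n".join(lines)

def parse(log_text):
    """Return (timestamp, sender, recipient, subject) tuples; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["frm"], m["to"], m["subj"]))
    return events

def detect_lateral_bursts(events, window=timedelta(minutes=10), min_recipients=20,
                          internal_domain="example.edu"):
    """Flag internal senders reaching >= min_recipients distinct internal recipients in any sliding window."""
    suffix = "@" + internal_domain
    by_sender = defaultdict(list)
    for ts, frm, to, subj in sorted(events):
        if frm.endswith(suffix) and to.endswith(suffix):  # internal-to-internal traffic only
            by_sender[frm].append((ts, to, subj))
    alerts = {}
    for sender, msgs in by_sender.items():
        start = 0
        for end in range(len(msgs)):
            while msgs[end][0] - msgs[start][0] > window:  # slide the window forward in time
                start += 1
            span = msgs[start:end + 1]
            recipients = {to for _, to, _ in span}
            if len(recipients) >= min_recipients and len(recipients) > alerts.get(sender, {}).get("recipients", 0):
                alerts[sender] = {"recipients": len(recipients), "window_start": msgs[start][0],
                                  "subjects": {s for _, _, s in span}}  # one lure subject is a strong tell
    return alerts
```

Thresholds here are illustrative; in practice the fan-out limit should be derived from each sender's own history so that a mailing-list owner is not flagged while a normally quiet student account is.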
An Expanding Phishing Threat
As part of its study with UC Berkeley and UC San Diego, Barracuda also found that one in seven organizations has experienced a lateral phishing attack during the past seven months. Of those, more than 60% had multiple compromised accounts. Others had dozens of compromised accounts that sent additional lateral phishing attacks to other employees and other businesses. According to the Barracuda report, “Researchers identified 154 hijacked accounts that sent hundreds of lateral phishing emails to more than 100,000 unique recipients.”
A particularly alarming aspect of lateral phishing is the scale of potential victims. While roughly 40% of the 100,000 recipients