Barracuda Researchers Say Hackers Know Their Targets, Getting Smarter

Hackers are designing their attacks for specific targets and striking at just the right time, according to Barracuda researchers.

In their latest report, Barracuda researchers identify 13 email threat types facing organizations today. They also outline ways cybercriminals are adapting quickly to current events and new tactics.

The 13 email threat types are: spam, malware, data exfiltration, scamming, URL phishing, spear phishing, domain impersonation, brand impersonation, extortion, business email compromise (BEC), conversation hijacking, lateral phishing and account takeover.

Among the report’s findings:

• BEC makes up 12% of the spear-phishing attacks analyzed, an increase from just 7% in 2019.
• Seventy-two percent of COVID-19-related attacks are scamming. In comparison, 36% of overall attacks are scamming. Attackers prefer to use COVID-19 in their less-targeted scamming attacks that focus on fake cures and donations.
• Thirteen percent of all spear-phishing attacks come from internally compromised accounts. So organizations need to invest in protecting their internal email traffic as much as they do in protecting from external senders.
• Seventy-one percent of spear-phishing attacks include malicious URLs. But only 30% of BEC attacks included a link. Hackers using BEC want to establish trust with their victim and expect a reply to their email. And the lack of a URL makes it harder to detect the attack.

BEC Attacks Succeeding

Don MacLennan is senior vice president of engineering and product at Barracuda. He said the increase in BEC attacks by itself might not be surprising, but it is telling.

Barracuda’s Don MacLennan

“These type of attacks are growing in popularity because they are successful,” he said. “Account takeover is a big issue for many organizations. When hackers get in, they use legitimate email accounts as a launch pad for their attacks — some sending a large volume of spam, others more sophistication targeted attacks.”

Hackers spend time researching organizations and their victims prior to BEC attacks, MacLennan said.

“Time and effort invested means that they often target very few individuals with a personalized message,” he said. “They use popular email services like Gmail to send out messages impersonating employees or vendors. These messages often have no malicious payload in a form of URL or attachment. There is nothing obviously malicious about the attacks that will trigger gateway filters and policies.”

The fact that many organizations have not set up domain-based message authentication, reporting and conformance (DMARC) enforcement allows hackers to spoof legitimate domains, MacLennan said. That makes it even harder for fraudulent email to be detected.

“If successful, these attacks can yield hundreds of thousands, if not millions, of dollars for hackers,” he said.

COVID-19 Related Attacks

Barracuda researchers still see COVID-19-related attacks, but the number has leveled off since the sharp increases last spring.

“Most of these attacks are scamming, which are spam-like messages, less targeted in their nature,” MacLennan said. “It does look like hackers’ interest has peaked when it comes to COVID-19, not surprising because they follow current events and the latest news. So businesses should be paying attention to any vaccine-related fraud right now.”

Every year, attacks become more targeted and sophisticated in nature, he said. And because of this, they are increasingly difficult to detect.

“Hackers go to great lengths by registering typo-squatted domains, compromising email accounts, carefully researching their victims’ business partners, etc.” MacLennan said. “Attacks are increasingly deceiving with one not like the other.”

MSSPs Can Help

User security training and phishing simulation campaigns are two ways in which MSSPs can provide a value-added service to their customers in terms of protecting against these attacks, MacLennan said.

“Some attacks do get through, especially BEC attacks,” he said. “When they do get through and are reported by users, businesses should act fast to remediate and remove malicious messages. MSSPs can use automated remediation tools to help business manage their inboxes, investigate and remediate any reported emails.”

Another example is using AI-based technology to protect against sophisticated attacks, McLennan said. Gateway defense is necessary, but not enough on its own.

“MSSPs can help their customers set up DMARC enforcement,” he said. “Many organizations are afraid of DMARC because it appears to be complex. However, it’s not if you have right tools, DMARC reporting and analysis. Providing managed services around DMARC enforcement and management could be a great additional revenue stream for MSSPs. Further, they should consider introducing customers to multifactor authentication (MFA), which is the first step in protecting accounts from compromise.”