University of California Berkeley, University of San Diego, and Barracuda Networks conducted a recent study, which showed the increasing threat of lateral phishing to healthcare organizations.
In a typical phishing attack, the attacker sends an email with an embedded hyperlink going to a malicious web page that harvests login credentials . The emails include a bait to get a click from the recipients. That bait is usually customized to the company being attacked. It is rather easity to recognize these phishing emails and block since an attacker from outside the organization sends the emails.
The second stage of the phishing attack is called lateral phishing. Once the attacker got access to an email account, he/she sends phishing emails to other company employees and/or companies and people listed in the contacts of the email account.
This strategy is quite effective. Even when employees look out for emails sent from unknown senders, when they receive an email from someone within the organization that normally corresponds with them through email, it is very likely that they will take action on that email request.
Lateral phishing is one type of email account takeover attaacks, of which Business Email Compromise (BEC) is a common example. With BEC, the purpose of the attacker is to gain the CEO’s credentials. The attacker then uses the account to request falsified wire transfers. Lateral phishing is mainly involves credential theft and not financial fraud. The intention is to access the most number of accounts possible inside an organization.
The researchers of the study examined phishing and lateral phishing attacks in 100 companies and determined the techniques being utilized, the complexity of the attacks, and which strategies were the most effective.
1 in 7 of the companies examined had encountered a lateral phishing attack and there were 180 lateral phishing attacks identified. 11% of the attacks had more employee email accounts within the company compromised. The researchers observed that in 42% of incidents, the IT department or security group did not get any report about the lateral phishing emails, which may indicate that an account breach is still undiscovered and the attacker may still be using the compromised email.
The target of 55% of the attacks are individuals who have a private or work relationship with the organization and nearly all emails were routed during normal working time.
The attackers adopted four primary strategies when attacking. 45% of attacks send generic phishing messages with baits like “account problem” and “shared report.” 63% of all lateral phishing emails included very common messages. 30% send refined emails and 7% send very targeted emails.
In 29% of attacks, the attackers use the email account to send out customized messages to close and latest contacts. 25% of attacks concerned sending emails to a few to hundreds of workers. Just 1% of attacks involved business associates of the company.
In 31% of incidents|events, the phishers make use of stealth techniques to put realism in their activities and avert detection. It is typical to remove email messages from the sent folder in the accessed account to make sure that the account owner cannot detect them. The researchers discovered the deletion of emails even from the recipient’s email account. This strategy was employed in 19.5% of hijacked email accounts. In 17.5% of instances, the attackers replied to the message of the phishing email recipient to make the request appear genuine.
Protecting against these attacks calls for a three-pronged strategy:
- Employee training on security awareness particularly the threat of phishing from inside the organization.
- Two-factor authentication so that even if credentials are compromised, the attackers cannot remotely access an email account.
- Investing in innovative detection strategies and solutions that could identify and remove phishing emails before reaching the user’s inbox.