In conversation-hijacking attacks, hackers infiltrate real business email threads by exploiting previously compromised credentials –perhaps purchased on dark web forums, stolen or accessed via brute force attacks – before inserting themselves into the conversation in the guise of one of the group.
"Once they gain access to the account, attackers will spend time reading through conversations, researching their victims and looking for any deals or valuable conversations they can insert themselves," Olesia Klevchuk, senior product manager for email security at Barracuda Networks, said.
The idea is that by using a real identity and by mimicking the language that a person uses, the phishing attack will be viewed as coming from a trusted colleague and is thus much more likely to be successful.
Cybercriminals are leaning hard on this attack technique as a means of compromising businesses, according to new research from Barracuda Networks. Analysis of 500,000 emails showed that conversation hijacking rose by over 400% between July and November last year.
While conversation-hijacking attacks are still relatively rare, the personal nature means they're difficult to detect, are effective, and potentially very costly to organizations that fall victim to campaigns.
For cybercriminals conducting conversation-hijacking attacks, the effort involved is much greater than merely spamming out phishing emails in the hope that a target clicks, but a successful attack can potentially be highly rewarding.
In most cases, the attackers won't directly use the compromised account to send the malicious phishing message – because the user could notice that their outbox contains an email that they didn't send.
However, what conversation hijackers do instead is attempt to impersonate domains, using techniques like typo-squatting – when a URL is the same as the target company, save for one or two slightly altered changes.
But by using a real name and a real email thread, the attackers are hoping that the intended target won't notice the domain is slightly different and that they'll follow the request that's coming from their supposed contact, perhaps a colleague, customer, partner or vendor.
In some cases, it's been known for conversation hijackers to communicate with their intended victims for weeks to ensure that trust is built up.
At some point, the attacker will make their move and try to trick the victim into transferring money, sensitive information, or potentially installing malware.
"These attacks are highly personalized, including the content, and therefore a lot more effective. They have the potential of a huge payout, especially when organizations are preparing to make a large payment, purchase, or an acquisition," said Klevchuk.
"There is a great chance that someone will fall for a conversation-hijacking attack over a more traditional type of phishing," she added.
However, while conversation-hijacking attacks are more sophisticated than regular phishing attacks, they're not impossible to spot. Users should pay attention to the email address a message is coming from and be suspicious if the domain is slightly different compared to what they're used to seeing.
Users should also be wary of sudden demands for payments or transfers and, if there's doubt about the origin of the request, they should contact the person requesting it, either in person, by phone, or by starting a new email to their known address.
Organizations can also protect their employees from these attacks by implementing two-factor authentication, because by adding this extra layer, even if login credentials are stolen, attackers can't use them to conduct further attacks.