Researchers from Barracuda and UC Berkeley, conducting a large-scale analysis of email account takeover and the timeline of attacks, recently highlighted the behaviors hackers are using to try to avoid detection, ways to identify suspicious activity that could indicate an email account has been compromised, and precautions you can take to protect your business.
Among the key findings:
- Attacks are spread out over a period of time; they don’t always happen as soon as the account is compromised
- Attackers are getting smarter about geography; they send phishing emails and perform other actions from IPs tied to similar regions and countries of the hacked account
- IP addresses and ISPs provide important clues; attackers tend to use anonymous IPs belonging to ISPs that are different from the hacked account’s provider
Here’s a closer look at account takeover, including a detailed timeline analysis and what it reveals about the evolving tactics of cybercriminals, as well as best practices and solutions to help detect and block attacks.
Highlighted Threat
Email Account Takeover – Cybercriminals use brand impersonation, social engineering, and phishing to steal login credentials and access an email account. Once the account is compromised, hackers monitor and track activity to learn how the company does business, the email signatures they use, and the way financial transactions are handled, so they can launch subsequent phishing attacks, including harvesting financial information and additional login credentials for other accounts.
The Details
Hackers execute account-takeover attacks using a variety of methods. In some cases, hackers leverage usernames and passwords acquired in previous data breaches. Due to the fact that people often use the same password for different accounts, hackers are able to successfully reuse the stolen credentials and gain access to additional accounts. Hackers also use stolen passwords for personal emails and use access to that account to try to get access to business email. Brute-force attacks are also used to successfully take over accounts because people use very simple passwords that are easy to guess, and they don’t change them often enough. Attacks also come via web and business applications, including SMS.
To provide a detailed timeline analysis of an account-takeover attack, researchers used a combination of Barracudas’ artificial intelligence (AI) detectors to compile a list of users whose accounts were compromised in August 2019. Researchers chose one compromised account, referred to as User X, and analyzed the Microsoft Azure login properties and email activity around the time of the first sign of potential compromise. In addition to the data from Barracuda’s detectors, researchers had access to the raw emails, including the subject line, body content and originating IP address, as well as the Microsoft applications that had been used, including the IP address, time of login and operations performed.
This timeline looks at suspicious activity on User X’s account during the three weeks around the first flagged detection, evaluating three characteristics of each event: the date and UTC time, the state and country where activity originated, based on geolocation of the IP address, and the operation performed.
The Attack Timeline
Date and Time Location Operation
2019-07-25T22:25:44 Indonesia User Logged In
2019-08-07T05:56:45 AZ, US User Logged In
2019-08-07T05:56:46 AZ, US Email Sent
2019-08-07T12:43:07 AZ, US User Logged In
2019-08-07T12:43:07 AZ, US User Logged In
2019-08-07T12:43:08 AZ, US Email Sent
2019-08-09T19:46:35 AZ, US User Logged In
2019-08-09T19:46:36 AZ, US Email Sent
2019-08-09T21:26:24 NY, US User Logged In
2019-08-09T21:26:25 NY, US Email Sent
2019-08-09T22:51:00 AZ, US User Logged In
2019-08-09T22:51:01 AZ, US Email Sent
2019-08-09T22:51:02 AZ, US Email Sent
2019-08-09T22:51:03 AZ, US Email Sent
2019-08-09T22:51:52 AZ, US Email Sent
2019-08-09T22:51:57 AZ, US Email Sent
2019-08-09T22:51:57 AZ, US Email Sent
2019-08-09T22:51:58 AZ, US Email Sent
2019-08-09T22:51:58 AZ, US Email Sent
2019-08-09T22:55:03 Brazil User Logged In
2019-08-09T22:55:19 Finland User Logged In
2019-08-09T22:56:13 China User Logged In
2019-08-09T22:56:23 Lithuania User Logged In
2019-08-09T22:56:53 China User Logged In
2019-08-09T22:56:56 VA, US User Logged In
2019-08-09T22:56:56 VA, US Email Sent
2019-08-09T22:56:57 VA, US Email Sent
2019-08-09T22:56:58 VA, US Email Sent
2019-08-09T22:57:23 VA, US Email Sent
2019-08-09T22:57:23 VA, US Email Sent
2019-08-09T22:57:24 VA, US Email Sent
2019-08-09T22:57:24 VA, US Email Sent
Pinpointing Attacker Behavior
Comparing the characteristics activity before the first flagged detection with activity in the weeks following that detection, researchers uncovered several indicators of attacker behavior, such as logins from IPs belonging to different cities and states than the typical city and state the user logs in from. User X typically logins from two cities in Texas, but the account was being used from Indonesia and various places in the United States, including Arizona, New York and Virginia.
To confirm this as an indicator of attacker logins, researchers analyzed emails sent from User X during the three-week period starting from the initial detection and noticed that emails with subjects that resembled phishing were sent from IPs outside the typical locations User X logged in from. In addition, login events and email activity that were likely tied to an attacker almost always originated from anonymous IP and hosting services, such as GoDaddy.com and Google Cloud.
Using these indicators helped researchers in generalizing the identification of attacker behavior patterns.
Key Findings
Timing can be spread out
The bulk of this attack on User X happened within a time range of two days, but there was a 12-day gap between the initial login from Indonesia and further suspicious activity.
One potential hypothesis about the long gap is that the attacker is trying to perform a reconnaissance attack by spending time gathering information from within User X’s Microsoft Outlook contact list. Another possibility is that one attacker compromised User X’s account and then sold the credentials to another attacker, leading to a gap in suspicious behavior.
That first login is an unanswered question in terms of the potential purpose. Regardless of whether the attacker was doing reconnaissance or selling the credentials to another attacker, identifying the account takeover as soon as possible and remediating quickly can help avoid further damage.
Attackers are getting smarter about geography
Twelve days after the initial login from Indonesia, on August 7, there’s a string of three different sets of logins and emails being sent from different anonymous IPs originating from Scottsdale, Arizona, and somewhere in New York. In each instance, only one email is sent, which could be a sign of an attacker sending a single test email in preparation for a possible larger attack.
Two days later, on August 9, there’s a long set of around 50 phishing emails sent from Scottsdale, Arizona. (Note: Most of the 50 email events have been removed from the timeline for conciseness.) Then, there’s a string of foreign logins to the mail server of User X’s account, but no emails were sent. Finally, there’s a string of phishing emails sent from an IP tied to somewhere in Virginia.
The fact that most of the phishing emails were sent from IPs located in the United States may indicate that attackers try to evade detection by performing the bulk of their actions from IPs tied to similar regions/countries as the true user. This approach will make activity appear less anomalous than activity coming from foreign regions. As a result, without looking more closely at the emails that were sent from other locations in the United States, it would have been difficult to pinpoint whether login activity from these locations was attributable to attackers.
IP address and ISP are important clues
Attackers tend to use anonymous IPs belonging to ISPs different from the true user’s typical ISP provider. There was also a 1-1 correspondence between the originating IP address from emails sent from User X’s account and the IP address used during login to Microsoft Outlook. This helped link login events and email activity to potential attackers.
Protecting against email account takeover
Monitor account access and inbox rules
Get granular with your monitoring. Use technology to identify suspicious activity, including logins at unusual times of the day or from unusual locations and IP addresses, potential signs of a compromised account. Track IPs that exhibit other suspicious behaviors, including failed logins and access from suspicious devices.
Be sure to also monitor email accounts for malicious inbox rules, as they are often used as part of account takeover. Criminals log into the account, create forwarding rules and hide or delete any email they send from the account, to try to cover their tracks. Train staffers to recognize and report attacks Educate users about spear-phishing attacks by making it a part of security-awareness training. Ensure staffers can recognize attacks designed to steal login credentials and that they know how to report attacks. Use phishing simulation for emails, voicemail, and SMS to train users to identify cyberattacks, test the effectiveness of your training, and evaluate the users most vulnerable to attacks. Help employees avoid making costly mistakes by creating guidelines that put procedures in place to confirm requests that come in by email, including making wire transfers and buying gift cards.
Use multi-factor authentication Multi-factor authentication, also called MFA, two-factor authentication, and two-step verification, provides an additional layer of security above and beyond username and password, such as an authentication code, thumb print or retinal scan. Take advantage of artificial intelligence Scammers are adapting email tactics to bypass gateways and spam filters, so it’s critical to have a solution in place that detects and protects against spear-phishing attacks, including business email compromise and email account takeover. Deploy purpose-built technology that doesn’t rely solely on looking for malicious links or attachments. Using machine learning to analyze normal communication patterns within your organization allows the solution to spot anomalies that may indicate an attack. Deploy account-takeover protection Some of the most devastating and successful spear-phishing attacks originate from compromised accounts. Be sure scammers aren’t using your organization as a base camp to launch these attacks. Deploy technology that uses artificial intelligence to recognize when accounts have been compromised and that remediates in real time by alerting users and removing malicious emails sent from compromised accounts.