New data from Barracuda shows that attackers who take over email accounts take their time exploiting the compromised credentials and work to avoid detection.
Waiting is a tactic that often gives an attacker the upper hand. Ransomware attacks are more likely to get a ransom because backups are compromised with malware installed months prior, and data breaches go undetected for months, allowing attackers to slowly (but surely) take you for everything they’re after.
But new data from security vendor Barracuda shows that attackers involved in email account takeover share a few common traits that are relatively unexpected and, in some ways, novel:
- Attacks don’t occur all at once. Instead, after an account is compromised, the use of that email account is spread out over a period of time.
- Attackers want to look local. Phishing attacks via compromised accounts are performed from IP addresses in locations similar to that of the hacked account.
- Attackers anonymize their access. It appears that attackers don’t want to leave clues in the form of IP addresses. Instead, they anonymize their access with IPs that belong to ISPs other than the one used by the hacked account.
These findings demonstrate that attackers aren’t just executing an automated attack. Instead, they appear to be really thinking about their actions and the repercussions that may impact their continued ability to launch attacks.
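The following added example, which is not from Barracuda or the original article, shows what the second and third traits mean for detection: a country-only sign-in rule passes the attacker's local-looking logins, while a per-account ISP baseline flags them. The sign-in records, account names and ISP names are constructed, and the baseline cut-off date is an assumption.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in records: (timestamp, account, country, ISP name).
# Account and ISP names are made up for illustration.
SIGNINS = [
    ("2020-03-02T08:14", "alice@example.com", "US", "HomeNet Cable"),
    ("2020-03-03T08:20", "alice@example.com", "US", "HomeNet Cable"),
    ("2020-03-04T17:45", "alice@example.com", "US", "Office Fiber"),
    ("2020-03-09T02:11", "alice@example.com", "US", "BudgetVPS Hosting"),
    ("2020-03-16T03:40", "alice@example.com", "US", "BudgetVPS Hosting"),
    ("2020-03-17T08:05", "alice@example.com", "US", "HomeNet Cable"),
    ("2020-03-05T09:00", "bob@example.com", "DE", "Stadtnetz"),
    ("2020-03-10T09:02", "bob@example.com", "DE", "Stadtnetz"),
]
BASELINE_END = datetime(2020, 3, 8)  # assumed cut-off: earlier events build the profile


def parse(rows):
    return [(datetime.fromisoformat(ts), acct, cc, isp) for ts, acct, cc, isp in rows]


def find_suspicious(rows, baseline_end=BASELINE_END):
    """Return {account: [(time, isp, geo_rule_would_pass)]} for sign-ins from an unseen ISP."""
    events = sorted(parse(rows))
    countries, isps = defaultdict(set), defaultdict(set)
    for ts, acct, cc, isp in events:
        if ts < baseline_end:
            countries[acct].add(cc)
            isps[acct].add(isp)
    hits = defaultdict(list)
    for ts, acct, cc, isp in events:
        if ts >= baseline_end and isp not in isps[acct]:
            # A country-only rule would pass this sign-in when cc matches the baseline.
            hits[acct].append((ts, isp, cc in countries[acct]))
    return dict(hits)


def access_span_days(hits):
    """Days between first and last flagged sign-in per account (use spread over time)."""
    return {acct: (h[-1][0] - h[0][0]).days for acct, h in hits.items()}


if __name__ == "__main__":
    found = find_suspicious(SIGNINS)
    for acct, rows in found.items():
        print(acct, [(f"{ts:%Y-%m-%d}", isp, ok) for ts, isp, ok in rows])
    print(access_span_days(found))
```

In the sample data both flagged sign-ins come from the account's usual country, so only the ISP comparison surfaces them, and the seven-day span between them reflects access that is spread out rather than used all at once.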
Email Account Takeover attacks plague 1 in 7 organizations, usually with phishing as the attack vector. Organizations wanting to stop this attack in its tracks look to Security Awareness Training to teach users about these kinds of attacks and prepare them for the day they find themselves staring at what appears to be a valid email, but something’s just not right. Users not interacting with such emails is what stops these phishing attacks, and solid cybersecurity education is the key.