Cybercriminals frequently use email accounts from legitimate services like Gmail to carry out business email compromise (BEC) attacks, Help Net Security reports. Researchers at Barracuda revealed in their latest threat report that 6,170 accounts from legitimate services were used to launch more than 100,000 BEC attacks against 6,600 organizations. These attacks have made up 45% of all BEC attacks detected by Barracuda since April 1st.
Gmail was by far the most popular of the services abused in these attacks, making up 59% of the malicious accounts. Yahoo was a distant second at 6%.
Attackers use these accounts to impersonate real employees or business partners in order to manipulate an organization into transferring money or granting some kind of access to the attacker. Since the emails are coming from trusted domains, they’re more likely to pass through email security filters.
The researchers also found that cybercriminals often use the same accounts to attack multiple organizations. In one case, the same email address was used to attack 256 organizations. They also send an average of nineteen emails from each account.
Barracuda’s Vice President of Email Protection Michael Flouton concluded that organizations need to implement a combination of security technologies and employee training in order to achieve defense-in-depth.
“The fact that email services such as Gmail are free to set up, just about anyone can create a potentially malicious account for the purpose of a BEC attack,” Flouton said. “Securing oneself against this threat requires organizations to take protection matters into their own hands – this requires them to invest in sophisticated email security that leverages artificial intelligence to identify unusual senders and requests. However, no security software will ever be 100% effective, particularly when the sender appears to be using a perfectly legitimate email domain. Thus, employee training and education is essential, and workers should be made aware of how to manually spot, flag, and block any potentially malicious content.”
New-school security awareness training can give your organization an essential layer of defense by enabling your employees to recognize phishing tactics.
Help Net Security has the story.