What Can Be Done About The Increasing Authenticity Of Hacked Email Reply Chains?

By   Kelvin Murray
Senior Threat Research Analyst , Webroot | Jun 25, 2019 06:30 am PST

Phishing has been around in various forms since the 1990s, however, it’s clear that the popular mode of attack continues to evolve as cybersecurity defences improve. To subvert these improved defences, phishing tactics have become so sophisticated it can be difficult to spot a scam – particularly in the case of hijacked email reply chains.

Hijacked email reply chains refers to when a cybercriminal gains access to a colleague or supplier’s email, monitors ongoing conversations and waits for the opportune moment to send malware to a victim. Typically, malware such as Emotet is deployed, or another banking Trojan, like Ursnif or Gozi

Why are these attacks so effective?

What separates a regular phishing attack and a hijacked email chain is believability. These are dedicated, sophisticated criminals, who spend time breaking into email accounts, observing business conversations, negotiations, and transactions. Then, at a time when the victim is expecting an email with an attachment, they launch their attack. In malware campaigns that employ those tactics, it really doesn’t matter whose account the malicious actors have broken into. If you receive an email from your project manager, a sales colleague, the finance department, a particular client, or anyone else that bears the markers of a legitimate, ongoing email conversation, the attack is highly likely to succeed. There are numerous reports of these attacks occurring online. Although typically attributed to banking trojan campaigns, this tactic could be implemented to deploy other types of malware.

What can be done to protect yourself?

It may seem impossible to try to stay safe in a world filled with such advanced threats. However, hope is not lost. There are several techniques you can employ to keep yourself protected. 

First, it’s important to protect your own email account from being hijacked. Attackers can use techniques like alternate inboxing to send messages from your account without your knowledge. Be sure to secure your account with strong passwords, 2-factor authentication, and use a secure password manager. By encouraging friends and colleagues to do the same, your network of contacts will be less susceptible to attack. 

You may already mistrust emails from people you don’t know, but it’s time to raise suspicion of trusted senders, too. Attackers commonly try to spoof email addresses to look like those you’re familiar with and may even gain control of an email account that belongs to someone you know personally. The most important thing you can do is to err on the side of caution when it comes to emails asking you to download attachments. If you become suspicious of an email from a colleague or acquaintance, the best way to check its legitimacy is to pick up the phone and talk to them. Being able to confirm the legitimacy of an email over the phone is a guaranteed way of avoiding an attack through that vector. Additionally, if you receive an email from a company, look up the company’s publicly listed number – not the one included in the email, and call them to verify.

Finally, it is imperative that macros are never turned on, and users should not trust a document that asks you to turn macros on. This is something to look out for in Microsoft Office, especially in files that want you to show hidden content, as this is an often-used attack vector for criminals. Keeping your operating system and all applications up to date is an effective barrier, and deterrent, to certain attacking efforts. This will help strengthen defences and keep valuable data safe.

Notify of
0 Expert Comments
Inline Feedbacks
View all comments

Recent Posts

Would love your thoughts, please comment.x