In recent months, Barracuda researchers have seen a sharp rise in domain-impersonation attacks used to facilitate conversation hijacking. An analysis of about 500,000 monthly email attacks shows a 400-percent increase in domain-impersonation attacks used for conversation hijacking. In July 2019, there were about 500 of this type of domain-impersonation attack in the emails analyzed, and that number grew to more than 2,000 in November.
While the volume of conversation hijacking in domain-impersonation attacks is extremely low compared to other types of phishing attacks, these sophisticated attacks are very personalized, making them effective, hard to detect and costly.
Here’s a closer look at the growing threat of conversation hijacking in domain-impersonation attacks, along with tips to help protect your business.
Conversation Hijacking—Cybercriminals insert themselves into existing business conversations or initiate new conversations based on information they’ve gathered from compromised email accounts or other sources. Conversation hijacking is typically, but not always, part of an account-takeover attack. Attackers spend time reading through emails and monitoring the compromised account to understand business operations and learn about deals in progress, payment procedures, and other details.
Cybercriminals rarely use the compromised accounts for conversation hijacking. Instead, attackers use email-domain impersonation. They leverage information from the compromised accounts, including internal and external conversations between employees, partners, and customers, to craft convincing messages, send them from impersonated domains, and trick victims into wiring money or updating payment information.
Cybercriminals spend time planning conversation hijacking before launching attacks. They use account takeover or research the target organization to understand business transactions and prepare for attacks.
To execute conversation-hijacking attacks, cybercriminals use domain impersonation, including typo-squatting techniques, such as replacing one letter in a legitimate URL with a similar letter, or adding an unnoticeable letter to the legitimate URL. In preparation for the attack, cybercriminals will register or buy the impersonating domain.