Since the beginning of 2020, researchers at Barracuda have identified 6,170 malicious accounts that use Gmail, AOL, and other email services and were responsible for more than 100,000 BEC attacks on nearly 6,600 organizations. In fact, since April 1, malicious accounts have been behind 45 percent of the BEC attacks detected.
Here’s a closer look at how cybercriminals are launching attacks with these accounts, along with solutions to help protect your business by detecting, blocking, and remediating the evolving threats.
Malicious accounts — Cybercriminals register email accounts with legitimate services to use them in impersonation and business email compromise attacks. They carefully craft these messages and, in most cases, use these email accounts only a few times to avoid detection or being blocked by email service providers. Each of these email addresses used in BEC attacks is defined as a malicious account and provides insight into how cybercriminals use email accounts in their schemes.
Malicious accounts were responsible for 45 percent of all BEC attacks detected since April 1, 2020. These repeat offenders created multiple attacks, targeting multiple organizations from the same email accounts.
Cybercriminals' preferred choice of email service for malicious accounts is Gmail, which makes sense because it's accessible, free, easy to register, and has a high enough reputation to pass through email security filters.
Although the same email address will be used multiple times, attackers will change display names for their impersonation attempts.
Most of the time, cybercriminals don’t use their malicious accounts for a long period of time. In fact, we saw 29 percent of malicious accounts used for only a 24-hour period. There are several reasons for the short life span of these accounts:
- Malicious accounts may get reported and suspended by email providers
- It’s easy for cybercriminals to register new accounts
- Cybercriminals may temporarily abandon an account after initial attacks and then return to it after a long period of time
While most malicious accounts are used by attackers for a short period of time, some cybercriminals used these accounts to launch attacks for over a year. It’s not unusual for cybercriminals to return and re-use an email address in attacks after a long break.
By nature, business email compromise is a highly targeted attack. After an initial research period, cybercriminals will impersonate an employee or trusted partner in an email attack. Usually, email is used first to establish contact and trust. Attackers will expect replies to their BEC attacks. Therefore, these attacks are usually very low volume and highly personalized to ensure a higher chance of reply. The number of email attacks sent by a malicious account ranged from one to over 600 emails, with the average being only 19.
Having analyzed attacks on 6,600 organizations, Barracuda researchers found that in many cases cybercriminals used the same email addresses to attack different organizations. The number of organizations attacked by each malicious account ranged from one to a single mass-scale attack that impacted 256 organizations — 4 percent of all the organizations included in this research.
How to protect your organization from malicious accounts
- Invest in protection against business email compromise. Cybercriminals design BEC attacks to bypass email gateways. That’s why they only use each malicious account in a small number of attacks to avoid detection. Leveraging artificial intelligence to identify unusual senders, requests, and other communications will help detect BEC attacks and other fraud.
- Block messages from malicious accounts. Identifying accounts used by attackers is not always easy. Cybercriminals use techniques like spoofing that may make it difficult to identify the actual account used in an attack. Given the small volume of attacks coming from a single malicious account, it's unlikely that the same organization will be targeted by two different BEC attacks coming from the same email account. Working with a vendor that can share this type of threat intelligence between different organizations in real time will allow for a greater level of protection.
- Train your users to recognize targeted phishing attacks. User training should always be part of your security posture. Make sure your employees know how to recognize messages that come from outside of your organization and are aware of the latest tactics used by cybercriminals.
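The patterns described above (one free-mail address reused under different display names, the display name of a real employee on an external address, and the same account turning up at several organizations) can be checked with a few simple rules over a mail log. The following is an added example, not Barracuda's code or a description of its product; it uses a constructed sample log, made-up organization names (acme, globex) and a hypothetical per-organization employee list, and it is a rule-based sketch of the detection and cross-tenant blocking ideas rather than any AI-driven classifier.

```python
# Added example, not Barracuda's code: a minimal detector for the malicious-account
# patterns described in the post, run over a constructed log of inbound messages.
from collections import defaultdict
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Dict, Iterable, List, Set, Tuple

# Free-mail services the post names as attackers' preferred choice for throwaway accounts.
FREEMAIL_DOMAINS = {"gmail.com", "aol.com"}


@dataclass(frozen=True)
class Message:
    org: str          # receiving organization (constructed tenant id)
    from_header: str  # raw From: header value as received
    subject: str


def split_from(header: str) -> Tuple[str, str, str]:
    """Return (display_name, address, domain), all lower-cased, for a From: header."""
    name, addr = parseaddr(header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return name.strip().lower(), addr, domain


def find_impersonations(messages: Iterable[Message],
                        employees: Dict[str, Iterable[str]]) -> List[Tuple[str, str, str]]:
    """Flag messages whose display name matches one of the receiving organization's
    employees while the actual address is an external free-mail account."""
    known = {org: {e.lower() for e in names} for org, names in employees.items()}
    hits = []
    for m in messages:
        name, addr, domain = split_from(m.from_header)
        if name in known.get(m.org, set()) and domain in FREEMAIL_DOMAINS:
            hits.append((m.org, addr, name))
    return hits


def display_names_per_address(messages: Iterable[Message]) -> Dict[str, Set[str]]:
    """Addresses seen under more than one display name: the same account being
    reused for different impersonation attempts."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for m in messages:
        name, addr, _ = split_from(m.from_header)
        seen[addr].add(name)
    return {a: n for a, n in seen.items() if len(n) > 1}


def orgs_per_address(messages: Iterable[Message]) -> Dict[str, Set[str]]:
    """Which organizations each sender address has contacted; cross-tenant reuse is
    what makes shared threat intelligence worthwhile."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for m in messages:
        _, addr, _ = split_from(m.from_header)
        seen[addr].add(m.org)
    return dict(seen)


def apply_shared_blocklist(messages: Iterable[Message],
                           confirmed: Iterable[str]) -> Dict[str, List[str]]:
    """Block, for every tenant, any sender that any one tenant has confirmed as malicious.
    Returns org -> subjects of the messages that would be dropped."""
    bad = {a.lower() for a in confirmed}
    blocked: Dict[str, List[str]] = defaultdict(list)
    for m in messages:
        _, addr, _ = split_from(m.from_header)
        if addr in bad:
            blocked[m.org].append(m.subject)
    return dict(blocked)


# Constructed sample log: one free-mail account reused against two organizations
# under two different display names, plus legitimate messages for contrast.
SAMPLE_LOG = [
    Message("acme", "Jane Doe <jane.doe@acme.example>", "Q3 invoices"),
    Message("acme", "Jane Doe <jdoe.ceo.office@gmail.com>", "Urgent wire request"),
    Message("globex", "Hank Scorpio <jdoe.ceo.office@gmail.com>", "Gift cards for the team"),
    Message("globex", "Vendor Billing <billing@vendor.example>", "Invoice 1042"),
]
# Hypothetical per-organization employee directories.
EMPLOYEES = {"acme": ["Jane Doe"], "globex": ["Hank Scorpio"]}


if __name__ == "__main__":
    print(find_impersonations(SAMPLE_LOG, EMPLOYEES))
    print(display_names_per_address(SAMPLE_LOG))
    print(orgs_per_address(SAMPLE_LOG))
    # globex confirmed the account; acme is protected without having to see it first.
    print(apply_shared_blocklist(SAMPLE_LOG, ["jdoe.ceo.office@gmail.com"]))
```

The impersonation rule keys on the display name only, which is exactly the field the post says attackers rotate, so the second and third checks (multiple display names per address, multiple organizations per address) are what catch the same account once it moves on to a new name or a new target. In a real deployment the confirmed list in `apply_shared_blocklist` would be fed by the vendor's cross-organization intelligence rather than by a local hand-maintained list.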