ATO Attacks Affect Around 4,000 Office 365 Accounts
ATO (Account Takeover) attacks have reportedly impacted roughly 4,000 Office 365 accounts, which were later used to carry out malicious activities.
Details about the attacks, which spanned one whole month, have been given out by researchers at Barracuda Networks in a report dated May 2, 2019. The report says, “Barracuda researchers have revealed a startling rise in account takeover, one of the fastest growing email security threats. A recent analysis of account-takeover attacks targeted at Barracuda customers found that 29 percent of organizations had their Office 365 accounts compromised by hackers in March 2019.”
The report reveals that in that one month (March 2019), over 1.5 million malicious and spam emails were sent from the hacked Office 365 accounts.
Barracuda researchers explain that the criminals behind the ATO attacks had used different methods to execute the attacks, including leveraging login credentials acquired in previous data breaches, brute-force attacks, and attacks via web and business applications (including SMS).
The Barracuda Networks blog post, which has been authored by Asaf Cidon, Vice President of content security services, says, “Cybercriminals use brand impersonation, social engineering, and phishing to steal login credentials and access Office 365 accounts. Once the account is compromised, hackers monitor and track activity to learn how the company does business, the email signatures they use, and the way financial transactions are handled, so they can launch successful attacks, including harvesting additional login credentials for other accounts.”
The attacks begin with infiltration (with hackers impersonating Microsoft in 1 in 3 attacks) and the use of social engineering tactics to lure users into visiting phishing websites which would make them disclose their login credentials. Hackers would rarely launch an attack immediately after compromising an account. They would instead monitor the emails and track company activities, which would help maximize chances of executing successful attacks. Barracuda’s Asaf Cidon writes, “As part of their reconnaissance, scammers often set up mailbox rules to hide or delete any emails they send from the compromised account. In the March 2019 analysis performed by Barracuda researchers, hackers set up malicious rules to hide their activity in 34 percent of the nearly 4,000 compromised accounts.”
After reconnaissance, the hackers target other high-value accounts (of executives, financial department employees, etc.) using the harvested credentials. The hackers would use spear phishing and brand impersonation in a bid to harvest the credentials for these high-value accounts. They would use domain-spoofing techniques or lookalike fake domains to make their impersonation attempts appear convincing.
“Hackers also use compromised accounts to monetize attacks by stealing personal, financial, and confidential data and using it to commit identity theft, fraud, and other crimes. Compromised accounts are also used to launch external attacks targeting partners and customers. With conversation hijacking, hackers insert themselves into important conversations or threads, such as during a wire transfer or other financial transaction,” explains Asaf Cidon.
Such attacks, it should be noted, cause great financial losses to companies, and the hackers even make money by successfully targeting wire transfer payments and redirecting them to bank accounts that they control.
How to ensure protection against such ATO attacks…
Barracuda researchers have come up with recommendations that could help ensure comprehensive protection against such ATO attacks.
The first step that could help mitigate such attacks is the successful employment of artificial intelligence. Machine learning could be used to analyze normal communication patterns within an organization and to spot anomalies, which may indicate attacks (spear-phishing attacks and the like) that bypass gateways and spam filters.
The researchers also recommend deploying account take-over protection using AI (artificial intelligence), which could help identify takeovers and also help in remediation.
Using multi-factor authentication, monitoring inbox rules and suspicious logins, and training employees to recognize and report attacks are also effective mitigation measures.
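As an added example (not from the Barracuda report or any Barracuda tooling), the following Python check audits exported inbox rules for the hiding pattern described above: rules that delete incoming mail or move it to a folder nobody reads. The rule records are constructed and assumed to follow the field names of Microsoft Graph messageRule objects; the hidden-folder and watch-term lists are my own assumptions, not indicators from the report.

```python
from typing import Dict, List

# Constructed sample rules, shaped like Microsoft Graph "messageRule" objects (an
# assumption about the export format; the values are invented, not from the report).
SAMPLE_RULES = [
    {"displayName": "Sort newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["newsletter"]}, "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": ".", "isEnabled": True,
     "conditions": {"subjectContains": ["invoice", "wire transfer", "payment"]},
     "actions": {"delete": True, "markAsRead": True}},
    {"displayName": "Cleanup", "isEnabled": True,
     "conditions": {"subjectContains": ["undeliverable", "hacked"]},
     "actions": {"moveToFolder": "RSS Feeds", "markAsRead": True}},
    {"displayName": "Old rule", "isEnabled": False,
     "conditions": {"subjectContains": ["password"]}, "actions": {"permanentDelete": True}},
]

# Folders users seldom open: mail moved there is effectively hidden (assumed list).
HIDDEN_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Deleted Items", "Junk Email", "Conversation History"}
# Assumed indicator terms: a hiding rule keyed on these suggests it buries replies,
# bounces or warnings that relate to the attacker's own activity from the account.
WATCH_TERMS = {"invoice", "wire transfer", "payment", "bank", "password",
               "undeliverable", "hacked", "phish", "suspicious"}

def hiding_reasons(rule: Dict) -> List[str]:
    """Why an enabled rule looks like an attacker's hiding rule; [] means not flagged."""
    if not rule.get("isEnabled", True):
        return []
    actions, conds = rule.get("actions", {}), rule.get("conditions", {})
    reasons = []
    if actions.get("delete") or actions.get("permanentDelete"):
        reasons.append("deletes matching mail")
    if actions.get("moveToFolder") in HIDDEN_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder '{actions['moveToFolder']}'")
    if not reasons:  # only delete/move-to-hidden rules are flagged; the rest are aggravating factors
        return []
    if actions.get("markAsRead"):
        reasons.append("marks mail as read, so no unread indicator appears")
    terms = {t.lower() for f in ("subjectContains", "bodyContains") for t in conds.get(f, [])}
    if terms & WATCH_TERMS:
        reasons.append("matches watch terms: " + ", ".join(sorted(terms & WATCH_TERMS)))
    if len(rule.get("displayName", "").strip()) <= 1:
        reasons.append("near-empty rule name")
    return reasons

def audit_rules(rules: List[Dict]) -> Dict[str, List[str]]:
    """Map each flagged rule's displayName to the reasons it was flagged."""
    return {r["displayName"]: hiding_reasons(r) for r in rules if hiding_reasons(r)}
```

Running `audit_rules(SAMPLE_RULES)` flags the "." and "Cleanup" rules while leaving the newsletter rule and the disabled rule alone; in practice the input would be the rule export for every mailbox, reviewed whenever a new rule appears.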