conversation hijacking

By now, most of us know to never click on links or attachments in unsolicited emails as this is a common method for distributing malware infections.

But what happens when the attachment comes as an actual reply to a conversation you were having with an associate at an organization you know and trust? This type of attack undermines user awareness prevention measures and puts the user, and by extension their entire organization, in a very precarious position.

That’s what makes the current trend of Conversation Hijacking Attacks (CHAs) so disturbing and one that deserves serious consideration. CHAs ramped up mid-year of 2017 and are still trending upward with tens of thousands of attacks since the beginning of this year.

What is a Conversation Hijacking Attack?

A Conversation Hijacking Attack begins with the attacker sending a slew of emails that lead the user to a well-crafted phishing page. From here, the user is instructed to select their email provider of choice (Office 365, Gmail, Yahoo, AOL et al.) and then they are led to another page where their login credentials are gathered.

After the attacker has gathered credentials for thousands of email accounts, they launch attacks from those accounts by logging in and sending replies to prior conversations in that user’s inbox. These are mostly a vague response to the last message of an ongoing thread with such wording as “please look this over” in the body and a malware attachment, which usually takes the form of a Word document.

For the user, the message comes quite naturally as they were having a back-and-forth exchange with the individual. While most users know they should be highly skeptical of an attachment in an unsolicited email, in this scenario, even the most cautious and vigilant users are far more likely to open an attachment delivered in this manner than one coming from an unknown source. These attacks are personal and fool many.

The attack chain ultimately leads to a user – and potentially their network – being infected with some form of banking Trojan. While the payload may differ, one thing is clear – these attackers have financial and data theft in mind.

What to do about it

Protecting your business from such an attack can seem somewhat daunting, and it can be difficult to know where to start. As with many other cyber threats today, it is best to remember that there is not a single solution that will handle all protection. Instead remember, that you will need to take a multi-layer security approach to fortify your defenses.

A few pointers to get you started:

  • Implement additional security at the email level. This might include adding filtering or tightening down existing filters.
  • Consider banning macro-enabled documents inbound to your entire organization as they are very commonly used to deliver infections. If you need to receive them legitimately, then you can easily develop protocols for that.
  • Since this attack tends to trick some of the savviest users, you should educate your employees about these attacks.

In today’s age of highly customized and targeted attacks, one thing is certain — CHAs are here to stay and will present even more of a threat going forward.

Troy Gill is manager of security research at AppRiver, which provides cloud-based email and cybersecurity solutions.