Hackers have been devising creative ways to bypass security measures. Recently an innovative attack method was identified by Craig Hays, a cybersecurity architect and bug bounty hunter. Due to the outrageous success rate of the attack, he described it as one of the greatest password thefts ever seen.
What was discovered?
The new worm-like phishing attack used an ingenious way to hit a large number of people at the same time, and that too without using the traditional spray-and-pray tactics.
The phishing emails target employees of an organization by sending them replies to genuine emails, such as those exchanged between suppliers, customers, and colleagues.
How it works?
Hackers compromise an account and its credentials are sent to the remote bot that analyzes the emails.
Subsequently, for each unique email chain in the compromised account, the bot replies to the most recent emails (using reply-all)—with a phishing page link—to capture credentials.
As more victims kept falling for the scam, the bot operation grew bigger and eventually started spreading outside the organization.
Similar recent incidents
Stealing existing email conversations and then using them for targeted attacks is not an entirely new thing. However, the worm-like behavior in such attacks was observed for the first time.
In late-August, TA542 was observed leveraging social engineering mechanisms and email thread hijacking technique to distribute Emotet malware via hundreds of thousands of messages.
Around the same time, Qbot was observed leveraging a special email collector module that would steal all email threads from its targeted victim’s Outlook client. The attackers then use these emails for future malspam campaigns.
Usually, the goal of such attacks is to harvest as many credentials as possible, which could then be sold on the dark web. In such situations, experts strongly recommend using multi-factor authentication and following password policies such as using strong, unique passwords and changing them at a regular interval of time.