Agari has released figures from recent research that show account takeover attacks are soaring. These phishing attacks involve the use of a compromised email account to fool employees into revealing sensitive information or installing malware. Agari says account takeover attacks have doubled in 2018.
Since messages are believed to have been sent from a known individual, many email recipients let their guard down. The effectiveness of this phishing technique is shown by Agari’s figures from a recent Osterman Research survey of 140 organizations with an average of 16,821 email users. In the past 12 months, 44% of respondents said their company has been a victim of an email account takeover attack.
In contrast to the spray and pray tactics used by many email scammers, account takeover attacks are highly targeted, with company executives and board members most likely to receive the emails. The Osterman Research survey shows these to be the most successful email attack vector.
Many of the techniques usually associated with spam, such as domain spoofing and masking the true sender of an email, are not used. It is these spam signatures that often see emails blocked by spam solutions. Most email spam defenses fail to stop this type of attack because the email is sent from an established email account.
In the case of business email compromise attacks (BEC) – a form of account takeover attack that uses an internal email address to target another member of the organization – organizations cannot easily stop the emails from being delivered or even detect that the emails are malicious because there is no malicious payload. As such, no security control is able to block these emails and prevent them from being delivered.
“Agari’s research demonstrates what CISOs have suspected for years: traditional email security solutions, such as secure email gateways, based on inspection and reputation are unable to detect advanced email attacks, such as account takeover,” said Ravi Khatod, CEO, Agari.
Agari has defined five steps in a typical account takeover attack – initial account access, control reconnaissance, a targeted attack, data exfiltration, and fraudulent wire transfers or other fraudulent financial transactions.
To counter the threat, Agari has developed its Enterprise Protect platform which incorporates enhanced Agari Identity Intelligence. The platform uses algorithms with machine learning to analyze emails and assign a score to each. The score indicates the likelihood of it having been sent from a compromised account.
Agari uses identity mapping to determine the perceived identity of the sender, behavioural analytics to determine anomalies in the message that deviate from expected sender behavior, and trust modelling to determine whether the email is expected by the recipient. Identity intelligence scoring is based on the above three controls and determines whether the message is genuine or has likely been sent from a compromised account.
“Leveraging global telemetry sources, unique algorithms, and a real-time scoring pipeline, the system continuously models email sending and receiving behaviors across the Internet and detects the new attacks of today and the even more sophisticated ones we expect to see in the future,” said Khatod.