Skip to content

Hackers will lurk in your email for more than a week after breaking in

Beware – cybercriminals could be spending days rooting around in employee inboxes for information they can sell to other crooks, or use to mount further attacks.

Hackers could be lurking in your email account for more than a week after hijacking it to harvest information before selling it off to other criminals, a new report from Barracuda Networks has warned.

A study carried out by Barracuda and UC Berkeley of found that just over a third of hacked corporate email accounts sustained attacks for more than a week, during which time attackers would monitor how the organisation did business so that they could launch subsequent phishing attacks.

More about cybersecurity

This includes monitoring the email signatures companies use and the way they handle financial transactions, which could then be used to harvest financial information and login credentials for other accounts.

However, the researchers also observed that 78% of attackers did not access any other applications outside of email. This suggests that businesses lack any interesting or useful data outside of email that hackers can exploit – or otherwise that they are simply yet not sophisticated enough to put these other sources of information to use.

It could also point to a more worrying conclusion. According to Barracuda, our reliance on using email to store increasingly large amounts of sensitive information – whether for convenience or otherwise – means that our inboxes could contain much of the valuable information hackers need without them having to look elsewhere.

SEE: SSL Certificate Best Practices Policy (TechRepublic Premium)

“Many employees will store that data in their inboxes — without archiving. As a result, attackers are able to use and search inboxes in the same way they would a filing system and can obtain everything they need,” the report said.

“In fact, it’s probably much easier to look for information in the inbox than in other cloud-based applications because everything is date stamped and historical context information on all parties involved exists. That makes it very easy to set up targeted attacks or conversation hijacking using only inbox data.”

Cyberattacks have grown into a huge problem during the pandemic, with phishing scams becoming a particularly popular tactic by criminals looking to exploit the confusion and uncertainty cause by COVID-19, and the resulting shift to remote working. 

Barracuda’s research examined 159 compromised accounts spanning 111 organisations. Microsoft 365 applications were cited as the primary target for hackers – hardly surprising, given the software’s popularity amongst businesses. Barracuda’s researchers found that in 98% of the accounts it analysed, attackers accessed at least one email-related Office 365 application, such as Microsoft Outlook. From there, attackers were easily able to access contact lists alongside confidential and financial information tied to other individuals, and the wider organisation.

Just 22% of compromised accounts were accessed via other Office 365 applications, Barracuda found. In these scenarios, Microsoft SharePoint was the most common target, used in 17% of attacks.

SEE: Zero trust security: A cheat sheet (free PDF) (TechRepublic)  

Barracuda’s researchers also found that 20% of compromised accounts appeared in at least one online password data breach, which it said indicated that cybercriminals were exploiting the tendency of employees to reuse login credentials across their personal and work accounts – a major security no-no.

It also identified a trend whereby the initial set of attackers would focus on compromising accounts before selling access to other cybercriminals, who would then cash in on the stolen information. This was the case in 31% of cases studied by Barracuda, which the company said “reflects an increasingly specialised, and layered criminal market for account compromise” that used a combination of  a combination of brand impersonation, social engineering, and spear phishing to hijack email accounts, before profiting from them.

Being informed about attacker behavior can help organisations put proper protection in place to defend against these types of attacks, said Don MacLennan, SVP Engineering of Email Protection at Barracuda. This includes this implementing AI-based threat monitoring software to automate the detection of email account breaches, better password management and using data forensics technology to help remediate attacks after they’ve taken place.

“Cybercriminals are getting stealthier and finding new ways to remain undetected in compromised accounts for long periods of time so they can maximize the ways they can exploit the account, whether that means selling the credentials or using the access themselves,” MacLennan said.

Also see