Cybercriminals often research potential victims to help strategize exactly how and where to attack them. This tactic applies whether the criminal is planning to mount a data breach, a phishing campaign or some other type of threat. In a report released Wednesday, data security provider Barracuda looked at a particular trick called a bait attack to illustrate how this method is used to pick up useful information about an intended target.
With a bait attack, also known as a reconnaissance attack, the cybercriminal is looking only to obtain details about a person or organization to help map out a future attack. Bait attacks usually arrive in the form of emails with very little or even no content.
The goal is simply to confirm the existence and accessibility of the recipient’s email, which is accomplished if the attacker receives no “undeliverable” notice or, even better, gets a response from the person.
The initial bait email typically skirts past security defenses for a few reasons. First, the messages contain little or no text and certainly no malicious links or file attachments. Second, the attackers often use legitimate email accounts, such as Gmail, Yahoo or Hotmail. Third, the criminals send out a small number of emails on a random basis to thwart any bulk or anomaly-based security detection.
The volume of bait emails is still low compared with other types of phishing messages. Barracuda found that around 35% of the 10,500 organizations it analyzed received at least one bait attack in September 2021. On average, three different mailboxes per company got one of these messages. But because a bait email seems innocuous, with no obvious red flags, it is more likely to draw a response from the recipient.
One bait message received by a Barracuda customer in August included a subject line that simply said “HI” and contained no text in the body. As a follow-up, someone from Barracuda replied to the email with a message that said: “Hi, how may I help you?”
Within 48 hours, the original employee was targeted with a phishing attack claiming that the person was being charged for a subscription to the Norton LifeLock security product. In the end, the purpose of the original bait email was to confirm the existence of the account and any interest on the part of the recipient to respond to such messages.
To help you protect your organization and users against bait attacks, Barracuda offers the following suggestions:
- Use artificial intelligence to identify and stop bait attacks. Since bait attacks contain little or no content and come from legitimate email accounts, traditional security defenses are typically unable to detect them. Instead, you need to turn to AI-based protection. This type of security analyzes data using a variety of resources, such as communication graphs, reputation systems and network-level analysis.
- Teach employees to spot and report bait attacks. Even with the best defense, some bait emails are likely to reach your users. To train employees to recognize these attacks and not engage with them, include samples of bait emails in your security training and urge users to report such messages to your security staff.
- Don’t allow bait emails to sit in a user’s inbox. You don’t want to give a user the opportunity to respond to or even open a bait message, which means the email should be removed from the person’s inbox as quickly as possible. Tools that employ automated incident response can find and take care of these messages to prevent the attack from spreading further.
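As an added illustration (not code from the Barracuda report or this article), the following Python scores a message against the bait-attack traits described above: a near-empty body, no links or attachments, a sender on a free webmail service, a minimal subject and no prior correspondence. The sample messages, the webmail domain list, the known-sender set and the threshold are constructed assumptions.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed list of free webmail providers (the article names Gmail, Yahoo, Hotmail).
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)

# Constructed sample messages: a bait email like the "HI" case, and a normal vendor email.
BAIT_MSG = "From: Pat <pat.random@gmail.com>\nTo: employee@example.com\nSubject: HI\n\n"
LEGIT_MSG = (
    "From: Dana Vendor <dana@supplier.example>\nTo: employee@example.com\n"
    "Subject: Q3 invoice ready\n\n"
    "Hi, the Q3 invoice is at https://billing.supplier.example/inv/123 - let me know if anything is off.\n"
)
# Constructed set of addresses the mailbox has corresponded with before.
KNOWN_SENDERS = {"dana@supplier.example"}


def _plain_body(msg: Message) -> str:
    """Concatenate the text/plain parts, skipping anything that is a named attachment."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "".join(chunks).strip()


def bait_indicators(raw: str, known_senders: set) -> list:
    """Return the bait-attack indicators present in one RFC 5322 message string."""
    msg = message_from_string(raw)
    body = _plain_body(msg)
    _, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    hits = []
    if len(body) < 20:                       # little or no text in the body
        hits.append("empty_or_near_empty_body")
    if not URL_RE.search(body) and not any(p.get_filename() for p in msg.walk()):
        hits.append("no_links_or_attachments")  # nothing for a URL/attachment scanner to flag
    if addr.rpartition("@")[2] in FREE_WEBMAIL:
        hits.append("free_webmail_sender")       # legitimate consumer account, not a spoof
    if len(msg.get("Subject", "").strip()) <= 3:
        hits.append("very_short_subject")        # e.g. the subject "HI" from the article
    if addr not in known_senders:
        hits.append("first_contact")             # no prior correspondence with this address
    return hits


def is_probable_bait(raw: str, known_senders: set, threshold: int = 4) -> bool:
    """Flag the message for removal/review when enough indicators coincide (threshold is assumed)."""
    return len(bait_indicators(raw, known_senders)) >= threshold
```

A mail-flow hook that calls `is_probable_bait` can quarantine the message before it reaches the inbox, which is the automated-response step Barracuda recommends.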