The use of compromised accounts to send phishing emails to contacts inside and outside an organization is an increasing security threat.
One in seven organizations has experienced "lateral phishing," in which an account inside the organization is compromised and the credibility of that same-domain account is then used to send phishing emails to other people within the organization, as well as to frequent external contacts, according to a report published Thursday by Barracuda Networks in cooperation with researchers at UC Berkeley and UC San Diego.
Of the organizations that fell victim to lateral phishing, over 60% had more than one account compromised. The researchers analyzed 154 compromised accounts and over 100,000 unique recipients of the resulting phishing emails.
This type of attack relies strongly on implicit trust that comes with custom, organization-provided email accounts, as opposed to free email services provided by Google, Microsoft, or Yahoo.
Barracuda recommends security awareness training to educate users about this type of attack, requiring two-factor authentication (2FA) to reduce how often accounts in your organization are compromised, and advanced phishing detection techniques that use artificial intelligence (AI) or machine learning.
More generally, segmenting access to information can greatly limit the damage when a phishing attack does succeed, because barriers around sensitive information frustrate attempts to exfiltrate it from the organization.