More than a third of hijacked email accounts have resulted in attackers dwelling in compromised accounts for more than a week, according to new research.

A report by security solutions provider Barracuda Networks in association with UC Berkeley examined 159 compromised accounts spanning 111 organisations, finding that a specialised economy is emerging around email account takeover, using a combination of brand impersonation, social engineering and spear phishing to hijack email accounts and monetise them.

According to the research, 20 per cent of compromised accounts appear in at least one online password data breach, suggesting that cyber criminals are exploiting credential reuse across employees’ personal and organisation accounts.

In 31 per cent of the account compromises analysed, the initial set of attackers would focus on compromising accounts and then sell account access to another set of cyber criminals who focus on monetising the hijacked accounts.

This reflects an increasingly specialised, and layered criminal market for account compromise, Barracuda said.

The researchers observed that 78 per cent of attackers did not access any applications outside of email. As a result, the report concluded that either many organisations’ cloud accounts do not have access to interesting data and functionality outside of email, or that attackers have yet to adapt and exploit these additional sources of information.

Don MacLennan, senior vice president of engineering and email protection at Barracuda, said: “Cyber criminals are getting stealthier and finding new ways to remain undetected in compromised accounts for long periods of time so they can maximise the ways they can exploit the account, whether that means selling the credentials or using the access themselves.

“Being informed about attacker behaviour will help organisations put the proper protection in place so they can defend against these types of attacks and respond quickly if an account is compromised.”

Share Story: