
Exclusive: Taking the bait, what happens when you play into attackers’ trap?

Barracuda Networks shares the findings of its latest investigation on bait attacks

With 35% of organisations being targeted by baiting attacks in September 2021, Barracuda Researchers went down the rabbit hole of this attack to uncover cybercriminals’ intent.

In recent years, phishing attacks have become increasingly sophisticated. Today, personalised emails with details carefully gleaned off social media accounts can fool even the most security-conscious employee. It might come as a surprise then that a technique that’s increasingly being utilised by cybercriminals is the polar opposite of these sophisticated social engineering scams. But what might appear to be an innocent, or even foolish mistake hides a darker reality.

Bait and watch

Bait attacks, also known as reconnaissance attacks, are usually emails with very short or even empty content. Their goal is either to confirm that the victim’s email address exists (if no “undeliverable” bounce comes back, the mailbox is live), or to draw the victim into a conversation that could lead to fraudulent money transfers or leaked credentials.

The content is intentionally kept very ‘light’ in this class of threats. Because the messages contain barely any text and carry no phishing links or malicious attachments, conventional phishing detectors have little to work with, which makes these attacks hard to identify and therefore hard to defend against.

Moreover, to avoid being detected, the attackers typically use fresh email accounts from free provider services, such as Gmail, Yahoo, or Hotmail, to send the attacks. Attackers also rely on a low volume and ‘non-burst’ sending behaviour in an attempt to get past any bulk or anomaly-based detectors.

With just over 35% of the 10,500 organisations analysed being targeted by at least one bait attack in September 2021, Barracuda Researchers went down the rabbit hole of this attack to uncover cybercriminals’ intent. So, here’s a closer look at the ways that attackers are using bait attacks and the techniques they’re using to avoid getting caught, as well as solutions to help you detect, block, and recover from these types of attacks.

Taking the bait

It is common for bait attacks to precede some sort of targeted phishing attack. Barracuda’s research team ran an experiment by replying to one of the bait attacks that landed in the private mailbox of a company employee.

The original attack, on August 10, 2021, was an email with the subject line ‘HI’ and an empty body.

As part of the experiment, the Barracuda employee replied on August 15, 2021 with an email containing, “Hi, how may I help you?”. Unsurprisingly, within just 48 hours, on August 17, 2021, the employee received a targeted phishing attack. The original email had been designed to verify both the existence of the mailbox and the victim’s willingness to respond to email messages.

How to protect against bait attacks?

Deploy AI to identify and block bait attacks. Traditional filtering technology is largely helpless when it comes to blocking bait attacks. The messages carry no malicious payload and usually come from Gmail, which is considered highly reputable. AI-based defence is a lot more effective. It draws on data extracted from multiple sources, including communication graphs, reputation systems, and network-level analysis, to protect against such attacks.

Train your users to recognise and report bait attacks. Some of these attacks may still land in users’ inboxes, so train your users to recognise these attacks and not reply. Include examples of bait attacks in your security awareness training and simulation campaigns. Encourage users to report these to your IT and security teams.

Don’t let bait attacks sit inside users’ inboxes. When bait attacks are identified, it’s important to remove them from users’ inboxes as quickly as possible, before users open or reply to the message. Automated incident response can help identify and remediate these messages in minutes, preventing further spread of the attack and helping to avoid making your organisation a future target.
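The detection signals named in the “Deploy AI” recommendation (near-empty body, no links or attachments, free-mail sender, no prior relationship in the communication graph) and the “remove from inboxes” recommendation can be combined into a simple triage routine. The following is an added illustration, not Barracuda’s detection logic or code from the article; the message format, the `known_senders` set standing in for a communication graph, the thresholds, and the sample messages are all constructed for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Free-mail providers the article names as the usual source of bait emails.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}
URL_RE = re.compile(r"(https?://|www\.)", re.IGNORECASE)
# Hypothetical thresholds chosen for this example, not values from the article.
SHORT_BODY_CHARS = 40
BAIT_THRESHOLD = 3


@dataclass
class Message:
    msg_id: str
    sender: str
    recipient: str
    subject: str
    body: str
    attachments: int = 0


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def bait_signals(msg: Message, known_senders: set[str]) -> list[str]:
    """Return the bait-attack traits from the article that this message exhibits.

    known_senders is a stand-in for a communication graph: addresses the
    organisation has previously exchanged mail with (stored lowercased).
    """
    signals = []
    body = msg.body.strip()
    if len(body) < SHORT_BODY_CHARS:
        signals.append("empty_or_short_body")
    if not URL_RE.search(body) and msg.attachments == 0:
        signals.append("no_links_or_attachments")
    if sender_domain(msg.sender) in FREE_MAIL_DOMAINS:
        signals.append("free_mail_sender")
    if msg.sender.lower() not in known_senders:
        signals.append("unknown_correspondent")
    return signals


def is_bait(msg: Message, known_senders: set[str]) -> bool:
    """A short, payload-free note from a known colleague is normal mail, so an
    unknown correspondent is required in addition to the signal threshold."""
    signals = bait_signals(msg, known_senders)
    return "unknown_correspondent" in signals and len(signals) >= BAIT_THRESHOLD


def triage(messages: list[Message], known_senders: set[str]) -> dict[str, list[str]]:
    """Group ids of suspected bait messages by recipient mailbox so an
    automated response can pull them before anyone replies."""
    to_remove: dict[str, list[str]] = {}
    for m in messages:
        if is_bait(m, known_senders):
            to_remove.setdefault(m.recipient, []).append(m.msg_id)
    return to_remove


# Constructed sample data: addresses and message ids are fictitious.
KNOWN_SENDERS = {"bob@example.com", "carol@gmail.com"}
SAMPLE_MESSAGES = [
    # Mirrors the article's experiment: subject 'HI', empty body, fresh free-mail account.
    Message("m1", "brightnew9912@gmail.com", "alice@example.com", "HI", ""),
    # Short but legitimate reply from a known colleague.
    Message("m2", "bob@example.com", "alice@example.com", "Re: lunch", "Sure, 12:30 works."),
    # Unknown sender, but a normal-length body with a link.
    Message("m3", "news@vendor-example.com", "alice@example.com", "October update",
            "Our October release notes are live at https://vendor-example.com/notes "
            "and the webinar recording is attached.", attachments=1),
    # Short note from a known Gmail correspondent: three signals, but not unknown.
    Message("m4", "carol@gmail.com", "alice@example.com", "hey", "hey"),
    # Another bait-style message to a second mailbox.
    Message("m5", "quickreply77@yahoo.com", "dave@example.com", "", "Hello"),
]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m.msg_id, is_bait(m, KNOWN_SENDERS), bait_signals(m, KNOWN_SENDERS))
    print(triage(SAMPLE_MESSAGES, KNOWN_SENDERS))
```

Running the script flags `m1` and `m5` for removal and leaves the short messages from known correspondents alone, which is the point of feeding the communication graph into the decision: body length and sender domain alone would misfire on ordinary one-line replies.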