{"id":20986,"date":"2023-04-26T00:18:01","date_gmt":"2023-04-25T20:18:01","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/what-is-conversation-hijacking\/20986\/"},"modified":"2023-04-26T00:18:12","modified_gmt":"2023-04-25T20:18:12","slug":"what-is-conversation-hijacking","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/what-is-conversation-hijacking\/20986\/","title":{"rendered":"Conversation hijacking and how to deal with it"},"content":{"rendered":"<p>Targeted e-mail attacks aren\u2019t limited to spear phishing and <a href=\"https:\/\/www.kaspersky.com\/blog\/what-is-bec-attack\/34135\/\" target=\"_blank\" rel=\"noopener nofollow\">business e-mail compromise (BEC)<\/a>. Another serious threat is conversation hijacking. In a nutshell, this is a scheme where attackers insert themselves into a business e-mail conversation and pose as one of the participants. This post analyzes how such attacks work and what to do to minimize their chances of succeeding.<\/p>\n<h2>How do attackers gain access to e-correspondence?<\/h2>\n<p>\nTo worm their way into a private e-mail conversation, cybercriminals need to somehow gain access to either a mailbox or (at least) the message archive. There are various tricks they can deploy to achieve this.<\/p>\n<p>The most obvious is to hack the mailbox. For cloud services, password brute-forcing is the method of choice: attackers look for passwords associated with a particular e-mail address in leaks from online services, then try them out on work e-mail accounts. That\u2019s why it\u2019s important, first, not to use the same credentials for different services, and, second, not to give a work e-mail address when registering on sites unrelated to your work. An alternative method is to access e-mail through vulnerabilities in server software.<\/p>\n<p>Malicious actors rarely stay in control of a work e-mail address for long, but they do usually have enough time to download the message archive. 
Sometimes they create forwarding rules in the settings so as to receive e-mail coming into the mailbox in real time. Thus, they can only read messages and not send any. If they could send messages they\u2019d most likely try to pull off a BEC attack.<\/p>\n<p>Another option is malware. Recently our colleagues <a href=\"https:\/\/www.kaspersky.com\/blog\/qbot-pdf-mailout\/47902\/\" target=\"_blank\" rel=\"noopener nofollow\">uncovered a mass conversation hijacking campaign<\/a> aimed at infecting computers with the QBot Trojan. The e-mails in which the cybercriminals planted their malicious payload most likely came from previous victims of that same QBot malware (which can access local message archives).<\/p>\n<p>But self-styled hackers or malware operators don\u2019t necessarily go in for conversation hijacking themselves\u00a0\u2014 sometimes message archives are sold on the dark web and used by other scammers.<\/p>\n<h2>How does conversation hijacking work?<\/h2>\n<p>\nCybercriminals scour message archives for e-mails among several companies (partners, contractors, suppliers, etc.). The dates don\u2019t matter \u2014 scammers can resume conversations that go back years. After finding a suitable exchange of e-mails, they write to one of the parties involved, impersonating another party. The goal is to dupe the person at the other end into doing something required by the attackers. 
Before getting down to business, they sometimes exchange a few messages just to lower the other\u2019s vigilance.<\/p>\n<p>Because conversation hijacking is a targeted attack, it often uses a look-alike domain; that is, a domain visually very close to that of one of the participants but with some small mismatch \u2014 say, a different top-level domain, an extra letter, or a symbol substituted for a similar-looking one.<\/p>\n<div id=\"attachment_48011\" style=\"width: 498px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-48011\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2023\/04\/26001809\/what-is-conversation-hijacking-letter.jpg\" alt=\"Attackers' e-mail: the letter &quot;n&quot; appears instead of &quot;m&quot; in the domain name.\" width=\"488\" height=\"468\" class=\"size-full wp-image-48011\"><p id=\"caption-attachment-48011\" class=\"wp-caption-text\">Attackers\u2019 e-mail: the letter \u201cn\u201d appears instead of \u201cm\u201d in the domain name.<\/p><\/div>\n<h2>What is conversation hijacking used for in particular?<\/h2>\n<p>\nThe objectives of conversation hijacking are generally rather banal: to gain access to some resource by stealing login credentials; to dupe the victim into sending money to the attackers\u2019 account; or to get the victim to open a malicious attachment or follow a link to an infected site.<\/p>\n<h2>How to guard against conversation hijacking?<\/h2>\n<p>\nThe main threat posed by conversation hijacking is that e-mails of this kind are quite difficult to detect by automated means. 
Fortunately, our arsenal includes <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security\/microsoft-office-365-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kso365___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Security for Microsoft Office 365<\/a>, a solution that detects attempts to sneakily join other people\u2019s conversations. To further reduce the risks to both you and your business partners, we recommend:\n<\/p>\n<ul>\n<li><a href=\"https:\/\/me-en.kaspersky.com\/small-to-medium-business-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">Protecting employees' devices<\/a> to make it harder to steal message archives from them.<\/li>\n<li>Using unique passwords for work e-mail accounts.<\/li>\n<li>Minimizing the number of external services registered to work e-mail addresses.<\/li>\n<li>Not only changing the password after an e-mail incident, but also checking to see if any unwanted forwarding rules have appeared in the settings.<\/li>\n<\/ul>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kesb-top3\"><input type=\"hidden\" class=\"placeholder_for_banner\" data-cat_id=\"kesb-top3\" value=\"32360\">\n","protected":false},"excerpt":{"rendered":"<p>Cybercriminals can access the e-mails of folks you\u2019re in correspondence with and then try to hijack your conversations. 
<\/p>\n","protected":false},"author":2598,"featured_media":20989,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916,1917],"tags":[2176,1815,81],"class_list":{"0":"post-20986","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-bec","11":"tag-e-mail","12":"tag-targeted-attacks"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/what-is-conversation-hijacking\/20986\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/what-is-conversation-hijacking\/25567\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/what-is-conversation-hijacking\/28196\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/what-is-conversation-hijacking\/25865\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/what-is-conversation-hijacking\/26246\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/what-is-conversation-hijacking\/28734\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/what-is-conversation-hijacking\/35187\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/what-is-conversation-hijacking\/48010\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/what-is-conversation-hijacking\/20490\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/what-is-conversation-hijacking\/21166\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/what-is-conversation-hijacking\/30059\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/what-is-conversation-hijacking\/26180\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/what-is-conversation-hijacking\/31872\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/what-is-conversation-hijacking\/31556\/"}],"acf":[],"banner
s":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/e-mail\/","name":"e-mail"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20986","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2598"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=20986"}],"version-history":[{"count":1,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20986\/revisions"}],"predecessor-version":[{"id":20988,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20986\/revisions\/20988"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/20989"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=20986"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=20986"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=20986"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}