HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Study Raises Awareness of Threat of Lateral Phishing Attacks

A recent study by the University of San Diego, University of California Berkeley, and Barracuda Networks has shed light on a growing threat to healthcare organizations – Lateral phishing.

In a standard phishing attack, an email is sent containing an embedded hyperlink to a malicious website where login credentials are harvested. The emails contain a lure to attract a click. That lure is often tailored to the organization being attacked. These phishing emails are relatively easy to identify and block because they are sent from outside the organization.

Lateral phishing is the second stage in the attack. When an email account is compromised, it is then used to send phishing emails to other employees within the organization. Phishing emails are also sent to companies and individuals with a relationship with the owner of the compromised account.

This tactic is very effective. Employees are trained to be suspicious of emails from unknown senders. When an email is received from a person in the organization that usually corresponds with the employee via email, there is a much higher chance of a requested action being taken.

Lateral phishing is one of several types of email account takeover attacks. One of the most common is Business Email Compromise (BEC). With BEC, the aim of the attack is to gain access to the credentials of the CEO. The account is then used to request fraudulent wire transfers. Lateral phishing is primarily concerned with credential theft rather than financial fraud. The goal is to compromise as many accounts as possible within an organization.

For the study, the researchers took a detailed look at phishing and lateral phishing attacks at 100 organizations and identified the strategies being used, the sophistication of the attacks, and which techniques were the most successful.

1 in 7 of the organizations studied had experienced a lateral phishing attack and 180 lateral phishing attacks were identified. In 11% of attacks, further email accounts within the organization were compromised. The researchers note that in 42% of cases, the lateral phishing emails were not reported to the IT department or security team. This failure to report could mean an account breach remains undetected and the compromised email account can continue to be used.

55% of the attacks targeted individuals with a personal or work relationship with the company and almost all emails were sent during regular working hours.

The attackers followed four main strategies when conducting attacks. The most common, used in 45% of attacks, was the sending of generic phishing messages. The most common lures were “shared document” and “account problem.” 63% of all lateral phishing emails were commonplace messages, 30% were refined messages, and 7% were highly targeted.

In 29% of attacks, the email account was used to send tailored messages to close and recent contacts. 25% of attacks involved sending messages to dozens to hundreds of employees. Only 1% of attacks were on business associates of the organization.

In 31% of cases, the phishers use stealth tactics to add realism to their campaigns and evade detection. It is common for emails to be deleted from the sent folder in the compromised account to ensure an account compromise is not detected by the account owner. The researchers found that emails were also deleted from the recipient’s account. This tactic was used in 19.5% of hijacked accounts. In 17.5% of cases, the attackers responded to replies from the recipient of the phishing email to convince them that the request was genuine.

Defending against these attacks requires a three-pronged approach. Security awareness training for employees is essential. All employees should be made aware of the threat of phishing from within the organization.

Two-factor authentication will help to ensure that even in the event that credentials are obtained, they cannot be used to remotely access an email account.

Finally, organizations should invest in advanced detection techniques and solutions that can identify and delete phishing emails before they reach end users’ inboxes.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.