Phishers Try to Hook Alaska USA FCU as Account Takeover Study Is Released

A warning from Alaska's Attorney General: "The scammers are trying to steal your money and your identity."


Alaska Attorney General Kevin G. Clarkson warned of a phishing scam affecting Alaskans, with scammers pretending to be from the $8.3 billion, Anchorage-based Alaska USA Federal Credit Union.

In a press release, the Alaska AG office warned, “The scammers send a text message or email claiming the recipient’s account has been suspended, and that the recipient must click on a link that will take them to a webpage to reactivate their account. The text message or email may look legitimate, but it is not. The scammers are trying to steal your money and your identity. Do not click on the link or provide any personal information.”

The Alaska AG’s office noted phishing scams where the scammer claims to be from a familiar company are common. In recent years, scammers have sent phishing emails and text messages pretending to be from well-known companies such as Netflix, Amazon and VISA. Clarkson stated, “Scammers are good at mimicking trusted businesses. We all have to be vigilant in protecting our personal information, and in reporting suspected scams to the authorities.”

The FBI’s Internet Crime Complaint Center (IC3) reported that internet-enabled theft, fraud and exploitation remain pervasive and accounted for $2.7 billion in financial losses in 2018, the most recent year reported. Alaskans lost $3.6 million that same year to online scams, according to the IC3. Javelin Strategy & Research reported that more than 14 million consumers fell victim to identity fraud.

Researchers from the Campbell, Calif.-based Barracuda Networks and UC Berkeley conducted a large-scale analysis of account takeover, “Threat Spotlight: Email Account Takeover.” It found cyberattackers are finding new ways to avoid detection when they compromise email accounts.

The researchers investigated the timeline of attacks, highlighted the behaviors hackers use to try to avoid detection, and ways to identify suspicious activity indicating the compromise of an email account.

“Email account takeover is a rapidly growing threat,” Asaf Cidon, author of the Barracuda/UC Berkeley report, said. He explained that cybercriminals use brand impersonation, social engineering and phishing to steal login credentials and gain access to an email account. Once inside, attackers monitor and track activity to learn how the company does business, which email signatures are used and how the organization handles financial transactions, then launch follow-on phishing attacks to harvest financial information and additional login credentials for other accounts.

Cidon pointed out these types of attacks are particularly difficult to intercept because they happen from within the company’s trusted email system. “Most email security tools won’t typically pick them up.”

Although account takeovers affect all organizations, credit unions and other financial institutions need to pay particular attention. “Any organization that deals with financial transactions is going to be a big target for new types of attacks,” Cidon said.

Cidon noted that hackers execute account takeover (ATO) attacks using a variety of methods: leveraging usernames and passwords acquired in previous data breaches; using stolen passwords for personal email accounts and then leveraging that access to try to reach business email; and brute-force attacks, which succeed because people use very simple passwords or reuse the same password across accounts. Attacks also arrive via web and business applications, including SMS.

To provide a detailed timeline analysis of an account-takeover attack, researchers used Barracuda’s artificial intelligence detectors to compile a list of compromised user accounts in August 2019. Researchers chose one compromised account, referred to as User X, and analyzed the Microsoft Azure login properties and email activity around the time of the first sign of potential compromise. In addition to the data from Barracuda’s detectors, researchers had access to the raw emails, including the subject line, body content and originating IP address, as well as the Microsoft applications used, including the IP address, time of login and operations performed.

Among Barracuda/UC Berkeley’s key findings were:

Comparing the account’s characteristics and activity before the first flagged detection with its activity in the weeks following that detection, researchers uncovered several indicators of attacker behavior, such as logins from IP addresses geolocated to cities and states other than the ones the user typically logs in from. User X typically logged in from two Texas cities, but logins to the account also came from Indonesia and various places in the United States, including Arizona, New York and Virginia.

In addition, login events and email activity likely tied to an attacker almost always originated from anonymizing IP services and hosting providers, such as GoDaddy.com and Google Cloud.

“The fact that most of the phishing emails were sent from IPs located in the United States may indicate that attackers try to evade detection by performing the bulk of their actions from IPs tied to similar regions/countries as the true user,” Cidon said in the report. This approach makes the activity appear less anomalous than activity coming from foreign regions. The report noted that without looking more closely at the emails sent from other locations in the United States, it would have been difficult to determine whether login activity from those locations was attributable to attackers.
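The three findings above (logins from unfamiliar cities and states, logins from hosting or anonymizing networks, and in-country attacker activity that a coarse geographic baseline would miss) translate directly into a sign-in log check. The following is an added example, not code from the Barracuda/UC Berkeley report: it builds a per-user location baseline from the logins before the first detection and then flags later logins by geographic novelty and by source-network type. The sign-in records, the Texas city names, the IP reputation table (keyed on RFC 5737 documentation ranges) and the `FIRST_DETECTION` timestamp are all constructed for illustration; a real deployment would resolve source ASN/organization from a GeoIP or ASN feed.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class SignIn:
    """One sign-in event, trimmed to the fields this check needs (as found in Azure AD sign-in logs)."""
    ts: datetime
    user: str
    ip: str
    city: str
    region: str  # state/province
    country: str


# Hypothetical reputation table over RFC 5737 documentation ranges (constructed for this example).
# Real deployments would look the source IP up in an ASN/GeoIP feed instead.
NON_USER_NETWORKS = {
    ip_network("203.0.113.0/24"): "hosting provider",
    ip_network("198.51.100.0/25"): "anonymizing VPN/proxy",
}


def ip_reputation(ip: str) -> str:
    addr = ip_address(ip)
    for net, label in NON_USER_NETWORKS.items():
        if addr in net:
            return label
    return "residential/enterprise"


# How coarsely a login's location is compared against the user's history.
LOCATION_KEY = {
    "country": lambda e: (e.country,),
    "region": lambda e: (e.country, e.region),
    "city": lambda e: (e.country, e.region, e.city),
}


def build_baseline(events, first_detection, granularity="city"):
    """Set of locations the user logged in from before the first flagged event."""
    key = LOCATION_KEY[granularity]
    return {key(e) for e in events if e.ts < first_detection}


def classify(events, first_detection, granularity="city"):
    """Return (event, reasons) for every login at or after first_detection.
    An empty reasons list means the login looked like the legitimate user."""
    baseline = build_baseline(events, first_detection, granularity)
    key = LOCATION_KEY[granularity]
    out = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.ts < first_detection:
            continue
        reasons = []
        if key(e) not in baseline:
            reasons.append(f"location {key(e)} not in {granularity}-level baseline")
        rep = ip_reputation(e.ip)
        if rep != "residential/enterprise":
            reasons.append(f"source IP {e.ip} belongs to {rep}")
        out.append((e, reasons))
    return out


def suspicious(events, first_detection, granularity="city"):
    return [e for e, reasons in classify(events, first_detection, granularity) if reasons]


# Constructed sample log for "User X": two Texas cities before the detection, then a mix of
# foreign and domestic logins afterwards. City names and timestamps are invented for illustration.
T = datetime
FIRST_DETECTION = T(2019, 8, 12, 9, 0)
USER_X = [
    SignIn(T(2019, 8, 1, 8, 5), "userx", "192.0.2.10", "Dallas", "TX", "US"),
    SignIn(T(2019, 8, 3, 17, 40), "userx", "192.0.2.11", "Austin", "TX", "US"),
    SignIn(T(2019, 8, 9, 8, 2), "userx", "192.0.2.10", "Dallas", "TX", "US"),
    # at or after the first detection
    SignIn(T(2019, 8, 12, 9, 0), "userx", "203.0.113.7", "Jakarta", "JK", "ID"),
    SignIn(T(2019, 8, 12, 9, 30), "userx", "192.0.2.10", "Dallas", "TX", "US"),  # the real user
    SignIn(T(2019, 8, 13, 2, 15), "userx", "203.0.113.44", "Phoenix", "AZ", "US"),
    SignIn(T(2019, 8, 14, 3, 5), "userx", "192.0.2.200", "New York", "NY", "US"),  # in-country, clean-looking IP
    SignIn(T(2019, 8, 15, 4, 20), "userx", "198.51.100.9", "Richmond", "VA", "US"),
]

if __name__ == "__main__":
    for gran in ("country", "city"):
        print(f"--- {gran}-level baseline ---")
        for e, reasons in classify(USER_X, FIRST_DETECTION, gran):
            print(e.ts, e.city, e.country, "->", "; ".join(reasons) or "looks like the user")
```

Run with a country-level baseline, the New York login is never flagged: it is in the user's country and comes from an address the reputation table does not know, which is exactly the evasion the report describes. Only the city-level (or region-level) baseline catches it, at the cost of more false positives from legitimate travel, so in practice the location score is combined with the network-type score and with mailbox-side signals such as new inbox rules or outbound phishing volume.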