[Header image: “Understand Conversation Hijacking: A New Threat”, bp IT Managed Services, Cybersecurity Month]

In the ever-evolving landscape of cyber threats, email scams remain a prevalent danger, continuously adapting to bypass security measures and exploit unsuspecting victims. One of the more sophisticated tactics that has gained traction in recent years is conversation hijacking. This insidious form of email scam involves cybercriminals infiltrating legitimate email threads to introduce malicious content, often with devastating consequences for individuals and organizations alike.

What is Conversation Hijacking?

Conversation hijacking, also known as email thread hijacking, occurs when cybercriminals gain unauthorized access to email accounts and insert themselves into ongoing email conversations. By leveraging the trust and familiarity established within these threads, attackers can deceive recipients into divulging sensitive information, transferring funds, or downloading malware.

Unlike traditional phishing attacks that rely on unsolicited emails, conversation hijacking exploits the authenticity of existing email exchanges. This makes it particularly challenging to detect, as the malicious content appears to come from a trusted source and within the context of a legitimate conversation. Most users are trained to check the sender address and other characteristics of new mail, but not necessarily those of replies in long-running threads.

How Do Cybercriminals Hijack Email Conversations?

1. Initial Compromise

Cybercriminals first gain access to a victim’s email account through various methods, such as phishing, credential stuffing, or exploiting security vulnerabilities. In this situation, the method is less important than the follow-up damage. Once inside, they can monitor the victim’s communications and identify potential targets or exfiltrate all of the data in the mailbox to sift through for targets later.

2. Reconnaissance and Selection

After gaining access, attackers observe ongoing email threads to identify opportunities for exploitation. They look for conversations involving sensitive topics, financial transactions, or any scenario where they can insert themselves without raising suspicion. Frequently, this involves accounts payable/receivable (AP/AR) transactions or sales orders.

3. Insertion and Deception

At the opportune moment, the attacker inserts a malicious email into the conversation. This email may contain a link to a phishing site, an attachment with malware, or a request for sensitive information. Because the email appears to come from a trusted participant in the thread, recipients are more likely to comply with the malicious request.

In most of the cases we’ve seen recently, they simply find an excuse to push for an ACH transfer instead of a card or check payment, or announce a change in banking information that requires a wire to go to a new account. Attackers tend to prefer this over a malicious payload, since the damage can go undetected for days, if not weeks.

In many cases, this email comes from a lookalike domain rather than the initially compromised mailbox. Sometimes the attackers have exported an entire mailbox and spend the next several months exploiting conversation after conversation with different targets. We have seen numerous attacks recently using lookalike domains, some targeting the initially compromised mailbox and others targeting its contacts.

4. Execution and Exploitation

Once the recipient falls for the scam, the attacker can achieve their objective, whether it be stealing credentials, deploying malware, or facilitating unauthorized financial transactions. The consequences can be severe, ranging from financial losses to data breaches and reputational damage. Recovering money wired to an attacker’s account can be extremely difficult. Even if the money can be recovered or the wire can be reversed, having a large amount of money tied up for multiple days can be debilitating for many small businesses.

In the early days of this type of attack, most of the replies were boilerplate, generic invoice messages sent in reply to ancient threads, which would usually feel suspicious. We used to see emails sporadically come in with “invoices” attached, in reply to a ticket creation email from a year or more ago, which certainly isn’t normal procedure.

Now, though, malicious actors are focusing very specifically on manually targeted threads and people. They explicitly pose as someone else and continue recent conversations in order to misdirect funds to “new banks” and run off with your cash.

How To Protect Yourself and Your Organization

Given the sophisticated nature of conversation hijacking, defending against it requires a multi-layered approach. The best answer, as always, is to prepare and train your users for this angle of attack. Train them that just because something looks like a reply to an existing email, it isn’t necessarily legitimate or safe. Ensure your employees are verifying any change in transaction methods or unexpected bills via some means other than the email/chain they’re attached to.

Protecting your mailboxes with multi-factor authentication and MDR/EDR or other monitoring and protection can help limit a lot of potential attack surface, since if malicious actors can’t get into your mailboxes they can’t trawl for vulnerable threads. It’s important to note, though, that this is only half of the equation. You can’t control your contacts’ and vendors’ security and mailboxes, so if they suffer a breach, malicious actors can still intercept messages or spin off threads to spoofing domains.
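As an added illustration (not code from the original post or from bp IT Managed Services), the following Python script turns the guidance above into mechanical triage heuristics a mail gateway or help desk could apply to a reply arriving in an existing thread: it flags a sender or Reply-To domain that is a close lookalike of a domain already in the thread, a Reply-To that points somewhere other than the sender, and wording that asks to change how or where payment is sent. The thread, addresses and message bodies are constructed for the example; a flag means “verify out of band”, not “definitely fraud”.

```python
"""Triage heuristics for replies arriving in an existing email thread.

Added example, not the post's own code. Flags (for human verification):
  1. Sender or Reply-To domain is a lookalike of a thread participant's domain
     (equal after mapping common homoglyphs, or within edit distance 2).
  2. Reply-To domain differs from the sender's domain.
  3. Body asks to change the payment method or destination.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Wording seen in payment-redirection requests (constructed, not exhaustive).
PAYMENT_CHANGE_PATTERNS = [
    r"\bACH\b",
    r"\bwire\b",
    r"new (bank|banking|account|remittance)",
    r"(updated|changed|change of) (bank|banking|account|payment|remittance)",
]

# Substitutions that make two domains look alike to a human reader.
HOMOGLYPHS = [("rn", "m"), ("0", "o"), ("1", "l"), ("vv", "w"), ("cl", "d")]


@dataclass
class Message:
    sender: str
    body: str
    reply_to: str = ""


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def normalize(domain: str) -> str:
    """Collapse homoglyph substitutions so lookalike domains compare equal."""
    for fake, real in HOMOGLYPHS:
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; domains are short, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, known: Set[str]) -> Optional[str]:
    """Return the known domain this one imitates, or None if it is known or unrelated."""
    if domain in known:
        return None
    for k in known:
        if normalize(domain) == normalize(k) or edit_distance(domain, k) <= 2:
            return k
    return None


def analyze_reply(thread: List[Message], reply: Message) -> List[str]:
    """Return human-readable findings for a reply; empty list means nothing flagged."""
    known = {domain_of(m.sender) for m in thread}
    findings: List[str] = []
    sender_domain = domain_of(reply.sender)
    checks = [("sender", sender_domain)]
    if reply.reply_to and domain_of(reply.reply_to) != sender_domain:
        reply_domain = domain_of(reply.reply_to)
        findings.append(f"reply-to domain {reply_domain} differs from sender domain {sender_domain}")
        checks.append(("reply-to", reply_domain))
    for label, dom in checks:
        match = lookalike_of(dom, known)
        if match:
            findings.append(f"{label} domain {dom} is a lookalike of thread participant {match}")
    if any(re.search(p, reply.body, re.IGNORECASE) for p in PAYMENT_CHANGE_PATTERNS):
        findings.append("body requests a change in payment method or destination")
    return findings


# Constructed sample thread: a vendor and a customer's AP mailbox.
SAMPLE_THREAD = [
    Message("billing@acme-supply.com", "Invoice 1042 attached."),
    Message("ap@example.com", "Received, scheduling payment by check."),
]
BENIGN_REPLY = Message("billing@acme-supply.com", "Thanks, a check works for us.")
LOOKALIKE_REPLY = Message(
    "billing@acme-supp1y.com",
    "Our banking information has changed; please send the wire to the new account below.",
)
SPOOFED_REPLY = Message(
    "billing@acme-supply.com",
    "Please use ACH going forward; details for the new account are attached.",
    reply_to="billing@acme-supp1y.com",
)

if __name__ == "__main__":
    for name, reply in [("benign", BENIGN_REPLY), ("lookalike", LOOKALIKE_REPLY), ("spoofed", SPOOFED_REPLY)]:
        print(name, analyze_reply(SAMPLE_THREAD, reply) or ["no findings"])
```

The point of the three separate checks is that each catches a different variant described above: the lookalike check handles replies spun off to a spoofing domain, the Reply-To check handles a forged From address that routes answers elsewhere, and the wording check handles the payment-redirection request itself, which can arrive from the genuinely compromised mailbox with no domain anomaly at all. That last case is exactly why the out-of-band verification rule for payment changes has to stay in place regardless of what the mail filter says.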

Bring It All Together

Conversation hijacking email scams represent a sophisticated and growing threat in the realm of cybersecurity. By understanding how these attacks work and implementing comprehensive protective measures, individuals and organizations can better defend against this insidious form of cybercrime.

Staying vigilant, educating users, and employing advanced security technologies are crucial steps in safeguarding your email communications and preventing the potentially devastating consequences of conversation hijacking. As cybercriminals continue to evolve their tactics, it is essential to remain proactive and adaptive in your defense strategies.

Ready to Turn the Tables on Cyber Threats?

Join us for our free webinar, “Overcome Your Cybersecurity Fears,” on October 31st, where we’ll dive deeper into effective strategies to combat the year’s top cybersecurity threats. This session is perfect for anyone eager to enhance their defensive tactics and learn in a supportive community setting. Don’t keep this Halloween treat to yourself—invite your colleagues and friends to join in! Together, we will build a safer digital world.


Contact us today to discuss your options. Let Bennett/Porter help you make the best decision for your business by leveraging our expertise. We are committed to making your transitions seamless and protecting your business from potential security risks associated with outdated systems.