What You Need to Know About Reply-Chain Phishing Attacks

You’ve probably heard of phishing attacks. Phishing is a fraudulent technique as old as the internet. It is used to deceive users to extract information like their bank accounts, credit cards, passwords, and usernames. 

As technology develops and cybersecurity measures along with it, these hacking techniques have unfortunately also developed and evolved. Nowadays, internet scammers no longer only use the basic phishing methods that most people can recognize. Instead, they use a new form of phishing known as reply-chain phishing. 

Last year, furniture giant IKEA fell victim to reply-chain attacks. The attackers successfully hijacked email chains and inserted a phishing email into the email thread.

What is Reply-Chain Phishing?

A reply-chain email attack is an attack in which the criminal uses previously stolen legitimate emails to send an email reply with a malicious link. As a result, the recipient believes that the response originated from a trustworthy sender, and the target is more inclined to click on the link or open the attachment.

Who Uses Email Conversation Thread Hijacking?

The use of email reply-chain attacks by threat actors has been rising for a while now. Although the method was initially discovered in a limited, targeted spear-phishing effort in May 2017, many cybercriminals quickly adopted it in 2018.

Emotet (a cybercriminal organization) used reply-chain attacks in 2019. To achieve this, the organization added an email-stealing module to its malware, which is also named Emotet. The module captures victims’ emails and login credentials and transfers them to Emotet’s C2 servers, where they are distributed to additional victims infected with Emotet’s spam module and then used in attacks against new victims.

Emotet has recently improved its reply-chain technique by going further to steal attachments from users and, like a trojan horse, hide their malicious files among the stolen benign attachments to make the email appear more authentic.

QakBot is also regularly distributed through new replies to existing email threads. In 2020, the Valak malware also began to spread via reply-chain hijacking.

Although not every hacker uses reply-chain phishing, they can still misuse an employee’s account once they access it. From there, they can escalate to a reply-chain attack whenever they want.  

What to Do If a Scammer Has Your Email Address

If you think a scammer has gained access to your email account, you should change your password immediately. Even if they haven’t gained access but you believe your account has been compromised, you should still consider changing it to a stronger, more secure password. 

Unfortunately, with reply-chain attacks you may not know they’ve gained access to your email account, since they prefer to lie low and send intermittent replies to the email chain. If they changed the password to block you from accessing the account, you might need to go through your email provider’s support page to reset your password.

After changing your password to a better, more secure one, you can take it a step further by adding two-factor authentication (2FA). That way, before they can access your email account, they’ll need to get their hands on the second factor, which is more challenging than getting your password.

How Cybersecurity Awareness Training Can Help Prevent Reply-Chain Phishing

Organizations must carry out frequent cyber security awareness training with information on the latest cyber threats to combat reply-chain phishing attacks effectively.

By reinforcing tips on avoiding scams, employees will, in turn, develop good habits and increase their sensitivity towards such attacks. This will make detecting any malicious message hiding in a reply chain thread easier. 

Get Help With Your IT Security Needs

Before reply-chain attacks came about, the best way to avoid phishing scams was to keep from opening links and attachments from unknown senders. 

But with reply-chain phishing attacks, victims are not even aware that their accounts have been compromised. As a result, attackers can cause irreversible damage before anyone detects them.

If an employee’s account is ever used in a reply-chain attack, the first thing to do is to inform the owner of the email account that it has been compromised. The owner will need to change their email details to flush out threat actors quickly.

An investigation will also need to be carried out to determine how the attackers got into the email account and how to prevent it in the future.

Humans find it difficult, if not impossible, to detect reply-chain phishing attempts because they are nearly indistinguishable from legitimate emails. Email filters that examine the attachments or links in emails, on the other hand, can detect harmful content regardless of how trustworthy the sender appears.
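A sketch of the kind of link and attachment check described above, added here as an illustration and not taken from the original article or any product. It flags a threaded reply whose new text links to a host that never appeared in the quoted history, or that carries a risky attachment type. The extension list, the ">" quoting convention and the sample message are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)
# Assumed list of attachment types to flag; tune to local policy.
RISKY_EXT = (".zip", ".iso", ".docm", ".xlsm", ".js", ".lnk")

def link_hosts(text):
    """Hostnames (lower-cased by urlparse) of every http(s) URL in text."""
    return {urlparse(u).hostname for u in URL_RE.findall(text)} - {None}

def inspect_reply(raw):
    """Return findings for one raw RFC 5322 message that replies in a thread."""
    msg = message_from_string(raw, policy=default)
    if not (msg["In-Reply-To"] or msg["References"]):
        return []  # not a reply; ordinary filtering applies
    body = msg.get_body(preferencelist=("plain",))
    lines = body.get_content().splitlines() if body else []
    # Assumption: quoted history is marked with ">" (plain-text replies only).
    quoted = "\n".join(l for l in lines if l.lstrip().startswith(">"))
    fresh = "\n".join(l for l in lines if not l.lstrip().startswith(">"))
    findings = []
    for host in sorted(link_hosts(fresh) - link_hosts(quoted)):
        findings.append(f"link to host not seen earlier in thread: {host}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"risky attachment type: {name}")
    return findings

def sample_reply():
    """Constructed sample: a reply adding an unfamiliar link and a .zip file."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = "Re: Q3 invoice"
    m["In-Reply-To"] = "<1234@example.com>"
    m.set_content("Please see the updated file: http://files.example.net/inv\n"
                  "> Thanks Bob, the portal is https://portal.example.com/q3\n")
    m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip",
                     filename="invoice.zip")
    return m.as_string()

if __name__ == "__main__":
    for finding in inspect_reply(sample_reply()):
        print(finding)
```

A finding here is a reason to quarantine or rescan the message, not proof of compromise; legitimate replies also introduce new links and archives.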

Secure your servers from malicious actors today using Cloudavize, the one-stop shop for all your IT needs. Reach us at (469) 250 1667 or through our contact form.