What is Conversation Hijacking? Exploring This Emerging Form of Phishing

Social engineering attacks like phishing emails regularly yield good results for threat actors as an initial entry point into business networks. By exploiting human psychology rather than relying on sophisticated technical skills, hackers regard phishing campaigns as low-hanging fruit, and they are easy to scale. In fact, one analysis of cyber incidents found that phishing was involved in 90% of data breaches.

The relative technical simplicity of phishing does not mean there is no room for evolution in methods. In the last couple of years, a new form of phishing dubbed conversation hijacking has emerged. This article goes into detail on what conversation hijacking is, why it’s worth paying attention to as a cyber threat and some strategies for defending against it.

What is Conversation Hijacking?

Conversation hijacking is a newer type of phishing attack where threat actors insert themselves into business email conversations. The motivation for conversation hijacking could be leveraging intelligence to send fake invoices and receive large payouts or to snoop on sensitive business information.

Reports about conversation hijacking stretch back to 2019 when a hacker managed to get in the middle of communications between a Chinese venture capital firm and an Israeli startup. The result of this attack was the loss of $1 million in funding. If this sounds like a man-in-the-middle attack, well, it kind of is, except that it exploits human psychology rather than insecure communication channels.

Typical conversation hijacking attacks use one of two methods:

1. Compromising and taking over an existing business email account belonging to an employee, senior executive, vendor or business partner
2. Domain impersonation, where the attacker sets up a lookalike domain for the purpose of duping people into believing they’re communicating with a genuine source

Conversation hijacking clearly takes more work than your standard phishing email that tries to dupe people into giving up a password or clicking a malicious link. Often, dozens of emails are exchanged before the attacker manages to achieve their goal. If the attacker opts for the email compromise method, they’ll either need to use stolen credentials or deploy base layer hacking methods that enable them to steal the password to an account. If the attacker goes for the domain impersonation route, a degree of precision is needed to create a fake domain that is difficult to spot.

Either way, care and patience are tenets of this emerging form of social engineering. As cybersecurity awareness about basic social engineering grows, it’s clear that threat actors are starting to consider refining their methods.

Why Pay Attention to Conversation Hijacking?

The example given from 2019 was not an isolated incident that signifies an extremely rare cyber threat. Recent analysis from 2021 found that conversation hijacking attacks more than doubled. In the final quarter of the year, over 12,000 attacks were detected, which demonstrates the large volume of activity related to this threat.

Attacks can be so effective because the fraudulent messages appear to be an organic part of an ongoing email chain rather than the unsolicited “out of nowhere” messages often used in standard phishing campaigns. In addition to this, successful attacks piggyback off of a trusted email account or domain whose authenticity appears genuine to the untrained eye.

While conversation hijacking represents a small overall proportion of phishing or social engineering attacks, its recent growth and potential consequences make it well worth paying attention to:

• Fraudulent transactions (invoices, transfers) affecting a key business partner can destroy your relationship with that partner
• Hackers can leverage the inherent trust in an ongoing email discussion to easily get victims to open a malicious file and spread ransomware or other types of malware
• Sensitive conversations can reveal information to third parties that destroys your company’s competitive edge or enables others to steal your ideas

Suggested Ways to Mitigate Conversation Hijacking Threats

While conversation hijacking is a growing and somewhat unique cyber threat, there are some excellent ways and tools to mitigate these attacks, some of which you should (hopefully) already be using.

Use Multifactor Authentication for Business Email Accounts

For a bunch of different security reasons, it’s good practice to switch on multifactor authentication for logins to important business applications—email is no exception. With multifactor authentication in place, you can prevent conversation hijacking attacks that start with business email compromise (BEC). Even if a threat actor gets the credentials for a business email account, MFA prevents them from being able to log in without additional evidence that proves their identity.

Incorporate Conversation Hijacking into Phishing Simulation/Training

As phishing techniques adapt, it’s important that education evolves to reflect these changes. Conversation hijacking should start to appear in educational materials and as part of any simulated phishing exercises at your organization. When employees are aware that hackers are trying to get between their email communications, they can start to exercise more vigilance over the email addresses they exchange messages with and the content in those messages.

Monitor for Domain Name Spoofing

Since most conversation hijacking attempts start with a spoofed domain, it’s a good idea to monitor for these threat signals. Adversaries will usually register a domain name similar to your organization’s, perhaps with a letter or number added or omitted. Employees might struggle to spot these differences because their daily work tasks take priority over closely inspecting email addresses. Dedicated domain name monitoring services are available to look for slight variations on your domain name and request takedowns.

Limit Malware Damage

If a business email account gets compromised, it can be difficult to avoid a negative outcome. However, it’s possible to limit the damage done to your network by ensuring you have sufficient capability to detect and respond to threats.

Hackers sometimes use conversation hijacking as a springboard to get further inside your environment and install ransomware. Typically, this involves taking over an email account and then getting a victim to install a remote access trojan on their device. With adequate endpoint detection and response (EDR) or managed detection and response (MDR), you can thwart conversation hijackers in their tracks before they cause real damage.

Conversation hijacking is just one of many tactics threat actors use to wreak havoc on your network and operations. Contact Nuspire today to learn more about how we can create a customized security solution that protects you from today’s biggest threats.