
Columbia professor develops a detector that stops lateral phishing attacks

October 29, 2019

Lateral phishing attacks - scams targeting users from compromised email accounts within an organization - are becoming an increasing concern in the U.S.

Whereas in the past attackers sent phishing scams from email accounts external to an organization, recently there has been an explosion of email-borne scams in which an attacker compromises an email account inside the organization and then uses it to send phishing emails to fellow employees, the kind of attack known as lateral phishing.

And when a phishing email comes from an internal account, the vast majority of email security systems can't stop it. Existing security systems largely detect attacks that come from the outside, relying on signals like IP and domain reputation, which carry no information when the email comes from a legitimate internal account. Lateral phishing attacks are also costly. FBI data on business email compromise, the broader category of attacks that includes lateral phishing, show losses of more than $12 billion between 2013 and 2018, with reported losses rising 136 percent over the last two years of that period.

To alleviate this growing problem, Data Science Institute member Asaf Cidon helped develop a prototype of a machine-learning based detector that automatically detects and stops lateral phishing attacks.

The detector uses several features to identify attacks, including whether the recipients deviate from the people an employee usually communicates with; whether the email's text resembles known phishing messages; and whether the link is anomalous (for example, a domain rarely or never seen in the organization's mail). On the study's data it detects the vast majority of these attacks with high precision and a low false positive rate: under four false positives for every one million employee-sent emails.

Cidon was part of a research team that analyzed a dataset of 113 million employee-sent emails from nearly 100 businesses. They also characterized 147 lateral phishing incidents, each of which involved at least one phishing email. The study was conducted jointly with Barracuda Networks, a network security company that provided data on its customers to the researchers with the goal of developing a detector for lateral phishing.

The researchers also wrote a paper about the study, Detecting and Characterizing Lateral Phishing at Scale, which recently won a Distinguished Paper Award at USENIX Security 2019, a leading cybersecurity conference.

"The attacks analyzed in this study represent one of the most difficult types of cyber attacks to detect automatically, since they emanate from within an internal employee's account," said Cidon, an Assistant Professor of Electrical Engineering and Computer Science (jointly affiliated) at Columbia Engineering as well as a member of the Data Science Institute. "The key to stopping such targeted socially-engineered attacks is to use machine-learning based methods that can rely on the unique context of the sender, recipient and organization."

When attackers launch a phishing attack, their objective is to convince the user that the email is legitimate and to cajole them into performing a certain action. What better way to convince a user that an email is legitimate, therefore, than by using a hacked email account belonging to a colleague they know and trust? In lateral phishing, attackers use a compromised email account to send phishing emails to other users in the organization, benefiting from the implicit trust of colleagues and from the information in the hijacked user's account. The classifiers that Cidon helped to develop look for anomalies in communication patterns. For instance, the classifiers would flag an employee suddenly sending a burst of emails with obscure links, or an employee systematically deleting emails from his or her sent items folder to mask the scam.
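As an added illustration of the two passages above (the three feature families the detector uses, and the communication-pattern anomalies such as a burst of emails with unseen links to unfamiliar recipients), the following Python sketch computes simplified versions of those signals from an organization's own sent-mail history. It is example code written for this page, not the paper's model or Barracuda's detector: a hand-written rule stands in for the paper's trained classifier, and the mailbox history, addresses, link domains and phishing-wording cues are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Email:
    sender: str
    recipients: list
    body: str


# Constructed sent-mail history for a fictional organization, example.com;
# every address, domain and message is made up for this example.
HISTORY = [
    Email("alice@example.com", ["bob@example.com"],
          "Notes from today's sync: https://wiki.example.com/sync-notes"),
    Email("alice@example.com", ["bob@example.com", "carol@example.com"],
          "Draft slides: https://drive.example.com/d/123"),
    Email("carol@example.com", ["dave@example.com"],
          "Vendor invoice: https://drive.example.com/d/456"),
    Email("dave@example.com", ["carol@example.com", "erin@example.com"],
          "Approved, see https://tickets.example.com/T-9"),
]

URL_RE = re.compile(r"""https?://[^\s<>"']+""")
# Wording cues modelled on the generic phishing text the article quotes;
# the list is an assumption for this example, not the paper's lexicon.
CUE_RES = [re.compile(p, re.I) for p in (
    r"\b(new|shared) (document|file)\b",
    r"\bclick here\b",
    r"\b(open|view|review|access) (the |your )?(document|file|attachment)\b",
    r"\b(verify|confirm) (your )?(account|password|credentials)\b",
)]


def link_domains(body):
    """Hostnames of all URLs in a message body (urlparse lower-cases them)."""
    hosts = (urlparse(u).hostname for u in URL_RE.findall(body))
    return {h for h in hosts if h}


class OrgModel:
    """Per-sender contact sets and org-wide link-domain popularity,
    built from nothing but the organization's own sent-mail history."""

    def __init__(self, history):
        self.contacts = defaultdict(set)        # sender -> recipients seen
        self.domain_senders = defaultdict(set)  # domain -> senders who linked it
        for e in history:
            self.contacts[e.sender].update(e.recipients)
            for d in link_domains(e.body):
                self.domain_senders[d].add(e.sender)

    def domain_popularity(self, domain):
        """Distinct employees who have ever linked to this domain."""
        return len(self.domain_senders.get(domain, ()))


def extract_features(email, model):
    """The three signal families the article lists: recipient novelty,
    phishing-like wording, and an anomalous (never-seen) link domain."""
    known = model.contacts.get(email.sender, set())
    new = sum(1 for r in email.recipients if r not in known)
    popularity = [model.domain_popularity(d) for d in link_domains(email.body)]
    return {
        "new_recipient_frac": new / len(email.recipients) if email.recipients else 0.0,
        "rare_link": bool(popularity) and min(popularity) == 0,
        "lexical_cues": sum(1 for rx in CUE_RES if rx.search(email.body)),
    }


def is_lateral_phish(email, model):
    """Hand-written rule standing in for the paper's trained classifier:
    a never-seen domain is common in benign mail, so it only counts when
    paired with an unusual recipient set or phishing-like wording."""
    f = extract_features(email, model)
    return f["rare_link"] and (f["new_recipient_frac"] >= 0.5 or f["lexical_cues"] >= 1)


def burst_senders(recent_emails, model, min_emails=3):
    """Senders who, within one window, sent at least min_emails messages
    carrying a never-seen link to people they had not contacted before."""
    counts = Counter()
    for e in recent_emails:
        f = extract_features(e, model)
        if f["rare_link"] and f["new_recipient_frac"] > 0:
            counts[e.sender] += 1
    return sorted(s for s, c in counts.items() if c >= min_emails)


def demo():
    """Score one benign message and one constructed lateral phish."""
    model = OrgModel(HISTORY)
    benign = Email("alice@example.com", ["bob@example.com"],
                   "Updated notes: https://wiki.example.com/sync-notes")
    phish = Email("alice@example.com",
                  ["dave@example.com", "erin@example.com", "frank@example.com"],
                  "You received a new document, click here to open: "
                  "http://docs-share.example.net/view")
    return is_lateral_phish(benign, model), is_lateral_phish(phish, model)


if __name__ == "__main__":
    print(demo())  # (False, True)
```

The point of the rule in `is_lateral_phish` is the one the article makes about reputation signals: nothing about the sender or the sending IP distinguishes the phish from the benign message, since both come from Alice's real account. What separates them is context the organization already holds, namely that Alice has never written to these three people and nobody in the company has ever linked to that domain, combined with the generic "new document, click here" wording. A never-seen link by itself is deliberately not enough, because employees share unfamiliar links all the time; that trade-off is what the study's false-positive figure is measuring, and a real deployment would learn the weighting from labelled incidents rather than hard-code it as done here.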

Drawing on the attacks the detector surfaced, as well as on a collection of user-reported incidents, the researchers quantified the scale of lateral phishing and identified the thematic content and recipient-targeting strategies that attackers used. They characterized two strategies attackers use to tailor their attacks: content tailoring and name tailoring. Content tailoring is how the attacker shapes the body of the email to compel the recipient to click the link and fall for the phish. The most common content they discovered was generic phishing text (for example, "You received a new document, click here to open"). But they also found that some attackers tailored the email to the specific context of the organization (e.g., "Please see the attached announcement about Acme's 25th year anniversary"). Name tailoring is how attackers personalize the email to a recipient using his or her name and role in the organization (e.g., "Bob, please review the attached purchase order," where Bob works in accounting).

Some key findings from their analysis of more than 100 million emails from nearly 100 organizations include:

More than 10 percent of incidents result in the successful compromise of at least one additional internal account, a rate orders of magnitude higher than for attacks originating externally.

The majority of attacks are relatively simple phishing emails. But a significant percentage of attackers do heavily tailor their emails in accord with the recipient's role and the context of the organization.

More than 30 percent of attackers engage in some kind of sophisticated behavior: either hiding their presence in the compromised account (e.g., deleting the outgoing phishing emails) or replying to recipients who question the message to ensure the attack succeeds. Cidon says these kinds of attacks represent the new frontier of cyber crime: highly personalized attacks where attackers are willing to spend days and weeks "doing reconnaissance."

"In this study we focused on link-based lateral phishing," adds Cidon. "There's still a large amount of work to do, however, in exploring attacks without links or attacks that combine other social mediums such as text messages and voice. But we hope our detector helps combat the growing scourge of lateral phishing attacks."

Data Science Institute at Columbia
