SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Gmail bait attacks targeting business - Barracuda report
Wed, 17th Nov 2021
FYI, this story is more than a year old

Bait attacks launched via Gmail and other free email services could be making businesses in Asia Pacific vulnerable to targeted phishing attacks and other threats, according to new reports from Barracuda.

Taking in more than 10,500 organisations across the globe, Barracuda researchers found that more than a third (35%) of businesses reported being targeted by at least one bait attack in September 2021, with an average of three distinct mailboxes per company receiving one of these messages.

Often used by cybercriminals to research potential victims by testing out email addresses, bait attacks are a form of cyber reconnaissance aimed at improving the odds that an attack will succeed.

According to Barracuda, bait attack emails are usually sent with short or even empty content, which makes them hard for conventional phishing detectors to defend against, as they do not contain phishing links or malicious attachments. The goal of these attacks is to either verify the existence of the victims email account by not receiving any "undeliverable" emails or to get the victim involved in a conversation that would potentially lead to malicious money transfers or leaked credentials.

According to the study, 91% of attacks analysed by Barracuda were sent from Gmail accounts, which according to researchers, is not surprising given that most bait attacks are launched using fresh email accounts from free services, such as Gmail, Yahoo and Hotmail. Attackers also rely on low volume, non-burst sending behaviour to get past any bulk or anomaly-based detectors.

As traditional filtering technology is largely helpless when it comes to blocking bait attacks, Barracuda recommends deploying AI-based defence solutions capable of exploiting data extracted from multiple sources including communication graphs, reputation systems, and network-level analysis to be able to protect against such attacks.

"Businesses in Asia Pacific should not underestimate the security threat posed by bait attacks, which work to lay the groundwork for targeting phishing and other threats," says Mark Lukie, systems engineer manager, Barracuda, Asia Pacific.

"Aside from AI technologies to help you defend against bait attacks, making sure employees have the right security awareness training to recognise and report attacks will be crucial in staying protected," he says.

"This can of course be supported by automated incident response solutions to identify and remediate these messages in minutes, preventing further spread of the attack and helping to avoid making your organisation a future target."

Barracuda provides access to cloud-enabled, enterprise-grade security solutions. The company protects email, networks, data and applications with innovative solutions that grow and adapt.

"More than 200,000 organisations worldwide trust Barracuda to protect them in ways they may not even know they are at risk so they can focus on taking their business to the next level," the company says.