Conversation Hijacking
What is conversation hijacking?
Conversation hijacking is a cyber attack in which an attacker gains unauthorized access to a legitimate account used for communication purposes (such as email, messaging apps, or collaboration platforms like Slack) and inserts themselves into an existing conversation. By exploiting the trust between parties, attackers trick victims into sending money, sharing sensitive information, or clicking on malicious links.
How does conversation hijacking work?
Conversation hijacking typically follows a multi-stage process:
1. Initial access
An attacker gains access to a legitimate account by stealing user credentials through one of the following methods:
- Phishing or social engineering: Tricking users into revealing their credentials through phishing emails or entering them on fraudulent login pages.
- Malware: Keyloggers or Trojans capture credentials from infected devices.
- Credential stuffing: Using automated tools to test stolen username-password combinations from previous data breaches.
- Data breaches: Obtaining credentials leaked during large-scale data breaches.
- Session hijacking: Stealing active session tokens or cookies to bypass authentication.
2. Monitoring
In this stage, the attacker silently observes ongoing conversations in the hijacked account. They study the context of each conversation, including the workflow and the power dynamics between participants, and wait for the right moment to hijack it.
3. Execution
During this phase, the attacker transitions from a passive observer to an active participant. Leveraging the trust established in a conversation, the attacker inserts themselves into the thread at the opportune moment in one of the following ways:
- They may reply to the existing email or message, thereby inserting themselves in the thread.
- They may directly use the compromised account to send emails.
- They may use domain impersonation to send emails that closely resemble legitimate conversations.
Using the knowledge gathered in the previous phase, they craft emails or messages so convincingly that the victim fails to notice they are interacting with a fraudulent party. They may also use social engineering tactics. The objective in this stage is to direct the victim to perform a fraudulent action.
4. Exploitation
This is the final stage of the attack. The attacker exploits the mutual trust established in the conversation to reach their ultimate goals, such as:
- Wiring money to fraudulent accounts.
- Updating or changing payment/banking information.
- Clicking malicious links to phishing sites.
- Opening attachments containing malware.
- Handing over sensitive credentials or confidential documents.
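The execution tactics above (replying inside an existing thread, steering replies elsewhere, lookalike domains, and sudden banking changes) leave traces a defender can check for. The following is an added example, not code from the original article: it scans a constructed, simplified PO email thread and flags lookalike sender domains, a Reply-To that diverges from the From domain, and payment-change language. The trusted domains and the message field names are assumptions for the demo.

```python
import re

# Constructed thread (not from the article): simplified headers of a purchase-order chain.
THREAD = [
    {"from": "buyer@manuco.example", "reply_to": "",
     "body": "Please confirm PO 4471 for 500 brackets."},
    {"from": "sales@acme-parts.example", "reply_to": "",
     "body": "Confirmed, invoice INV-88 attached."},
    {"from": "sales@acme-parts.example", "reply_to": "ar@acme-parts-billing.example",
     "body": "Due to a merger our bank account has changed. Please wire to the new account."},
    {"from": "sales@acme-parst.example", "reply_to": "",  # transposed letters: lookalike domain
     "body": "Any update on the payment?"},
]
TRUSTED_DOMAINS = {"manuco.example", "acme-parts.example"}  # assumed known correspondents

CHANGE_WORDS = re.compile(r"\b(new|updated?|changed?)\b", re.I)
PAYMENT_WORDS = re.compile(r"\b(bank|account|wire|iban|routing)\b", re.I)

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if addr else ""

def edit_distance(a, b):
    # Classic Levenshtein DP; domains are short so O(len(a)*len(b)) is fine.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, trusted, max_dist=2):
    # Returns the trusted domain this one closely resembles, or None if exact/unrelated.
    for t in trusted:
        if domain != t and edit_distance(domain, t) <= max_dist:
            return t
    return None

def analyze_thread(thread, trusted):
    findings = []  # (message index, reason)
    for i, m in enumerate(thread):
        sender = domain_of(m["from"])
        target = lookalike_of(sender, trusted)
        if target:
            findings.append((i, f"lookalike domain {sender} resembles trusted {target}"))
        reply = domain_of(m.get("reply_to", ""))
        if reply and reply != sender:
            findings.append((i, f"Reply-To domain {reply} differs from From domain {sender}"))
        if CHANGE_WORDS.search(m["body"]) and PAYMENT_WORDS.search(m["body"]):
            findings.append((i, "payment/banking change requested: verify out of band"))
    return findings
```

Running `analyze_thread(THREAD, TRUSTED_DOMAINS)` flags the third message twice (Reply-To mismatch and banking change) and the fourth for its lookalike domain; the first two are clean.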
Example of conversation hijacking
A manufacturing company regularly orders parts from a long-standing, trusted supplier.
Attack stages include:
- Initial access: The cybercriminal gains access to the supplier’s email account through a phishing attack.
- Monitoring: Over several weeks, the attacker silently observes email conversations between the supplier and the manufacturer, learning payment schedules, invoice formats, order values, and communication patterns.
- Execution: In an ongoing email thread discussing a $50,000 order, the attacker replies from the compromised supplier account, stating that the supplier has changed banking details due to a merger. The attacker attaches a fraudulent invoice containing new wire transfer information and requests that future payments be sent to the updated account.
- Exploitation: The manufacturer processes the payment to the fraudulent account, believing the request is legitimate. The real supplier does not receive the funds, and the fraud is discovered only weeks later when the supplier follows up on the unpaid invoice.
This incident is an example of email thread hijacking, a common sub-type of conversation hijacking used in Business Email Compromise (BEC) and invoice fraud attacks.
Impacts of conversation hijacking
Conversation hijacking can cause severe consequences for both individuals and organizations:
- Financial loss: Victims may unknowingly send money to fraudulent accounts, process fake invoices, or approve unauthorized transfers.
- Data theft: Attackers may gain access to confidential documents, customer data, internal discussions, or intellectual property, which may lead to a data breach.
- Operational disruption: The attack may cause internal confusion, delay project completion, and erode trust between teams, partners, and vendors.
- Legal and compliance risks: Organizations could face penalties under regulations such as GDPR, HIPAA, PCI, or other data protection laws.
- Reputational damage: Loss of credibility with partners, vendors, employees, and customers.
How to prevent conversation hijacking?
Prevention of conversation hijacking in organizations requires a multi-layered approach. The following best practices will help reduce these attacks:
1. Strong authentication
- Enforce MFA on all accounts.
- Enforce the use of password managers to create, save, and share passwords.
- Monitor for leaked credentials on the dark web.
2. Email security
- Configure SPF, DKIM, and DMARC for your organization's domains.
- Use advanced email security solutions like Zoho eProtect, which detects and blocks phishing, impersonation, and reply-chain attacks. Zoho eProtect also deploys URL scanning and attachment sandboxing which prevent users from clicking malicious links or downloading malware.
3. Employee training
- Train employees to spot unusual requests.
- Educate teams about verifying changes in payment information.
- Encourage skepticism towards urgent financial instructions.
4. Verification procedures
- Require phone confirmations for bank account or payment-related changes.
- Implement zero-trust verification for high-value transactions.
5. Continuous monitoring
- Detect suspicious login attempts and access from unexpected IP addresses or locations.
- Monitor mailbox rules and forwarding behaviors.
- Track identity-based anomalies and unusual activity patterns.
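As an added example (not from the original article or any product), the monitoring checks above can be expressed as rules over a mailbox audit log. The log format, organisation domains, and per-user login baseline below are constructed assumptions for the demo, not a real product schema; the logic flags logins outside the user's baseline, forwarding to external addresses, and inbox rules that hide payment-related mail.

```python
import json

ORG_DOMAINS = {"acme-parts.example"}                        # assumed organisation domains
BASELINE_COUNTRIES = {"sales@acme-parts.example": {"US"}}  # assumed per-user login baseline
HIDING_FOLDERS = {"rss subscriptions", "deleted items", "archive", "junk email"}
SENSITIVE_TERMS = ("invoice", "payment", "wire", "bank")

# Constructed audit log (one JSON object per line; schema is invented for this example).
AUDIT_LOG = """\
{"ts":"2024-03-01T08:02:11Z","user":"sales@acme-parts.example","op":"login","ip":"203.0.113.7","country":"US"}
{"ts":"2024-03-01T23:41:05Z","user":"sales@acme-parts.example","op":"login","ip":"198.51.100.23","country":"NG"}
{"ts":"2024-03-01T23:44:30Z","user":"sales@acme-parts.example","op":"create_inbox_rule","rule":{"name":".","subject_contains":"invoice","move_to":"RSS Subscriptions","mark_read":true}}
{"ts":"2024-03-01T23:45:02Z","user":"sales@acme-parts.example","op":"set_forwarding","forward_to":"ar.acmeparts@mail.example"}
{"ts":"2024-03-02T09:10:44Z","user":"sales@acme-parts.example","op":"create_inbox_rule","rule":{"name":"Newsletters","subject_contains":"newsletter","move_to":"Newsletters"}}
"""

def is_external(addr):
    return addr.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS

def check_event(ev):
    # Returns a list of alert strings for a single audit event.
    alerts = []
    op = ev["op"]
    if op == "login":
        if ev["country"] not in BASELINE_COUNTRIES.get(ev["user"], set()):
            alerts.append("login from outside the user's baseline countries")
    elif op == "set_forwarding" and is_external(ev["forward_to"]):
        alerts.append("mailbox forwarding set to an external address")
    elif op == "create_inbox_rule":
        r = ev["rule"]
        if r.get("forward_to") and is_external(r["forward_to"]):
            alerts.append("inbox rule forwards to an external address")
        hides = r.get("delete") or r.get("move_to", "").lower() in HIDING_FOLDERS
        if hides and any(t in r.get("subject_contains", "").lower() for t in SENSITIVE_TERMS):
            alerts.append("inbox rule hides payment-related mail from the owner")
        if len(r.get("name", "")) <= 2:
            alerts.append("rule name is suspiciously short")
    return alerts

def scan_log(text):
    # Yields (timestamp, operation, alert) for every alert in the log.
    return [(ev["ts"], ev["op"], a)
            for line in text.splitlines() if line.strip()
            for ev in [json.loads(line)]
            for a in check_event(ev)]
```

The sample log produces four alerts: the late-night login from a new country, two for the "." rule that moves invoices into a folder the owner rarely checks, and one for the external forwarding address.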