Abnormal Commentary: American Airlines Breach Highlights Impact of Credential Phishing
Abnormal Commentary is a series where we take a look at recent newsworthy events to provide insight into what happened, the consequences of the attack, and how it could’ve been prevented. In this article, we speak with Director of Threat Intelligence Crane Hassold about the recent American Airlines breach.
Can you provide a brief background of the American Airlines breach that was first reported on September 16?
Based on public reports, it seems that a credential phishing campaign targeted a number of American Airlines employees and was successful in compromising a limited number of mailboxes. While there was sensitive information available to the attackers, including passport numbers, there appears to be no definitive indication that the customer data has been misused. We don’t currently have information on the extent of the mailboxes affected, but company officials have maintained that it was only a small number.
What is the motivation behind this type of attack?
It’s unknown at this point what the actual motivation is since we don’t know the overall impact of the attack. I think the thing to highlight here is that while data breaches are concerning, successful credential phishing attacks open organizations to a wide range of potential problems.
Credential phishing targeting businesses and enterprises has increased substantially over the past few years. Historically, credential phishing attacks targeted individuals for their bank credentials. But what we’ve seen since 2017 is this massive evolution in the credential phishing landscape where cybercriminals are moving to enterprise targets instead. In fact, over 70% of the attacks that we see here at Abnormal contain a credential phishing link. Similar to what we’ve seen in ransomware and BEC, threat actors have realized they can make more money targeting businesses and have thus shifted their focus.
Why is credential phishing such an issue? What does it lead to?
One of the benefits of gaining access to mailbox credentials is that there are a lot of different ways they can be used. Not only can an attacker steal actual information like customer records, but they can redirect certain emails to other accounts and monitor them, waiting for the right moment to complete a vendor email compromise attack. They can pivot to other connected applications to steal sensitive information in other cloud applications, like SharePoint or OneDrive. Or they can use them to reuse passwords on other sites, moving across the enterprise to see what other information is available.
An attacker can also use a compromised account to launch additional phishing campaigns on other employees, customers, or vendors. Lateral phishing attacks that originate from internally-compromised accounts are some of the most concerning types of threats because they can’t be detected in the same ways as inbound phishing attacks, since traditional security tools have limited insight into East-West traffic. There's also a presumption of trust when an employee receives an email from the legitimate account of another company employee.
The possibilities are nearly endless once attackers have access to an email account, and the next move simply depends on their motivations. Enterprise credentials as a whole have become extremely valuable, which is why the majority of these attacks either target brands like Microsoft or Adobe, or internal systems like the IT Help Desk. In both cases, the idea is to trick users into visiting a website and inputting their email credentials.
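The answer above mentions attackers redirecting certain emails to other accounts and monitoring them while waiting for the right moment. Inbox rules are the usual mechanism for that, so auditing them is one of the first things an incident responder checks after a mailbox compromise. The following is an added example (not code from Abnormal or from the article) of a small rule audit. The rule record shape, the field names, the internal domain and all sample rules are constructed for illustration; a real deployment would feed it rules exported from the mail platform's admin API.

```python
"""Audit inbox rules for the post-compromise patterns described above.

Added example, not code from Abnormal or the original article. The rule
records are a simplified, constructed shape; field names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

INTERNAL_DOMAINS = {"example-corp.com"}  # constructed: the tenant's own domains

# Keywords BEC actors commonly filter on to hide payment-related threads
FINANCE_TERMS = {"invoice", "payment", "wire", "bank", "remittance", "ach"}
# Folders users rarely look at, often used to park intercepted messages
HIDDEN_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Conversation History", "Junk Email"}


@dataclass
class InboxRule:
    mailbox: str
    name: str
    forward_to: list = field(default_factory=list)  # forward/redirect targets
    move_to_folder: Optional[str] = None
    delete: bool = False
    subject_keywords: list = field(default_factory=list)
    mark_as_read: bool = False


def is_external(address: str) -> bool:
    """True when the address is outside the tenant's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def audit_rule(rule: InboxRule) -> list:
    """Return human-readable findings for one rule (empty list = nothing odd)."""
    findings = []
    external = [a for a in rule.forward_to if is_external(a)]
    if external:
        findings.append("forwards to external address(es): " + ", ".join(external))
    kw_hits = [k for k in rule.subject_keywords if k.lower() in FINANCE_TERMS]
    hidden = rule.delete or rule.move_to_folder in HIDDEN_FOLDERS
    if kw_hits and (hidden or rule.mark_as_read):
        where = "deletes" if rule.delete else (
            f"moves to '{rule.move_to_folder}'" if hidden else "marks as read")
        findings.append(f"{where} messages matching finance terms {kw_hits}")
    if len(rule.name.strip()) <= 1:
        # Attacker-created rules are frequently named with a single character
        findings.append(f"suspiciously short rule name {rule.name!r}")
    return findings


def audit_mailboxes(rules: list) -> dict:
    """Group findings by mailbox; mailboxes with clean rules are omitted."""
    report = {}
    for r in rules:
        for f in audit_rule(r):
            report.setdefault(r.mailbox, []).append(f"[{r.name!r}] {f}")
    return report


# Constructed sample rules: two malicious ones on the AP clerk's mailbox,
# two benign ones elsewhere.
SAMPLE_RULES = [
    InboxRule("ap.clerk@example-corp.com", ".",
              forward_to=["attacker-mailbox@example.net"]),
    InboxRule("ap.clerk@example-corp.com", "Vendor cleanup",
              move_to_folder="RSS Feeds",
              subject_keywords=["invoice", "payment"], mark_as_read=True),
    InboxRule("hr@example-corp.com", "Newsletters",
              move_to_folder="Newsletters", subject_keywords=["digest"]),
    InboxRule("cfo@example-corp.com", "Forward to assistant",
              forward_to=["assistant@example-corp.com"]),
]

if __name__ == "__main__":
    for mailbox, items in audit_mailboxes(SAMPLE_RULES).items():
        print(mailbox)
        for item in items:
            print("  -", item)
```

The forward-to-external check is the single highest-value signal; the finance-keyword and short-name checks catch the quieter variant where the attacker only hides replies inside the victim's own mailbox instead of exfiltrating them.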
Is the customer data breach the biggest issue stemming from this attack?
One of the things to keep in mind here is that data breach is a generalized term that is being used by the media, but we don’t know if/what data was even accessed, let alone stolen. All we know right now is that there was the opportunity for unauthorized access, leading to the potential for a data breach.
These types of credential phishing attacks are happening every single day. At Abnormal, we see literally hundreds of credential phishing campaigns on a daily basis. And like I said before, the reason these attacks are so prevalent is because they provide the opportunity to do so much. Once even a single email account has been compromised, attackers have access to a treasure trove of information.
Knowing that credential phishing provides the attacker with the keys to the kingdom, can you walk us through how an attacker sets up one of these email attacks?
One of the reasons why credential phishing attacks are so popular is that there is a whole underground economy dedicated to selling what are known as phishing kits, which are essentially archives of files that contain the necessary pieces required to set up a phishing page. There are access brokers that provide access to compromised sites. And there are bulletproof hosting providers that can sell access to domains that are much harder to take down. There are sellers out there who provide what are fully-undetectable phishing sites, which means that once they are delivered, they cannot be detected by email browser defenses.
So there’s a pretty robust economy of buyers and sellers that make it relatively easy for less technically sophisticated actors to get involved. And once they have those phishing kits, launching the attack is relatively trivial. They simply need to gain access to a mailer that can send the email to thousands of targets at a time.
What does this breach tell us about enterprise security practices in general? How could this attack have been stopped?
What it reminds us is that employee mailbox credentials are always going to be a gold mine for threat actors and they should be treated as such. Enterprises need to have email defenses in place that are equipped to deal with more advanced social engineering attacks and can identify the attacks that impersonate brands and internal systems.
Because threat actors are becoming more sophisticated, it’s no longer enough to look at individual artifacts like malicious URLs. They’ve already figured out how to get around that type of static analysis and defense. Instead, email security platforms really need to look at content and behavior and the supposed identity of the sender and then compare that to what is known to be good.
It’s not just about blocking bad domains, because these emails often come from legitimate domains or free webmail accounts, and it’s not about blocking links because these cybercriminals are constantly changing those. Static systems simply can’t keep up with the pace of these emerging attacks. If enterprises are going to stop these evolving threats, it’s really about having that behavioral AI analysis to detect when something deviates from the known baseline.
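The two answers above argue for comparing a message's content, behavior and claimed sender identity against a known-good baseline rather than blocking individual domains or links. The following added example (not Abnormal's product logic and not code from the article) shows the skeleton of such a check: a baseline of previously delivered mail is learned, and each new message is scored on deviations from it. All messages, addresses, the list of imitated brand names and the scoring thresholds are constructed for illustration.

```python
"""Behavioral baseline check for inbound mail, in the spirit of the
comparison-to-known-good described above.

Added example, not Abnormal's product logic or the article's code. The
historical messages, inbound samples and thresholds are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Message:
    display_name: str
    from_addr: str
    reply_to: str
    subject: str
    body: str
    urls: list = field(default_factory=list)


FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
# Names credential phishers imitate (the article names Microsoft, Adobe
# and the IT help desk); the list itself is an assumption for this example.
PROTECTED_NAMES = {"microsoft", "adobe", "it help desk", "helpdesk", "it support"}
LURE_PATTERNS = [r"verify your (password|account)", r"password (will )?expire",
                 r"sign in to (keep|restore)", r"unusual sign-?in"]


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


class SenderBaseline:
    """Known-good mapping learned from previously delivered, benign mail."""

    def __init__(self):
        self.addrs_by_name = defaultdict(set)  # display name -> addresses seen
        self.known_domains = set()

    def learn(self, msg: Message) -> None:
        self.addrs_by_name[msg.display_name.lower()].add(msg.from_addr.lower())
        self.known_domains.add(domain(msg.from_addr))


def assess(msg: Message, baseline: SenderBaseline):
    """Return (verdict, reasons); verdict is deliver / review / block."""
    reasons = []
    name, sender = msg.display_name.lower(), msg.from_addr.lower()
    known = baseline.addrs_by_name.get(name)
    if known and sender not in known:
        reasons.append("display name matches a known sender but address differs")
    if any(p in name for p in PROTECTED_NAMES) and domain(sender) in FREE_WEBMAIL:
        reasons.append("brand or internal-system name sent from free webmail")
    if domain(msg.reply_to) != domain(sender):
        reasons.append("reply-to domain differs from sender domain")
    text = f"{msg.subject} {msg.body}".lower()
    if (any(re.search(p, text) for p in LURE_PATTERNS) and msg.urls
            and domain(sender) not in baseline.known_domains):
        reasons.append("credential lure with a link from a never-seen domain")
    verdict = "block" if len(reasons) >= 2 else "review" if reasons else "deliver"
    return verdict, reasons


# Constructed history: mail the organisation has legitimately received before.
HISTORY = [
    Message("Jane Doe", "jane.doe@example-corp.com", "jane.doe@example-corp.com",
            "Q3 numbers", "Attached as discussed."),
    Message("Acme Payroll", "payroll@acme-vendor.example",
            "payroll@acme-vendor.example", "Invoice 1042", "Please see attached."),
]

# Constructed inbound samples: a help-desk lure, a benign colleague mail,
# a display-name impersonation, and a vendor thread with a swapped reply-to.
SAMPLE_INBOUND = [
    Message("IT Help Desk", "it.helpdesk@gmail.com", "it.helpdesk@gmail.com",
            "Your password will expire today",
            "Sign in to keep your mailbox active.", ["https://portal.example/"]),
    Message("Jane Doe", "jane.doe@example-corp.com", "jane.doe@example-corp.com",
            "Lunch?", "Thursday work for you?"),
    Message("Jane Doe", "jane.doe@outlook.com", "jane.doe@outlook.com",
            "Quick favor", "Can you look at this when you get a sec?",
            ["https://docs.example/share"]),
    Message("Acme Payroll", "payroll@acme-vendor.example",
            "payroll@acme-vend0r.example", "Updated remittance details",
            "Our bank details changed, see below."),
]


def build_baseline(history=HISTORY) -> SenderBaseline:
    baseline = SenderBaseline()
    for m in history:
        baseline.learn(m)
    return baseline


def run_demo(inbound=SAMPLE_INBOUND) -> dict:
    """Map each sample's from address to its verdict."""
    baseline = build_baseline()
    return {m.from_addr: assess(m, baseline)[0] for m in inbound}


if __name__ == "__main__":
    baseline = build_baseline()
    for m in SAMPLE_INBOUND:
        verdict, reasons = assess(m, baseline)
        print(f"{verdict:8} {m.from_addr:35} {'; '.join(reasons)}")
```

Note that none of the signals is a blocklist: the lure from a free webmail account and the vendor message with a look-alike reply-to domain are both caught purely by how they differ from what the baseline has seen, which is the point the answer makes about static URL and domain blocking.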
What is the one key takeaway that we should know from this incident?
I think, in addition to really underscoring how even one compromised account can lead to huge issues like vendor email compromise attacks or lateral movement through the organization, it’s important to remember that this is not a unique problem.
These credential phishing emails are targeting thousands of companies every single day. We could just as easily be talking about one of the dozens of other victims on any given day, and that’s what is most concerning—these attacks are super effective and super costly.