Conversation hijacking (or thread hijacking) is a targeted social engineering attack where an intruder poses as a participant in an ongoing message exchange (or other type of digital communication) by exploiting the trust established between the parties to the conversation. The term is most often used in relation to email attacks, but attackers can also apply this method to other communication channels, such as group chats in messenger apps.
Attack pattern
Conversation hijacking typically occurs in three stages:
- Gaining access to messages. To hijack a conversation, an attacker needs access to it in some form. To obtain this access, they can hack the account of one of the participants (for example, through social engineering, malware, network vulnerabilities, or leaked credentials). Armed with access to the account, they can create a rule to forward all messages from that account to the attacker’s mailbox in case access is taken away. An attacker can also hijack a conversation without hacking an account. For example, they can use malware to steal a victim’s emails stored on an infected device, or purchase the contents of someone’s mailbox on the dark web.
- Surveillance and information gathering. Once they have access to messages, the attacker studies them to get the information they need. This phase can last for days, weeks, or months while the attacker gathers all the information needed to make the deception convincing.
- Communication with the victim. The attacker initiates communication to obtain more information or get the victim to perform a certain action (for example, hand over sensitive data or make a money transfer). If the attacker has access to a hacked account of one of the participants, they can dupe the other party through impersonation. Alternatively, the attacker can message the victim from an address similar to the other party’s (for example, from a lookalike domain), counting on the victim not noticing the spoof. At this stage, the attacker may enter into a lengthy message exchange in the hope that the victim lets their guard down, or suggest switching to another platform that is not protected by corporate security tools.
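An added example (not code from the original article) of a defender-side check for the lookalike-domain variant described in the third stage: it compares a new sender's domain against the domains already present in the thread after collapsing character sequences that read alike in common fonts. Assumptions: the confusables table and the sample addresses are constructed, and the registrable label is taken as the label before the last dot rather than looked up in the Public Suffix List.

```python
import difflib

# Constructed, deliberately small table of character sequences that read alike
# in common fonts. A production check would use a fuller confusables list.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()

def normalize_label(domain):
    """Collapse look-alike sequences in the registrable label of a domain.
    Assumption: the label before the last dot is the registrable one; a real
    deployment would consult the Public Suffix List (think co.uk)."""
    parts = domain.split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    for lookalike, canonical in CONFUSABLES:
        label = label.replace(lookalike, canonical)
    return label

def similarity(domain_a, domain_b):
    """Similarity (0.0..1.0) of the two domains' normalized registrable labels."""
    return difflib.SequenceMatcher(None, normalize_label(domain_a), normalize_label(domain_b)).ratio()

def check_sender(sender, thread_participants, threshold=0.8):
    """Classify a new sender against the domains already present in a thread.
    Returns a dict whose 'verdict' is 'known', 'lookalike' or 'unrelated'."""
    sender_domain = domain_of(sender)
    trusted = {domain_of(p) for p in thread_participants}
    if sender_domain in trusted:
        return {"verdict": "known", "domain": sender_domain}
    if not trusted:
        return {"verdict": "unrelated", "domain": sender_domain}
    closest = max(trusted, key=lambda t: similarity(sender_domain, t))
    score = similarity(sender_domain, closest)
    if score >= threshold:
        return {"verdict": "lookalike", "domain": sender_domain,
                "mimics": closest, "score": round(score, 2)}
    return {"verdict": "unrelated", "domain": sender_domain}

if __name__ == "__main__":
    # Constructed sample thread between two organizations.
    thread = ["alice@acme-corp.example", "bob@partner-firm.example"]
    for new_sender in ["bob@partner-firm.example", "alice@acrne-corp.example",
                       "alice@acme-c0rp.example", "news@unrelated-site.example"]:
        print(new_sender, "->", check_sender(new_sender, thread))
```

A 'lookalike' verdict on a message that continues an existing thread is a strong signal for review, whereas an 'unrelated' domain is merely a new correspondent.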
Possible aims
Conversation hijacking is a targeted phishing attack that requires pre-planning by the perpetrator. The purpose can be:
- Financial gain. Attackers intercept messages about an unfinalized deal, and persuade the victim to transfer money to an account they control.
- Corporate account takeover. Attackers send a link to a phishing site under the guise of a work document that requires authorization under a corporate account.
- Delivery of malware. Attackers send a malicious file disguised as a work document, project, presentation, etc.
- Theft of confidential information. Attackers, posing as a colleague or partner of the victim, request confidential documents, private information about company projects, etc.