Attacks/Breaches

8/15/2017
04:00 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

BEC Attacks Don't Always Require Sophistication

Simple business email compromise scams can con companies out of huge sums of money and don't require much hacking or even social engineering know-how.

Business email compromise (BEC) attacks are eating enterprises alive with fraudulent wire transfers and banking activity. And to add insult to injury, in a lot of instances these attacks hardly require any level of sophistication to pull off. A new report out today from Check Point Research Team shows that a recent successful BEC campaign that targeted the oil-and-gas industry was carried out by a single individual.

"It’s particularly striking that his techniques display a low level of cyber-skills. His fraudulent emails are crude and unsophisticated; there is almost no research or social engineering involved in creating them," writes the Check Point Research Team. "What’s more, the malware he uses is old, generic and readily available online; and he uses freeware to ‘scrape’ email addresses from corporate websites which he then uses as targets for his campaigns."

In other words, there's no cybercriminal gang behind the months-long attack Check Point tracked. There's no complex black market supply chain or command structure. It's just a guy in his mid-20's armed with the NetWire Trojan and Hawkeye keylogging application, and with the guts to use a few phony Yahoo email accounts to go after 4,000 organizations worldwide. The researchers who tracked him say he managed to compromise several large organizations in the process. 

And therein lies the problem of BEC attacks, which can range from this low level of sophistication to very advanced with their targeting. According to the Cisco 2017 Midyear Cybersecurity Report, BEC attacks have managed to siphon off $5.3 billion in the past three years. The game is simple: compromise the account of someone who deals with large wire transfers or someone related to that person - a boss, customer or partner. That email compromise is then used to send a victim fraudulent wire instructions and the right lure to get them to voluntarily send money to a criminal's account. 

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

"Historically, business email compromise has been named as CEO compromise or CFO compromise, where an individual of high value within the company is being impersonated in order solicit information from the company," says Johannes Ulrich, director of the SANS Institute's Internet Storm Center (ISC) in a recent webcast about BEC attacks. But these days he says that larger user groups are being targeted with more automated BEC attacks that can cast a wider net. 

He points to what's going on with the realty industry, which is being targeted mercilessly up and down that food chain - from realtors to escrow agents and mortgage brokers. Realtors in particular are a good target because of a confluence of circumstances. They're often dealing with new customers and prospects so they're more receptive to exchanging information with strangers. They tend to use public webmail systems, document sharing service providers and electronic signature systems that are easy to spoof in order to phish information. And they're often technically unsophisticated and unsupported by any kind of corporate IT department. Most importantly, realtors are often a trusted go-between the client and escrow agents to send wire transfer information.

In one case Ulrich was pointed, to a realtor who had received an introductory email from a supposed prospect who asked him what he'd need to get started looking for the house. Once the realtor responded, the fraud sent an email with a link that supposedly went to a bank pre-approval letter on a Google Drive. Where it actually went was a fake login screen for harvesting Google account information.

"It’s very possible that these first couple of emails were automated," he says. "Given that these first couple of interactions are somewhat predictable, I wouldn't be surprised if there is a script that harvests realtor databases, looks at email addresses, automatically sends introductory emails and sends a link to the malicious PDF to whatever the realtor responds to."

In this instance the realtor wasn't fooled and forwarded it to the ISC. But if they had gained credentials, the next steps would have been to start reading the realtor's emails and wait for a customer asking for account information to wire money out for a real estate purchase. At that point it would be trivial for the BEC attacker to send the customer bad account details so they’ll transfer money to the fraudster's account rather than the person they're trying to purchase property from.

This is just one in a whole smorgasbord of creative ways to pull off a BEC attack, but it is a good example of how a simple email compromise could lead to tens or even hundreds of thousands of dollars in fraudulent wire transfers that are often difficult to reverse.

Even more scary, because BEC often doesn't use any kind of complicated hack to carry out, it may not even be covered by cyber insurance. Just this month, news broke of a recent judgment on a case between a tool and die manufacturer and Travelers Insurance. American Tooling Center lost $800,000 in a BEC scam when it was trolled by a fraudster to send money for some legitimate invoices owed to a vendor using fraudulent wire transfer information sent using a compromised email account. The court agreed with Travelers that there "was no infiltration or 'hacking' of ATC's computer system," and therefore the attack was ineligible for coverage, according to a recent report from Business Insurance magazine.

Related Content:

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
8/18/2017 | 8:05:01 AM
Re: Multi-Layered Protection
Yes indeed - once we pull humans out of the equation, and also users so our networks have no fingers on the keyboards - ONLY then will we have perfect security!!!
rdusek483
50%
50%
rdusek483,
User Rank: Apprentice
8/16/2017 | 4:02:44 PM
Re: Multi-Layered Protection
yup, once the machines get rid of those pesky humans they will be able to feel more secure, right?
HalL570
50%
50%
HalL570,
User Rank: Author
8/16/2017 | 3:27:52 PM
Multi-Layered Protection
This article is absolutely right on that humans are always the weakest links in security matters.  Good endpoint and network security are critical, especially defenses against phishing attacks. However, there's no single silver bullet, and user security awareness and education should be a key part of any organization's security strategy. 
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Australian Teen Hacked Apple Network
Dark Reading Staff 8/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15504
PUBLISHED: 2018-08-18
An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. The server mishandles some HTTP request fields associated with time, which results in a NULL pointer dereference, as demonstrated by If-Modified-Since or If-Unmodified-Since with a month greater than 11.
CVE-2018-15505
PUBLISHED: 2018-08-18
An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. An HTTP POST request with a specially crafted "Host" header field may cause a NULL pointer dereference and thus cause a denial of service, as demonstrated by the lack of a trailing ']' character in an IPv6 a...
CVE-2018-15492
PUBLISHED: 2018-08-18
A vulnerability in the lservnt.exe component of Sentinel License Manager version 8.5.3.35 (fixed in 8.5.3.2403) causes UDP amplification.
CVE-2018-15494
PUBLISHED: 2018-08-18
In Dojo Toolkit before 1.14, there is unescaped string injection in dojox/Grid/DataGrid.
CVE-2018-15495
PUBLISHED: 2018-08-18
/filemanager/upload.php in Responsive FileManager before 9.13.3 allows Directory Traversal and SSRF because the url parameter is used directly in a curl_exec call, as demonstrated by a file:///etc/passwd value.