8/15/2017 04:00 PM
BEC Attacks Don't Always Require Sophistication

Simple business email compromise scams can con companies out of huge sums of money and don't require much hacking or even social engineering know-how.

Business email compromise (BEC) attacks are eating enterprises alive with fraudulent wire transfers and banking activity. And to add insult to injury, in a lot of instances these attacks hardly require any level of sophistication to pull off. A new report out today from Check Point Research Team shows that a recent successful BEC campaign that targeted the oil-and-gas industry was carried out by a single individual.

"It’s particularly striking that his techniques display a low level of cyber-skills. His fraudulent emails are crude and unsophisticated; there is almost no research or social engineering involved in creating them," writes the Check Point Research Team. "What’s more, the malware he uses is old, generic and readily available online; and he uses freeware to ‘scrape’ email addresses from corporate websites which he then uses as targets for his campaigns."

In other words, there's no cybercriminal gang behind the months-long attack Check Point tracked. There's no complex black market supply chain or command structure. It's just a guy in his mid-20's armed with the NetWire Trojan and Hawkeye keylogging application, and with the guts to use a few phony Yahoo email accounts to go after 4,000 organizations worldwide. The researchers who tracked him say he managed to compromise several large organizations in the process. 

And therein lies the problem of BEC attacks, which can range from this low level of sophistication to very advanced with their targeting. According to the Cisco 2017 Midyear Cybersecurity Report, BEC attacks have managed to siphon off $5.3 billion in the past three years. The game is simple: compromise the account of someone who deals with large wire transfers or someone related to that person - a boss, customer or partner. That email compromise is then used to send a victim fraudulent wire instructions and the right lure to get them to voluntarily send money to a criminal's account. 


"Historically, business email compromise has been named as CEO compromise or CFO compromise, where an individual of high value within the company is being impersonated in order to solicit information from the company," says Johannes Ulrich, director of the SANS Institute's Internet Storm Center (ISC), in a recent webcast about BEC attacks. But these days, he says, larger user groups are being targeted with more automated BEC attacks that cast a wider net.

He points to what's going on in the real estate industry, which is being targeted mercilessly up and down the food chain, from realtors to escrow agents and mortgage brokers. Realtors in particular are a good target because of a confluence of circumstances. They're often dealing with new customers and prospects, so they're more receptive to exchanging information with strangers. They tend to use public webmail systems, document-sharing services and electronic-signature systems that are easy to spoof in order to phish information. They're often technically unsophisticated and unsupported by any kind of corporate IT department. Most importantly, realtors are often the trusted go-between for the client and the escrow agent when wire transfer information is sent.

In one case Ulrich pointed to, a realtor received an introductory email from a supposed prospect asking what the realtor would need to get started looking for a house. Once the realtor responded, the fraudster sent an email with a link that supposedly went to a bank pre-approval letter on Google Drive. Where it actually went was a fake login screen built to harvest Google account credentials.

"It’s very possible that these first couple of emails were automated," he says. "Given that these first couple of interactions are somewhat predictable, I wouldn't be surprised if there is a script that harvests realtor databases, looks at email addresses, automatically sends introductory emails and sends a link to the malicious PDF to whatever the realtor responds to."

In this instance the realtor wasn't fooled and forwarded it to the ISC. But if they had gained credentials, the next steps would have been to start reading the realtor's emails and wait for a customer asking for account information to wire money out for a real estate purchase. At that point it would be trivial for the BEC attacker to send the customer bad account details so they’ll transfer money to the fraudster's account rather than the person they're trying to purchase property from.
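The lure described above (a "Google Drive" link that really leads to a credential-harvesting page) is the kind of thing mail-gateway or triage tooling can flag mechanically. What follows is an added example, not code from the article, Check Point or the SANS ISC: it parses a raw message, flags any anchor whose visible text claims Google Drive but whose href host is not google.com or a subdomain of it, and notes a Reply-To domain that differs from the From domain. The sample message, hosts and addresses are constructed for this example.

```python
"""Added example (not from the article, Check Point or SANS ISC): triage a
suspected BEC lure of the kind described above.

Checks performed:
  1. any anchor whose visible text claims Google Drive but whose href host
     is not google.com or a real subdomain of it (look-alike hosts such as
     drive.google.com.something.test fail this test);
  2. a Reply-To domain that differs from the From domain, so replies are
     routed to the fraudster even when the From address looks plausible.
The sample message, hosts and addresses below are constructed for the example.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases in link text that advertise a Google Drive / Docs destination.
DRIVE_CLAIMS = ("google drive", "drive.google.com", "docs.google.com")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # inside an <a> ... </a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


def host_is_google(url):
    """True only for google.com itself or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return host == "google.com" or host.endswith(".google.com")


def claims_google_drive(text):
    t = text.lower()
    return any(k in t for k in DRIVE_CLAIMS)


def find_lookalike_links(html):
    """Anchors that advertise Google Drive but lead to a non-Google host."""
    collector = _LinkCollector()
    collector.feed(html)
    return [
        {"text": text, "href": href, "host": urlparse(href).hostname}
        for href, text in collector.links
        if claims_google_drive(text) and not host_is_google(href)
    ]


def _domain(addr_header):
    """Domain part of an address header, or '' when the header is absent."""
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()


def triage_message(raw):
    """Return the findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode("utf-8", errors="replace")
            findings.extend(find_lookalike_links(body))
    from_dom, reply_dom = _domain(msg["From"]), _domain(msg["Reply-To"])
    mismatch = bool(reply_dom) and reply_dom != from_dom
    return {
        "lookalike_links": findings,
        "reply_to_mismatch": mismatch,
        "suspicious": bool(findings) or mismatch,
    }


# Constructed sample lure: all names, addresses and hosts are invented.
SAMPLE_EMAIL = """\
From: "Pat Buyer" <pat.buyer@example-webmail.test>
Reply-To: <pat.buyer.docs@other-webmail.test>
To: agent@example-realty.test
Subject: Re: pre-approval letter
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Thanks for getting back to me. I uploaded the bank pre-approval letter
to Google Drive:</p>
<p><a href="https://drive.google.com.docs-share.test/preapproval.pdf">View on Google Drive</a></p>
<p>The listing I liked: <a href="https://www.example-listings.test/123">example-listings.test</a></p>
</body></html>
"""

if __name__ == "__main__":
    for key, value in triage_message(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The check only catches the text-versus-href mismatch; a lure with generic link text ("click here") or one hosted on a genuinely compromised Google-hosted page passes it, so treat it as one triage signal rather than a gate. The durable controls against the second step in the story are phishing-resistant multi-factor authentication on the mailbox and out-of-band verification, by phone at a known number, of any change to wire instructions.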

This is just one in a whole smorgasbord of creative ways to pull off a BEC attack, but it is a good example of how a simple email compromise could lead to tens or even hundreds of thousands of dollars in fraudulent wire transfers that are often difficult to reverse.

Even more worrying, because BEC often involves no complicated hack, the loss may not even be covered by cyber insurance. Just this month, news broke of a judgment in a case between a tool-and-die manufacturer and Travelers Insurance. American Tooling Center lost $800,000 in a BEC scam when a fraudster tricked it into paying legitimate invoices owed to a vendor using fraudulent wire transfer instructions sent from a compromised email account. The court agreed with Travelers that there "was no infiltration or 'hacking' of ATC's computer system," and therefore the loss was ineligible for coverage, according to a recent report from Business Insurance magazine.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
REISEN1955, User Rank: Ninja
8/18/2017 | 8:05:01 AM
Re: Multi-Layered Protection
Yes indeed - once we pull humans out of the equation, and also users so our networks have no fingers on the keyboards - ONLY then will we have perfect security!!!
rdusek483, User Rank: Apprentice
8/16/2017 | 4:02:44 PM
Re: Multi-Layered Protection
yup, once the machines get rid of those pesky humans they will be able to feel more secure, right?
HalL570, User Rank: Author
8/16/2017 | 3:27:52 PM
Multi-Layered Protection
This article is absolutely right on that humans are always the weakest links in security matters.  Good endpoint and network security are critical, especially defenses against phishing attacks. However, there's no single silver bullet, and user security awareness and education should be a key part of any organization's security strategy. 