5/12/2016 10:30 AM
Tim Helming
Commentary
Phishing Fraud BECkons: Will You Fall Victim?

Why one company got caught in a Business Email Compromise (BEC) Attack -- and how yours can avoid the same fate.

There has been a lot of news in 2016 about a particular species of phish, the so-called Business Email Compromise (BEC). In this scenario, the attacker poses as an executive of a company, asking someone--usually a subordinate employee--to perform a wire transfer or similar action. When the employee complies and completes the transfer, the company realizes--too late--that it has just given a large payment to a criminal. An investment company in Troy, Michigan, recently lost $495,000 from a BEC phish, so this is not a small matter.

It even hit close to my (professional) home: DomainTools’ CFO recently received a spear phish purporting to come from our CEO, asking her to make a wire transfer of funds. The sending email address was a clever look-alike of “domaintools.com,” using some substituted characters. Fortunately our CFO is very savvy and knew right away that her boss wouldn’t actually make such a request in that way. But it underscores how common this kind of BEC phish is -- and how easy it is for criminals to spoof legitimate emails.

Besides the obvious pain this causes to companies and their employees, this attack trend is troubling on many other levels:

Social engineering: The above example notwithstanding, collectively, people are still quite vulnerable to social engineering attacks. In the BEC scenario, the attacker is able to convincingly pose as the executive, and in the strongest examples, the fiction goes beyond the simple “from” address on the email. The attacker can comb through publicly available information to get details about the personnel and sprinkle these into the email, suppressing the victim’s defenses.

Corporate culture: Many companies still have a very hierarchical culture, and many executives expect prompt and, in some cases, unquestioning compliance with their requests. Promptness is not a bad thing by itself, but automatic obedience can be dangerous.

Messaging technology: Relying on email filtering to catch phony emails is dangerous. Many BEC emails sail right past such defenses because they don't carry the payloads that typically get a message flagged (malware attachments, dangerous links, etc.). Email filtering technologies are necessary, but not sufficient, to protect against spear phishes.

As in so many disasters (and the loss of millions of dollars to fraud would constitute a disaster for any firm), there is often a chain of events that had to occur in a specific way for the fraud to succeed. So there is a silver lining here in that each factor has potential mitigations that can disrupt the attack. Some are quite simple.

Social engineering can be thwarted via education. It’s not realistic to expect that 100% of such attacks can be averted, but any improvement is worthwhile. This is one of the places where employee education can pay big dividends. Social engineering is a human problem, not a technological one, so it must be answered in human terms as well.

As far as corporate culture goes, companies would do well to take a cue from the aviation industry, where many accident investigations have concluded that unquestioning compliance with (faulty) captains’ orders contributed to the disaster. Today, airline and military crew members are encouraged to challenge orders from a captain if they believe them to be dangerous or flawed.

There is a valuable analogy in verifying and, if necessary, challenging corporate orders that carry high stakes. It can be as simple as picking up the phone or walking to an office to ask the superior if the request is legitimate. If the subordinate employee doesn’t feel comfortable doing so, they may be able to find a co-worker who will. It could prevent a tremendous loss.

Messaging security, especially spam/phishing detection, has made many advances over the years, and helps cut the “noise level” of illicit emails tremendously. And, given the prevalence of BECs, it’s possible that detection of such emails will improve. From the forensics standpoint, the “from” email address will often contain a look-alike, illicitly registered domain, so that the attacker can carry out a chain of communications with the victim; such domains can in some cases be blocked before they have “fired their first shot.” But the bottom line is that automated detection will never reach 100%, so the other links in the chain have to be as strong as possible.
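The look-alike-domain check described above can be automated as a triage signal in front of the human verification step. The following is an added example written for this commentary; it is not DomainTools' code. The protected domain, the executive display name, the confusables table and the sample From: headers are all constructed assumptions, and the check goes a little beyond the substituted-character case in the text: it also catches domains within a couple of edits of the real one (e.g. a swapped TLD), domains that embed the company's name, and an executive's display name on an outside address.

```python
"""Flag From: headers whose sender domain imitates a protected domain.

Added example for the BEC commentary above; not DomainTools' own code.
All domains, names and headers below are constructed for illustration.
"""
from email.utils import parseaddr
import unicodedata

# Domains this organisation legitimately sends from (constructed sample).
PROTECTED_DOMAINS = {"domaintools.com"}

# Executives whose name on an outside address deserves a second look
# (constructed sample; compared case-insensitively).
EXECUTIVE_NAMES = {"pat example"}

# ASCII substitutions commonly used to imitate a letter. This is a small
# hand-picked table (assumption); a production check would use a fuller list.
CONFUSABLE_SUBSTITUTIONS = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b"),
]


def normalize_domain(domain: str) -> str:
    """Fold a domain so that look-alike substitutions collapse onto the
    letters they imitate: lower-case, strip accents, apply the table."""
    folded = unicodedata.normalize("NFKD", domain.strip().lower())
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    for fake, real in CONFUSABLE_SUBSTITUTIONS:
        folded = folded.replace(fake, real)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the usual two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'legitimate', 'lookalike', 'impersonation' or 'external'."""
    display_name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain in PROTECTED_DOMAINS:
        return "legitimate"

    norm = normalize_domain(domain)
    for protected in PROTECTED_DOMAINS:
        pnorm = normalize_domain(protected)
        plabel = pnorm.split(".")[0]          # e.g. "domaintools"
        # Identical once substitutions are folded, within two edits of the
        # real domain, or carrying the company's name inside another domain.
        if norm == pnorm or edit_distance(norm, pnorm) <= 2 or plabel in norm:
            return "lookalike"

    # Executive's name in the display name but the address is not ours.
    if display_name.strip().lower() in EXECUTIVE_NAMES:
        return "impersonation"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for header in [
        "Pat Example <pat@domaintools.com>",
        "Pat Example <pat@dornaintools.com>",      # rn -> m
        "Pat Example <pat@domaintools.co>",        # dropped letter
        "Pat Example <pat.example@webmail.example>",
        "Vendor Billing <ap@supplier.example>",
    ]:
        print(f"{classify_sender(header):14s} {header}")
```

Anything other than "legitimate" should route the message to the same out-of-band verification the text recommends (a phone call or a walk to the executive's office), not to an automatic block: a two-edit threshold and the embedded-name rule will also catch some legitimate third-party domains, and that false-positive rate is acceptable for a review queue but not for silent discarding.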

If the first few months are any indication, the info security retrospectives at the end of 2016 will cite BECs as one of the big stories, along with ransomware and critical infrastructure attacks. Let’s hope that those stories also contain accounts of successful foiling of BECs. It’s a realistic (if ambitious) goal, but it demands appropriate attention and action.


Tim Helming, DomainTools Director of Product Management, has over 15 years of experience in cybersecurity, from network to cloud to application attacks and defenses. At DomainTools, he applies this background to helping define and evangelize the company's growing portfolio of ...

Comments
Kelly Jackson Higgins, 5/12/2016 11:50:14 AM
Re: Amount Wrong
You are correct, @DerikK231. That has been corrected. Thank you!
DerikK231, 5/12/2016 11:45:44 AM
Amount Wrong
Hey, in this article it claims the spearphishing attack stole $495 million; I believe the amount was only $495,000. Please check this number and revise the article.