Business email compromise (BEC) attacks are eating enterprises alive with fraudulent wire transfers and banking activity. And to add insult to injury, in a lot of instances these attacks hardly require any level of sophistication to pull off. A new report out today from Check Point Research Team shows that a recent successful BEC campaign that targeted the oil-and-gas industry was carried out by a single individual.
"It’s particularly striking that his techniques display a low level of cyber-skills. His fraudulent emails are crude and unsophisticated; there is almost no research or social engineering involved in creating them," writes the Check Point Research Team. "What’s more, the malware he uses is old, generic and readily available online; and he uses freeware to ‘scrape’ email addresses from corporate websites which he then uses as targets for his campaigns."
In other words, there's no cybercriminal gang behind the months-long attack Check Point tracked. There's no complex black market supply chain or command structure. It's just a guy in his mid-20's armed with the NetWire Trojan and Hawkeye keylogging application, and with the guts to use a few phony Yahoo email accounts to go after 4,000 organizations worldwide. The researchers who tracked him say he managed to compromise several large organizations in the process.
And therein lies the problem of BEC attacks, which can range from this low level of sophistication to very advanced with their targeting. According to the Cisco 2017 Midyear Cybersecurity Report, BEC attacks have managed to siphon off $5.3 billion in the past three years. The game is simple: compromise the account of someone who deals with large wire transfers or someone related to that person - a boss, customer or partner. That email compromise is then used to send a victim fraudulent wire instructions and the right lure to get them to voluntarily send money to a criminal's account.
"Historically, business email compromise has been named as CEO compromise or CFO compromise, where an individual of high value within the company is being impersonated in order solicit information from the company," says Johannes Ulrich, director of the SANS Institute's Internet Storm Center (ISC) in a recent webcast about BEC attacks. But these days he says that larger user groups are being targeted with more automated BEC attacks that can cast a wider net.
He points to what's going on with the realty industry, which is being targeted mercilessly up and down that food chain - from realtors to escrow agents and mortgage brokers. Realtors in particular are a good target because of a confluence of circumstances. They're often dealing with new customers and prospects so they're more receptive to exchanging information with strangers. They tend to use public webmail systems, document sharing service providers and electronic signature systems that are easy to spoof in order to phish information. And they're often technically unsophisticated and unsupported by any kind of corporate IT department. Most importantly, realtors are often a trusted go-between the client and escrow agents to send wire transfer information.
In one case Ulrich was pointed, to a realtor who had received an introductory email from a supposed prospect who asked him what he'd need to get started looking for the house. Once the realtor responded, the fraud sent an email with a link that supposedly went to a bank pre-approval letter on a Google Drive. Where it actually went was a fake login screen for harvesting Google account information.
"It’s very possible that these first couple of emails were automated," he says. "Given that these first couple of interactions are somewhat predictable, I wouldn't be surprised if there is a script that harvests realtor databases, looks at email addresses, automatically sends introductory emails and sends a link to the malicious PDF to whatever the realtor responds to."
In this instance the realtor wasn't fooled and forwarded it to the ISC. But if they had gained credentials, the next steps would have been to start reading the realtor's emails and wait for a customer asking for account information to wire money out for a real estate purchase. At that point it would be trivial for the BEC attacker to send the customer bad account details so they’ll transfer money to the fraudster's account rather than the person they're trying to purchase property from.
This is just one in a whole smorgasbord of creative ways to pull off a BEC attack, but it is a good example of how a simple email compromise could lead to tens or even hundreds of thousands of dollars in fraudulent wire transfers that are often difficult to reverse.
Even more scary, because BEC often doesn't use any kind of complicated hack to carry out, it may not even be covered by cyber insurance. Just this month, news broke of a recent judgment on a case between a tool and die manufacturer and Travelers Insurance. American Tooling Center lost $800,000 in a BEC scam when it was trolled by a fraudster to send money for some legitimate invoices owed to a vendor using fraudulent wire transfer information sent using a compromised email account. The court agreed with Travelers that there "was no infiltration or 'hacking' of ATC's computer system," and therefore the attack was ineligible for coverage, according to a recent report from Business Insurance magazine.