Attacks/Breaches

8/15/2017
04:00 PM

BEC Attacks Don't Always Require Sophistication

Simple business email compromise scams can con companies out of huge sums of money and don't require much hacking or even social engineering know-how.

Business email compromise (BEC) attacks are eating enterprises alive with fraudulent wire transfers and banking activity. And to add insult to injury, in a lot of instances these attacks hardly require any level of sophistication to pull off. A new report out today from Check Point Research Team shows that a recent successful BEC campaign that targeted the oil-and-gas industry was carried out by a single individual.

"It’s particularly striking that his techniques display a low level of cyber-skills. His fraudulent emails are crude and unsophisticated; there is almost no research or social engineering involved in creating them," writes the Check Point Research Team. "What’s more, the malware he uses is old, generic and readily available online; and he uses freeware to ‘scrape’ email addresses from corporate websites which he then uses as targets for his campaigns."

In other words, there's no cybercriminal gang behind the months-long attack Check Point tracked. There's no complex black-market supply chain or command structure. It's just a guy in his mid-20s armed with the NetWire Trojan and the Hawkeye keylogging application, and with the guts to use a few phony Yahoo email accounts to go after 4,000 organizations worldwide. The researchers who tracked him say he managed to compromise several large organizations in the process.

And therein lies the problem of BEC attacks, which can range from this low level of sophistication to very advanced with their targeting. According to the Cisco 2017 Midyear Cybersecurity Report, BEC attacks have managed to siphon off $5.3 billion in the past three years. The game is simple: compromise the account of someone who deals with large wire transfers or someone related to that person - a boss, customer or partner. That email compromise is then used to send a victim fraudulent wire instructions and the right lure to get them to voluntarily send money to a criminal's account. 


"Historically, business email compromise has been named as CEO compromise or CFO compromise, where an individual of high value within the company is being impersonated in order to solicit information from the company," says Johannes Ullrich, director of the SANS Institute's Internet Storm Center (ISC), in a recent webcast about BEC attacks. But these days, he says, larger user groups are being targeted with more automated BEC attacks that cast a wider net.
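The executive-impersonation pattern described above (a high-value name on a message that actually comes from an outside account, here a phony webmail address, carrying wire instructions) can be triaged mechanically before a human ever sees the message. The following is an added example, not code from the article, Check Point or the SANS ISC; the company domain, executive names and sample messages are all constructed, and the thresholds are illustrative.

```python
"""Added example, not from the article or from Check Point / SANS ISC: a small
header-and-content triage for executive-impersonation BEC mail. It flags a
message whose From display name matches a known executive but whose address is
outside the corporate domain (the article's attacker used phony Yahoo accounts),
and a Reply-To that differs from the From address; wire-transfer wording is
reported only alongside such an identity finding, so a real CFO discussing a
wire is not flagged. All names, domains and messages are constructed."""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical company data; a real deployment would pull this from the directory.
CORPORATE_DOMAIN = "example-corp.com"
EXECUTIVES = {"pat lee": "CFO", "sam ortiz": "CEO"}
FREEMAIL_DOMAINS = {"yahoo.com", "gmail.com", "outlook.com", "hotmail.com"}
WIRE_TERMS = ("wire transfer", "wire instructions", "bank details", "urgent")


def _norm(name):
    """Collapse case and whitespace so 'Pat  LEE' matches 'pat lee'."""
    return " ".join(name.lower().split())


def _domain(addr):
    """Domain part of an address, lower-cased; empty if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message):
    """Return a list of findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = _domain(sender)
    findings = []

    # Identity check 1: executive's name on a non-corporate sender address.
    role = EXECUTIVES.get(_norm(display))
    if role and sender_domain != CORPORATE_DOMAIN:
        note = " (public webmail)" if sender_domain in FREEMAIL_DOMAINS else ""
        findings.append(
            f"display name matches the {role} but sender domain is {sender_domain!r}{note}"
        )

    # Identity check 2: replies silently redirected to another mailbox.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != sender.lower():
        findings.append(f"Reply-To {reply_to!r} differs from From {sender!r}")

    # Payment lure is only reported on top of an identity finding.
    if findings:
        text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
        hits = [t for t in WIRE_TERMS if t in text]
        if hits:
            findings.append("wire-transfer language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail).
SUSPICIOUS = """\
From: Pat Lee <pat.lee.cfo@yahoo.com>
To: ap@example-corp.com
Subject: Urgent wire transfer

Please process the attached wire instructions today.
"""

BENIGN = """\
From: Pat Lee <pat.lee@example-corp.com>
To: ap@example-corp.com
Subject: Wire transfer for vendor invoice

Bank details unchanged; please proceed.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, triage(sample))
```

Run as a script, the suspicious sample yields two findings (an executive name on a Yahoo domain, plus wire-transfer wording) and the benign one yields none, even though it also talks about a wire. A production version would take the executive list from the directory, add lookalike-domain matching, and feed findings into quarantine or a second-approver workflow for payment changes rather than block outright.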

He points to what's going on in the realty industry, which is being targeted mercilessly up and down the food chain, from realtors to escrow agents and mortgage brokers. Realtors in particular make good targets because of a confluence of circumstances. They're often dealing with new customers and prospects, so they're more receptive to exchanging information with strangers. They tend to use public webmail systems, document-sharing services and electronic-signature systems that are easy to spoof in order to phish information. They're often technically unsophisticated and unsupported by any kind of corporate IT department. Most importantly, realtors are often the trusted go-between for the client and the escrow agent when wire transfer information is sent.

In one case Ullrich pointed to, a realtor received an introductory email from a supposed prospect asking what he'd need to get started looking for a house. Once the realtor responded, the fraudster sent an email with a link that supposedly went to a bank pre-approval letter on Google Drive. Where it actually went was a fake login screen for harvesting Google account credentials.

"It’s very possible that these first couple of emails were automated," he says. "Given that these first couple of interactions are somewhat predictable, I wouldn't be surprised if there is a script that harvests realtor databases, looks at email addresses, automatically sends introductory emails and sends a link to the malicious PDF to whatever the realtor responds to."

In this instance the realtor wasn't fooled and forwarded the message to the ISC. But had the attacker obtained the credentials, the next step would have been to read the realtor's email and wait for a customer asking for account information to wire money for a real estate purchase. At that point it would be trivial for the BEC attacker to send the customer bogus account details so the money lands in the fraudster's account rather than with the person they're trying to buy property from.

This is just one in a whole smorgasbord of creative ways to pull off a BEC attack, but it is a good example of how a simple email compromise could lead to tens or even hundreds of thousands of dollars in fraudulent wire transfers that are often difficult to reverse.

Scarier still, because BEC often involves no complicated hack, it may not even be covered by cyber insurance. Just this month, news broke of a judgment in a case between a tool-and-die manufacturer and Travelers Insurance. American Tooling Center lost $800,000 in a BEC scam when a fraudster tricked it into paying legitimate invoices owed to a vendor using fraudulent wire transfer information sent from a compromised email account. The court agreed with Travelers that there "was no infiltration or 'hacking' of ATC's computer system," and therefore the attack was ineligible for coverage, according to a recent report in Business Insurance magazine.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments

REISEN1955, User Rank: Ninja, 8/18/2017 | 8:05:01 AM
Re: Multi-Layered Protection
Yes indeed - once we pull humans out of the equation, and also users so our networks have no fingers on the keyboards - ONLY then will we have perfect security!!!

rdusek483, User Rank: Apprentice, 8/16/2017 | 4:02:44 PM
Re: Multi-Layered Protection
yup, once the machines get rid of those pesky humans they will be able to feel more secure, right?

HalL570, User Rank: Author, 8/16/2017 | 3:27:52 PM
Multi-Layered Protection
This article is absolutely right that humans are always the weakest links in security matters. Good endpoint and network security are critical, especially defenses against phishing attacks. However, there's no single silver bullet, and user security awareness and education should be a key part of any organization's security strategy.
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.2.32 and prior to 6.0.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox...