Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/15/2017
04:00 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

BEC Attacks Don't Always Require Sophistication

Simple business email compromise scams can con companies out of huge sums of money and don't require much hacking or even social engineering know-how.

Business email compromise (BEC) attacks are eating enterprises alive with fraudulent wire transfers and banking activity. And to add insult to injury, in a lot of instances these attacks hardly require any level of sophistication to pull off. A new report out today from Check Point Research Team shows that a recent successful BEC campaign that targeted the oil-and-gas industry was carried out by a single individual.

"It’s particularly striking that his techniques display a low level of cyber-skills. His fraudulent emails are crude and unsophisticated; there is almost no research or social engineering involved in creating them," writes the Check Point Research Team. "What’s more, the malware he uses is old, generic and readily available online; and he uses freeware to ‘scrape’ email addresses from corporate websites which he then uses as targets for his campaigns."

In other words, there's no cybercriminal gang behind the months-long attack Check Point tracked. There's no complex black market supply chain or command structure. It's just a guy in his mid-20's armed with the NetWire Trojan and Hawkeye keylogging application, and with the guts to use a few phony Yahoo email accounts to go after 4,000 organizations worldwide. The researchers who tracked him say he managed to compromise several large organizations in the process. 

And therein lies the problem of BEC attacks, which can range from this low level of sophistication to very advanced with their targeting. According to the Cisco 2017 Midyear Cybersecurity Report, BEC attacks have managed to siphon off $5.3 billion in the past three years. The game is simple: compromise the account of someone who deals with large wire transfers or someone related to that person - a boss, customer or partner. That email compromise is then used to send a victim fraudulent wire instructions and the right lure to get them to voluntarily send money to a criminal's account. 

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

"Historically, business email compromise has been named as CEO compromise or CFO compromise, where an individual of high value within the company is being impersonated in order solicit information from the company," says Johannes Ulrich, director of the SANS Institute's Internet Storm Center (ISC) in a recent webcast about BEC attacks. But these days he says that larger user groups are being targeted with more automated BEC attacks that can cast a wider net. 

He points to what's going on with the realty industry, which is being targeted mercilessly up and down that food chain - from realtors to escrow agents and mortgage brokers. Realtors in particular are a good target because of a confluence of circumstances. They're often dealing with new customers and prospects so they're more receptive to exchanging information with strangers. They tend to use public webmail systems, document sharing service providers and electronic signature systems that are easy to spoof in order to phish information. And they're often technically unsophisticated and unsupported by any kind of corporate IT department. Most importantly, realtors are often a trusted go-between the client and escrow agents to send wire transfer information.

In one case Ulrich was pointed, to a realtor who had received an introductory email from a supposed prospect who asked him what he'd need to get started looking for the house. Once the realtor responded, the fraud sent an email with a link that supposedly went to a bank pre-approval letter on a Google Drive. Where it actually went was a fake login screen for harvesting Google account information.

"It’s very possible that these first couple of emails were automated," he says. "Given that these first couple of interactions are somewhat predictable, I wouldn't be surprised if there is a script that harvests realtor databases, looks at email addresses, automatically sends introductory emails and sends a link to the malicious PDF to whatever the realtor responds to."

In this instance the realtor wasn't fooled and forwarded it to the ISC. But if they had gained credentials, the next steps would have been to start reading the realtor's emails and wait for a customer asking for account information to wire money out for a real estate purchase. At that point it would be trivial for the BEC attacker to send the customer bad account details so they’ll transfer money to the fraudster's account rather than the person they're trying to purchase property from.

This is just one in a whole smorgasbord of creative ways to pull off a BEC attack, but it is a good example of how a simple email compromise could lead to tens or even hundreds of thousands of dollars in fraudulent wire transfers that are often difficult to reverse.

Even more scary, because BEC often doesn't use any kind of complicated hack to carry out, it may not even be covered by cyber insurance. Just this month, news broke of a recent judgment on a case between a tool and die manufacturer and Travelers Insurance. American Tooling Center lost $800,000 in a BEC scam when it was trolled by a fraudster to send money for some legitimate invoices owed to a vendor using fraudulent wire transfer information sent using a compromised email account. The court agreed with Travelers that there "was no infiltration or 'hacking' of ATC's computer system," and therefore the attack was ineligible for coverage, according to a recent report from Business Insurance magazine.

Related Content:

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
8/18/2017 | 8:05:01 AM
Re: Multi-Layered Protection
Yes indeed - once we pull humans out of the equation, and also users so our networks have no fingers on the keyboards - ONLY then will we have perfect security!!!
rdusek483
50%
50%
rdusek483,
User Rank: Apprentice
8/16/2017 | 4:02:44 PM
Re: Multi-Layered Protection
yup, once the machines get rid of those pesky humans they will be able to feel more secure, right?
HalL570
50%
50%
HalL570,
User Rank: Author
8/16/2017 | 3:27:52 PM
Multi-Layered Protection
This article is absolutely right on that humans are always the weakest links in security matters.  Good endpoint and network security are critical, especially defenses against phishing attacks. However, there's no single silver bullet, and user security awareness and education should be a key part of any organization's security strategy. 
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Lessons from the NSA: Know Your Assets
Robert Lemos, Contributing Writer,  12/12/2019
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...