Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/16/2019
02:15 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

BEC Groups Ramp Up Payroll Diversion Attacks

Criminals are increasingly trying to defraud businesses by diverting payrolls of CEOs, other senior executives, Agari says.

Attackers are ramping up efforts to try and scam HR employees at many businesses into diverting the payrolls of CEOs and other highly compensated executives to fraudulent accounts.

Security vendor Agari says it has observed a recent and considerable increase in such payroll diversion attempts via social engineering. The criminal gangs behind these scams appear to have invested considerable resources into understanding organizational hierarchies and knowing exactly whom to target, Agari said in a report this week.

"Payroll diversion has become an emerging threat during the past year," says Crane Hassold, senior director of threat research at Agari. The attacks began ramping up in Q4 2018 and are the latest evolution in business email compromise (BEC) scams, he says.

"Unlike traditional BEC attacks, which are starting to raise red flags with financial institutions, payroll diversion attacks eliminate the interaction with banks because it is a direct deposit instead of a wire transfer," he says.

The typical modus operandi in these scams is for the attacker to assume the identity of the CEO by setting up an email account in the name of the executive. The adversary then sends an email to a previously identified individual within the HR or finance function requesting a change in the existing direct deposit account details and inquiring about what's needed to process the change. The threat actors often are not fazed when asked to provide a voided check displaying the new account's details, and often can provide it. If the scam is successful, the payroll of the executive that was impersonated gets diverted to the attacker-held account.

The payroll diversion approach eliminates the need for attackers to deal with a third-party system, thereby allowing for greater control over the whole process, Agari researchers said. "We’ve observed this type of attack targeting a variety of employees, but the majority target C-suite individuals because the monetary payoff is much greater," says Hassold.

The attacks are scalable in the sense that adversaries can conduct them against a large number of targets at different companies. But the likelihood that the attackers would select multiple targets at the same company is low because of the red flags that it would raise, he said.

BEC attacks have been around for several years and continue to be a potent threat for most organizations. Originally, BEC involved attacks in which an adversary either tricked an individual with signing authority at a company into wire-transferring funds to an attacker-held account, or hijacked an account to achieve the same objective.

As organizations have become savvier about such BEC scams, adversaries have kept introducing new twists as well. In December for instance, security researchers observed a new trend in which threat actors impersonating CEOs tried to get office managers and others with similar authority to purchase gift cards for employees. Though losses from gift card BEC attacks have been relatively small so far in the US—at around $1 million—the scam illustrates how criminal groups have kept trying different ruses to try and defraud businesses.

According to the FBI, the reported global loss from BEC attacks between October 2013 and May 2018 was some $12 billion. The scam has been reported in 150 countries and continues to grow and evolve, the FBI has noted. The agency has described BEC as a threat that impacts organizations of all sizes.

BEC shows how cyber attacks are increasingly leveraging social engineering instead of technical exploits, Hassold notes. "BEC has become a staple in cyberattacks for scammers because they are very easy to deploy [and] require very little technical expertise or knowledge," he says.

Importantly, the success rate does not need to be very high for BEC to be profitable. "If even one percent of 1,000 attacks is successful, it could generate hundreds of thousands of dollars," for the criminals, Hassold says.

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-2729
PUBLISHED: 2019-06-19
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise ...
CVE-2019-3737
PUBLISHED: 2019-06-19
Dell EMC Avamar ADMe Web Interface 1.0.50 and 1.0.51 are affected by an LFI vulnerability which may allow a malicious user to download arbitrary files from the affected system by sending a specially crafted request to the Web Interface application.
CVE-2019-3787
PUBLISHED: 2019-06-19
Cloud Foundry UAA, versions prior to 73.0.0, falls back to appending ?unknown.org? to a user's email address when one is not provided and the user name does not contain an @ character. This domain is held by a private company, which leads to attack vectors including password recovery emails sent to ...
CVE-2019-12900
PUBLISHED: 2019-06-19
BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.
CVE-2019-12893
PUBLISHED: 2019-06-19
Alternate Pic View 2.600 has a User Mode Write AV starting at PicViewer!PerfgrapFinalize+0x00000000000a8868.