
1/16/2019
02:15 PM

BEC Groups Ramp Up Payroll Diversion Attacks

Criminals are increasingly trying to defraud businesses by diverting payrolls of CEOs, other senior executives, Agari says.

Attackers are ramping up efforts to scam HR employees at many businesses into diverting the payrolls of CEOs and other highly compensated executives to fraudulent accounts.

Security vendor Agari says it has observed a recent and considerable increase in such payroll diversion attempts via social engineering. The criminal gangs behind these scams appear to have invested considerable resources into understanding organizational hierarchies and knowing exactly whom to target, Agari said in a report this week.

"Payroll diversion has become an emerging threat during the past year," says Crane Hassold, senior director of threat research at Agari. The attacks began ramping up in Q4 2018 and are the latest evolution in business email compromise (BEC) scams, he says.

"Unlike traditional BEC attacks, which are starting to raise red flags with financial institutions, payroll diversion attacks eliminate the interaction with banks because it is a direct deposit instead of a wire transfer," he says.

The typical modus operandi in these scams is for the attacker to assume the identity of the CEO by setting up an email account in the name of the executive. The adversary then sends an email to a previously identified individual within the HR or finance function requesting a change in the existing direct deposit account details and inquiring about what's needed to process the change. The threat actors are usually not fazed when asked to provide a voided check displaying the new account's details, and can often supply one. If the scam is successful, the payroll of the impersonated executive gets diverted to the attacker-held account.

The payroll diversion approach eliminates the need for attackers to deal with a third-party system, thereby allowing for greater control over the whole process, Agari researchers said. "We’ve observed this type of attack targeting a variety of employees, but the majority target C-suite individuals because the monetary payoff is much greater," says Hassold.
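The pattern described above, an executive's name on a mailbox the company does not control combined with a direct-deposit request to HR, is something a mail gateway or HR-inbox rule can screen for. The following is an added example, not code from Agari or the article; the executive directory, corporate domain and sample messages are constructed for illustration.

```python
# Added example (not from the article or Agari): an inbound-mail screen for the
# payroll-diversion pattern described above, where an executive's name appears
# on an outside mailbox and the message asks HR to change direct-deposit details.
import re
from email.utils import parseaddr

# Assumption: executive directory and corporate domain are constructed here.
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com", "raj patel": "raj.patel@example.com"}

# Phrases typical of a direct-deposit change request (constructed list).
PAYROLL_PATTERNS = re.compile(
    r"direct deposit|payroll|bank(ing)? (account|details|information)|voided check",
    re.IGNORECASE)

def normalize(name: str) -> str:
    """Lower-case and collapse whitespace so 'Jane  DOE' matches 'jane doe'."""
    return " ".join(name.lower().split())

def screen_message(msg: dict) -> list:
    """Return the red flags in one message (keys: from, reply_to, subject, body)."""
    display, addr = parseaddr(msg.get("from", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    exec_addr = EXECUTIVES.get(normalize(display))
    if exec_addr and domain != CORP_DOMAIN:
        # Executive's name on a mailbox outside the company: the setup in the article.
        reasons.append(f"identity: '{display}' sent from external domain {domain}")
    elif exec_addr and addr.lower() != exec_addr:
        # Right domain but wrong mailbox, e.g. a lookalike or hijacked internal account.
        reasons.append(f"identity: '{display}' does not match directory address {exec_addr}")
    _, reply = parseaddr(msg.get("reply_to", ""))
    if reply and reply.lower() != addr.lower():
        reasons.append(f"identity: reply-to {reply} differs from sender {addr}")
    if PAYROLL_PATTERNS.search(msg.get("subject", "") + "\n" + msg.get("body", "")):
        reasons.append("request: message concerns payroll / direct-deposit details")
    return reasons

def is_suspect(msg: dict) -> bool:
    """True only when an identity red flag coincides with a payroll request."""
    reasons = screen_message(msg)
    return any(r.startswith("identity:") for r in reasons) and any(r.startswith("request:") for r in reasons)

# Constructed samples: an impersonation attempt, then a genuine request from the CEO.
SAMPLES = [
    {"from": "Jane Doe <jane.doe.ceo@webmail.example.net>", "reply_to": "",
     "subject": "Quick request", "body": "I need to change my direct deposit "
     "before the next payroll. What do you need from me to process it?"},
    {"from": "Jane Doe <jane.doe@example.com>", "reply_to": "",
     "subject": "Direct deposit update", "body": "Attached is a voided check."},
]
```

A hit from `is_suspect` is a trigger for out-of-band verification of the request with the executive, not proof of fraud on its own, since a genuine change request from a personal mailbox will also match.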

The attacks are scalable in the sense that adversaries can conduct them against a large number of targets at different companies. But the likelihood that the attackers would select multiple targets at the same company is low because of the red flags that would raise, he says.

BEC attacks have been around for several years and continue to be a potent threat for most organizations. Originally, BEC involved attacks in which an adversary either tricked an individual with signing authority at a company into wire-transferring funds to an attacker-held account, or hijacked an account to achieve the same objective.

As organizations have become savvier about such BEC scams, adversaries have kept introducing new twists as well. In December, for instance, security researchers observed a new trend in which threat actors impersonating CEOs tried to get office managers and others with similar authority to purchase gift cards for employees. Though losses from gift card BEC attacks have been relatively small so far in the US—at around $1 million—the scam illustrates how criminal groups have kept trying different ruses to defraud businesses.

According to the FBI, the reported global loss from BEC attacks between October 2013 and May 2018 was some $12 billion. The scam has been reported in 150 countries and continues to grow and evolve, the FBI has noted. The agency has described BEC as a threat that impacts organizations of all sizes.

BEC shows how cyber attacks are increasingly leveraging social engineering instead of technical exploits, Hassold notes. "BEC has become a staple in cyberattacks for scammers because they are very easy to deploy [and] require very little technical expertise or knowledge," he says.

Importantly, the success rate does not need to be very high for BEC to be profitable. "If even one percent of 1,000 attacks is successful, it could generate hundreds of thousands of dollars" for the criminals, Hassold says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
