Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/16/2019
02:15 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

BEC Groups Ramp Up Payroll Diversion Attacks

Criminals are increasingly trying to defraud businesses by diverting payrolls of CEOs, other senior executives, Agari says.

Attackers are ramping up efforts to try and scam HR employees at many businesses into diverting the payrolls of CEOs and other highly compensated executives to fraudulent accounts.

Security vendor Agari says it has observed a recent and considerable increase in such payroll diversion attempts via social engineering. The criminal gangs behind these scams appear to have invested considerable resources into understanding organizational hierarchies and knowing exactly whom to target, Agari said in a report this week.

"Payroll diversion has become an emerging threat during the past year," says Crane Hassold, senior director of threat research at Agari. The attacks began ramping up in Q4 2018 and are the latest evolution in business email compromise (BEC) scams, he says.

"Unlike traditional BEC attacks, which are starting to raise red flags with financial institutions, payroll diversion attacks eliminate the interaction with banks because it is a direct deposit instead of a wire transfer," he says.

The typical modus operandi in these scams is for the attacker to assume the identity of the CEO by setting up an email account in the name of the executive. The adversary then sends an email to a previously identified individual within the HR or finance function requesting a change in the existing direct deposit account details and inquiring about what's needed to process the change. The threat actors often are not fazed when asked to provide a voided check displaying the new account's details, and often can provide it. If the scam is successful, the payroll of the executive that was impersonated gets diverted to the attacker-held account.

The payroll diversion approach eliminates the need for attackers to deal with a third-party system, thereby allowing for greater control over the whole process, Agari researchers said. "We’ve observed this type of attack targeting a variety of employees, but the majority target C-suite individuals because the monetary payoff is much greater," says Hassold.

The attacks are scalable in the sense that adversaries can conduct them against a large number of targets at different companies. But the likelihood that the attackers would select multiple targets at the same company is low because of the red flags that it would raise, he said.

BEC attacks have been around for several years and continue to be a potent threat for most organizations. Originally, BEC involved attacks in which an adversary either tricked an individual with signing authority at a company into wire-transferring funds to an attacker-held account, or hijacked an account to achieve the same objective.

As organizations have become savvier about such BEC scams, adversaries have kept introducing new twists as well. In December for instance, security researchers observed a new trend in which threat actors impersonating CEOs tried to get office managers and others with similar authority to purchase gift cards for employees. Though losses from gift card BEC attacks have been relatively small so far in the US—at around $1 million—the scam illustrates how criminal groups have kept trying different ruses to try and defraud businesses.

According to the FBI, the reported global loss from BEC attacks between October 2013 and May 2018 was some $12 billion. The scam has been reported in 150 countries and continues to grow and evolve, the FBI has noted. The agency has described BEC as a threat that impacts organizations of all sizes.

BEC shows how cyber attacks are increasingly leveraging social engineering instead of technical exploits, Hassold notes. "BEC has become a staple in cyberattacks for scammers because they are very easy to deploy [and] require very little technical expertise or knowledge," he says.

Importantly, the success rate does not need to be very high for BEC to be profitable. "If even one percent of 1,000 attacks is successful, it could generate hundreds of thousands of dollars," for the criminals, Hassold says.

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18214
PUBLISHED: 2019-10-19
The Video_Converter app 0.1.0 for Nextcloud allows denial of service (CPU and memory consumption) via multiple concurrent conversions because many FFmpeg processes may be running at once. (The workload is not queued for serial execution.)
CVE-2019-18202
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
CVE-2019-18209
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
CVE-2019-18198
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.
CVE-2019-18197
PUBLISHED: 2019-10-18
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclo...