Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/16/2019
02:15 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

BEC Groups Ramp Up Payroll Diversion Attacks

Criminals are increasingly trying to defraud businesses by diverting payrolls of CEOs, other senior executives, Agari says.

Attackers are ramping up efforts to try and scam HR employees at many businesses into diverting the payrolls of CEOs and other highly compensated executives to fraudulent accounts.

Security vendor Agari says it has observed a recent and considerable increase in such payroll diversion attempts via social engineering. The criminal gangs behind these scams appear to have invested considerable resources into understanding organizational hierarchies and knowing exactly whom to target, Agari said in a report this week.

"Payroll diversion has become an emerging threat during the past year," says Crane Hassold, senior director of threat research at Agari. The attacks began ramping up in Q4 2018 and are the latest evolution in business email compromise (BEC) scams, he says.

"Unlike traditional BEC attacks, which are starting to raise red flags with financial institutions, payroll diversion attacks eliminate the interaction with banks because it is a direct deposit instead of a wire transfer," he says.

The typical modus operandi in these scams is for the attacker to assume the identity of the CEO by setting up an email account in the name of the executive. The adversary then sends an email to a previously identified individual within the HR or finance function requesting a change in the existing direct deposit account details and inquiring about what's needed to process the change. The threat actors often are not fazed when asked to provide a voided check displaying the new account's details, and often can provide it. If the scam is successful, the payroll of the executive that was impersonated gets diverted to the attacker-held account.

The payroll diversion approach eliminates the need for attackers to deal with a third-party system, thereby allowing for greater control over the whole process, Agari researchers said. "We’ve observed this type of attack targeting a variety of employees, but the majority target C-suite individuals because the monetary payoff is much greater," says Hassold.

The attacks are scalable in the sense that adversaries can conduct them against a large number of targets at different companies. But the likelihood that the attackers would select multiple targets at the same company is low because of the red flags that it would raise, he said.

BEC attacks have been around for several years and continue to be a potent threat for most organizations. Originally, BEC involved attacks in which an adversary either tricked an individual with signing authority at a company into wire-transferring funds to an attacker-held account, or hijacked an account to achieve the same objective.

As organizations have become savvier about such BEC scams, adversaries have kept introducing new twists as well. In December for instance, security researchers observed a new trend in which threat actors impersonating CEOs tried to get office managers and others with similar authority to purchase gift cards for employees. Though losses from gift card BEC attacks have been relatively small so far in the US—at around $1 million—the scam illustrates how criminal groups have kept trying different ruses to try and defraud businesses.

According to the FBI, the reported global loss from BEC attacks between October 2013 and May 2018 was some $12 billion. The scam has been reported in 150 countries and continues to grow and evolve, the FBI has noted. The agency has described BEC as a threat that impacts organizations of all sizes.

BEC shows how cyber attacks are increasingly leveraging social engineering instead of technical exploits, Hassold notes. "BEC has become a staple in cyberattacks for scammers because they are very easy to deploy [and] require very little technical expertise or knowledge," he says.

Importantly, the success rate does not need to be very high for BEC to be profitable. "If even one percent of 1,000 attacks is successful, it could generate hundreds of thousands of dollars," for the criminals, Hassold says.

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 New Cybersecurity Vulnerabilities That Could Put Your Enterprise at Risk
In this Dark Reading Tech Digest, we look at the ways security researchers and ethical hackers find critical vulnerabilities and offer insights into how you can fix them before attackers can exploit them.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17475
PUBLISHED: 2020-08-14
Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3s allows attackers to grant physical access to anyone by sending packet data to UDP port 5000.
CVE-2020-0255
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-10751. Reason: This candidate is a duplicate of CVE-2020-10751. Notes: All CVE users should reference CVE-2020-10751 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-14353
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-18270. Reason: This candidate is a duplicate of CVE-2017-18270. Notes: All CVE users should reference CVE-2017-18270 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-17464
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2020-17473
PUBLISHED: 2020-08-14
Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.