Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4/21/2021
01:00 PM
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

Business Email Compromise Costs Businesses More Than Ransomware

Ransomware gets the headlines, but business paid out $1.8 billion last year to resolve BEC issues, according to an FBI report.

It's readily apparent that ransomware — and its evolution into extortionware — is a critically serious threat. Cisco's Talos Incident Response team has seen it as dominating its responses for seven quarters in a row, and the ecosystem of initial access brokers, service providers, and monetization organizations is sophisticated, well integrated, and extremely effective. Added to that, the average ransomware demand has increased (according to Palo Alto's Crypsis IR Team) to more than $840,000, payments total more than $300,000, and in 2021 we've already seen the record payment demand of $10 million be dwarfed by the reported $50 million asked of Acer.

Related Content:

Business Email Compromise Attacks Involving MFA Bypass Increase

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: The CISO Life Is Half as Good

If you live in the cybersecurity news cycle, you could be forgiven for thinking that ransomware is the only threat. There is always a report of another victim, a new approach, or a new crew. The FBI's 2020 "Internet Crime Report" tells a very different story, however, with reported ransomware payments being extremely low, at under $30 million, with other forms of cybercrime dwarfing this number.

It's likely that this is low than reality, and a significant majority of the payments were paid via third parties or not reported — but it still pales beside business email compromise (BEC). Reported BEC numbers alone are over $1.8 billion for the US, and there's an additional $300 million in fraud that could be similarly attributed.

The Challenge
The good news is that extortionware now works like many other threats and moves through initial compromise, lateral movement, and privilege escalation. The actual encryption (and the associated data exfiltration and other pressure tactics) are simply the easy way to monetize a compromise. This means that organizations that build comprehensive strategies against modern extortionware are protected against many other potential compromises. Those that focus on only one aspect (recovering data, for instance) are left open to a classic data breach.

BEC, though, falls outside of this norm and requires a different focus. It is cyber-by-association — an attack against a person that is commonly delivered by electronic means and the focus is on creating action by deception. The attacks may involve payroll diversion, fake invoices to a supplier, efforts around mergers and acquisition, or many other techniques. The attack can be sourced from a spoofed email address or a compromised real address, or an attacker can insert themselves into a real conversation (switching to a different account) — and the attack may appear to (or be!) from another employee or a supplier. A compromised account is the most valuable because it will evade many protections by dint of being sourced on a legitimate and trusted email server.  

These attacks are not just the simple 419 scams of the 1990s anymore (though it's true that Agari's "Geography of BEC Report" estimates that 50% of BEC attacks originate in Nigeria). They are launched by sophisticated attackers, with mature and tested methodologies, and as FBI statistics show they are financially lucrative to these attackers — and correspondingly damaging to the victim. As defenders, they cannot be ignored. 

Law enforcement agencies are taking action. Last month, Nigerian authorities arrested 18 individuals on charges related to Internet fraud in the latest of a series of actions performed by the Nigerian Economic and Financial Crimes Commission. The attacks are continuing and remain effective — as defenders, we need to ensure our focus is broad enough to include these attacks.

BEC attacks are launched against people, but an effective defense will include technology and process as well as user training and awareness campaigns. From a process perspective, clear separation of duties and an ironbound adherence to requesting significant financial transfers can go a long way, especially in combination with training staff on the impact of the attack, how it could occur, and what the processes are for checking if a request is valid. Technology can help too — email fraud prevention solutions can help detect spoofed accounts (rather than just focusing on phishing), while strong authentication methods for risky individuals (which may include executives) can reduce the risk of an account compromise.

Just like the latest hot technology trend is not a silver bullet, extortionware isn't the only attack. Looking at risk is fundamental to security, and it's crucial to get a clear picture of the actual threats you face and their consequences.

Charlie Winckless is the Senior Director of Cybersecurity Solutions for Presidio, setting strategic direction both internally to Presidio and helping clients build digital trust. He is a cybersecurity veteran with over 20 years' experience in the field and cut his IT teeth at ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Data Breaches Affect the Enterprise
Data breaches continue to cause negative outcomes for companies worldwide. However, many organizations report that major impacts have declined significantly compared with a year ago, suggesting that many have gotten better at containing breach fallout. Download Dark Reading's Report "How Data Breaches Affect the Enterprise" to delve more into this timely topic.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-4020
PUBLISHED: 2021-11-27
janus-gateway is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-23654
PUBLISHED: 2021-11-26
This affects all versions of package html-to-csv. When there is a formula embedded in a HTML page, it gets accepted without any validation and the same would be pushed while converting it into a CSV file. Through this a malicious actor can embed or generate a malicious link or execute commands via C...
CVE-2021-43785
PUBLISHED: 2021-11-26
@joeattardi/emoji-button is a Vanilla JavaScript emoji picker component. In affected versions there are two vectors for XSS attacks: a URL for a custom emoji, and an i18n string. In both of these cases, a value can be crafted such that it can insert a `script` tag into the page and execute malicious...
CVE-2021-43776
PUBLISHED: 2021-11-26
Backstage is an open platform for building developer portals. In affected versions the auth-backend plugin allows a malicious actor to trick another user into visiting a vulnerable URL that executes an XSS attack. This attack can potentially allow the attacker to exfiltrate access tokens or other se...
CVE-2021-41243
PUBLISHED: 2021-11-26
There is a Potential Zip Slip Vulnerability and OS Command Injection Vulnerability on the management system of baserCMS. Users with permissions to upload files may upload crafted zip files which may execute arbitrary commands on the host operating system. This is a vulnerability that needs to be add...