Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4/21/2021
01:00 PM
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

Business Email Compromise Costs Businesses More Than Ransomware

Ransomware gets the headlines, but business paid out $1.8 billion last year to resolve BEC issues, according to an FBI report.

It's readily apparent that ransomware — and its evolution into extortionware — is a critically serious threat. Cisco's Talos Incident Response team has seen it as dominating its responses for seven quarters in a row, and the ecosystem of initial access brokers, service providers, and monetization organizations is sophisticated, well integrated, and extremely effective. Added to that, the average ransomware demand has increased (according to Palo Alto's Crypsis IR Team) to more than $840,000, payments total more than $300,000, and in 2021 we've already seen the record payment demand of $10 million be dwarfed by the reported $50 million asked of Acer.

Related Content:

Business Email Compromise Attacks Involving MFA Bypass Increase

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: The CISO Life Is Half as Good

If you live in the cybersecurity news cycle, you could be forgiven for thinking that ransomware is the only threat. There is always a report of another victim, a new approach, or a new crew. The FBI's 2020 "Internet Crime Report" tells a very different story, however, with reported ransomware payments being extremely low, at under $30 million, with other forms of cybercrime dwarfing this number.

It's likely that this is low than reality, and a significant majority of the payments were paid via third parties or not reported — but it still pales beside business email compromise (BEC). Reported BEC numbers alone are over $1.8 billion for the US, and there's an additional $300 million in fraud that could be similarly attributed.

The Challenge
The good news is that extortionware now works like many other threats and moves through initial compromise, lateral movement, and privilege escalation. The actual encryption (and the associated data exfiltration and other pressure tactics) are simply the easy way to monetize a compromise. This means that organizations that build comprehensive strategies against modern extortionware are protected against many other potential compromises. Those that focus on only one aspect (recovering data, for instance) are left open to a classic data breach.

BEC, though, falls outside of this norm and requires a different focus. It is cyber-by-association — an attack against a person that is commonly delivered by electronic means and the focus is on creating action by deception. The attacks may involve payroll diversion, fake invoices to a supplier, efforts around mergers and acquisition, or many other techniques. The attack can be sourced from a spoofed email address or a compromised real address, or an attacker can insert themselves into a real conversation (switching to a different account) — and the attack may appear to (or be!) from another employee or a supplier. A compromised account is the most valuable because it will evade many protections by dint of being sourced on a legitimate and trusted email server.  

These attacks are not just the simple 419 scams of the 1990s anymore (though it's true that Agari's "Geography of BEC Report" estimates that 50% of BEC attacks originate in Nigeria). They are launched by sophisticated attackers, with mature and tested methodologies, and as FBI statistics show they are financially lucrative to these attackers — and correspondingly damaging to the victim. As defenders, they cannot be ignored. 

Law enforcement agencies are taking action. Last month, Nigerian authorities arrested 18 individuals on charges related to Internet fraud in the latest of a series of actions performed by the Nigerian Economic and Financial Crimes Commission. The attacks are continuing and remain effective — as defenders, we need to ensure our focus is broad enough to include these attacks.

BEC attacks are launched against people, but an effective defense will include technology and process as well as user training and awareness campaigns. From a process perspective, clear separation of duties and an ironbound adherence to requesting significant financial transfers can go a long way, especially in combination with training staff on the impact of the attack, how it could occur, and what the processes are for checking if a request is valid. Technology can help too — email fraud prevention solutions can help detect spoofed accounts (rather than just focusing on phishing), while strong authentication methods for risky individuals (which may include executives) can reduce the risk of an account compromise.

Just like the latest hot technology trend is not a silver bullet, extortionware isn't the only attack. Looking at risk is fundamental to security, and it's crucial to get a clear picture of the actual threats you face and their consequences.

Charlie Winckless is the Senior Director of Cybersecurity Solutions for Presidio, setting strategic direction both internally to Presidio and helping clients build digital trust. He is a cybersecurity veteran with over 20 years' experience in the field and cut his IT teeth at ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31755
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setmac allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31756
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /gofrom/setwanType allows attackers to execute arbitrary code on the system via a crafted post request. This occurs when input vector controlled by malicious attack get copie...
CVE-2021-31757
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setVLAN allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31758
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setportList allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31458
PUBLISHED: 2021-05-07
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handlin...