
Threat Intelligence

3/27/2017
10:00 PM
Hacking the Business Email Compromise

BEC attacks are on the rise, but plain-old spoofing of business executives' email accounts remains more prevalent.

Business email compromise (BEC) attacks are all the rage and on the rise. But it doesn't necessarily require a full-blown BEC attack to scam an organization out of money. Sometimes all it takes is an old-fashioned spoofed email address.

The FBI recently warned that BEC attacks worldwide have racked up some $3 billion in victim losses, with an average loss of $140,000 per incident. BEC attacks, in which cybercriminals gain control of a business executive's email account credentials and use that account to steal money from the victim organization, are increasing, as are similar but simpler attacks that merely spoof executives' email addresses.

New data from email security provider Proofpoint shows a 45% jump in these types of scams overall. The firm studied some 45,000 attack attempts on its customers from October to December 2016 via email-account spoofing or full-blown email account compromises. Two-thirds of those attack attempts employed spoofed emails, and the other third, BECs.

In email spoofing, the attacker forges a message so that it appears to come from the legitimate owner of an account on a real email domain. The spoofed message may display the legitimate address, for example, while the actual reply or return address is different and hidden behind the legitimate user's display name or address.
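The header inconsistencies described above are exactly what a mail gateway or analyst can check for. The following is an added example, not code from the article: it reads a raw message with Python's standard `email` package and reports four indicators, a display name that shows an address on a different domain than the real sender, an off-domain Reply-To, an off-domain Return-Path, and the lure words the article says dominate subject lines. The two messages at the bottom are constructed samples, and example.com standing in for the company's own domain is an assumption.

```python
"""Flag header-level email-spoofing indicators (added example, not from the article)."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Matches an email address embedded in free text such as a display name.
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Subject words the article reports as the most common in these lures.
LURE_WORDS = ("payment", "request", "urgent")


def domain_of(addr: str) -> str:
    """Lower-cased part after '@', or '' when the string has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spoofing_indicators(raw: str) -> list[str]:
    """Return the indicators found in one RFC 5322 message (empty list = none).

    A hit is a heuristic, not proof of fraud; a true BEC message is sent from
    the real account and shows none of these inconsistencies.
    """
    msg = message_from_string(raw, policy=default)
    findings: list[str] = []

    if msg["From"] is None or not msg["From"].addresses:
        return ["missing or empty From header"]
    sender = msg["From"].addresses[0]
    from_addr = sender.addr_spec
    from_dom = domain_of(from_addr)

    # 1. Display name carries an address on a different domain than the real
    #    sender: the "legitimate address shown, different account used" trick.
    for shown in ADDR_RE.findall(sender.display_name):
        if domain_of(shown) != from_dom:
            findings.append(f"display name shows {shown} but sender is {from_addr}")

    # 2. Replies are steered to a domain other than the claimed sender's.
    if msg["Reply-To"] is not None:
        for reply in msg["Reply-To"].addresses:
            if domain_of(reply.addr_spec) != from_dom:
                findings.append(f"Reply-To {reply.addr_spec} is off-domain for {from_dom}")

    # 3. Envelope sender (Return-Path) does not match the From domain.
    _, bounce = parseaddr(str(msg["Return-Path"] or ""))
    if bounce and domain_of(bounce) != from_dom:
        findings.append(f"Return-Path {bounce} is off-domain for {from_dom}")

    # 4. Lure vocabulary in the subject (weak alone, telling together with 1-3).
    subject = str(msg["Subject"] or "").lower()
    if any(word in subject for word in LURE_WORDS):
        findings.append(f"lure word in subject: {subject!r}")

    return findings


# Constructed sample: spoofed "CEO" request with every indicator present.
SPOOFED = """\
From: "ceo@example.com" <ceo@example-mail.biz>
Reply-To: jane.ceo@webmail.example
Return-Path: <bounce@bulk-relay.example>
Subject: Urgent payment request
To: ap-clerk@example.com

Please wire the attached invoice today. I'm in meetings, reply here only.
"""

# Constructed sample: ordinary internal mail, no indicators.
LEGIT = """\
From: Jane Doe <ceo@example.com>
Return-Path: <ceo@example.com>
Subject: Board deck draft
To: ap-clerk@example.com

Draft attached, no action needed.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, spoofing_indicators(raw))
```

Run the file as-is to see the spoofed sample produce four findings and the legitimate one none. In production the same checks belong in the gateway's rule set, with the Return-Path and Reply-To tests tuned for legitimate bulk relays and ticketing systems that set them deliberately.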

In a BEC attack, the cybercriminal steals a business exec's email account credentials in order to pose as that person to trick employees into wiring money or performing other actions on the "exec's" behalf.

"Attackers are understanding that more than anything" the best weapon is exploiting the human factor to fool companies into wiring money to the bad guy's accounts, says Patrick Wheeler, director of threat intelligence at Proofpoint. "It's identity deception at its best. These techniques work."

More than 70% of the spoofed and BEC emails Proofpoint found came with attention-grabbing subject lines like "Payment" (30%), "Request" (21%), and "Urgent" (21%). And the targets weren't all big execs from big companies. Some 15% went after small- to midsized businesses.

Of course, these attacks are basically methods of social engineering and phishing, which have long been a popular initial attack vector for malware infections and data breaches.

Email spoofing is much easier to pull off and is often a precursor to a full-blown BEC attack. The two attack methods, spoofing and BEC, unfortunately sometimes get conflated, which causes confusion. "If there's no compromise [of an email account], it's not BEC," says Joe Stewart, director of malware research at SecureWorks.

Stewart and his research team have infiltrated several BEC and other similar scam operations to peek inside their inner workings. They have watched cybercriminals in some groups teaching one another how to employ these scams. His team has seen BEC schemes that net the attackers anywhere from $30,000 to $250,000.

"BEC is really difficult to spot, versus business email spoofing, which is really easy," he explains. With a BEC, the email from the CEO to transfer funds actually comes from the real CEO's account, which makes it harder to discern, he notes.

These types of attacks are growing at a steady pace, he says. "It's easier to teach someone how to do business email spoofing than to do actual BEC. There are a lot more moving parts through BEC," Stewart says. "It's no surprise that there's a faster growth rate for attackers learning email-spoofing. But I don't think it's going to stop there. It's going to reach a peak … when spoofing is not as effective, and they will adapt" and learn BEC methods, he says.

Researchers from Trend Micro also have seen an increase in BEC activity in the past year. "At a very high level with BEC, we've seen an exponential lift in this type of attack," says Ed Cabrera, chief cybersecurity officer for Trend Micro.


BEC scams are an increasing weapon used by cybercriminals in West Africa, according to recently published data from INTERPOL and Trend Micro. Cybercriminals out of that region from 2013 to 2015 stole an average of $2.7 million from businesses and $422,000 on average from individuals via various scams including BEC.

Duping is Easy

It's a scenario that plays out far too easily: an employee in the finance department receives an email from the company executive instructing him or her to wire money in what appears to be a legitimate transaction request. By the time the victim organization realizes the transaction was a scam and the email didn't come from the employee's boss, the money is long gone, as well as the bad guys.

But there have been a few high-profile BEC busts in the past year. Just last week, the US Department of Justice announced that law enforcement has arrested a Lithuanian man for allegedly duping two US technology companies into wiring him $100 million over a two-year period. In this case, some of the stolen money was actually recovered in the wake of the arrest.

Last month, the DoJ announced indictments of 19 suspects in a global money-laundering scheme that included the use of BEC and led to $13 million in losses. And in December, Nigerian national David Adindu and several accomplices were charged in a BEC scam operation that targeted thousands of victims and involved some $3.1 billion. 

Chris Hadnagy, chief human hacker at Social-Engineer, LLC, says one of his firm's higher education clients lost $30,000 to a multi-layered and multi-stage attack that included email spoofing of the victim's CEO. An employee received an email with the CEO's spoofed email address ordering the victim to send the wire transfer ASAP. The attackers then followed up their phishing email with a voice call and posed as the CEO's assistant to confirm the email message and ensure that the user sent the money to their account.

Hadnagy, whose firm consults with and trains companies on protecting against social engineering ploys and attacks, says BEC attacks often begin with a blend of online intel-gathering, phishing, vishing, or combined phishing-and-vishing campaigns, all aimed at infecting the victim and then hijacking the business email account. The caller says "hey, I've got this invoice with your name on it coming to you," and when it arrives, the victim opens it and his or her system is infected with a keylogger or other malware.

"That [layered and combined] attack is what you're going to start seeing" with BEC attacks, he says.

He says cybercriminals are setting up actual call centers in Russia, Greece, and Uzbekistan to support their vishing and BEC operations. They hire dozens of people who get paid about $3 per day and man the phones for various scams, including one that poses as the Internal Revenue Service demanding back tax payments. "As soon as they [the call center workers] get to the point where there are money transfers, they say 'I'll transfer you to my manager,'" and the call is handed off to another scammer who handles the money, Hadnagy explains.

BEC attacks don't require malware infections either: "Credential harvesting is becoming way more popular because it's so easy to cull web pages and make them look realistic," he says.

The social engineering expert warns that the next wave will involve vishing and mobile phone compromises. "With BYOD, it's just a gold mine for an attacker. They compromise your phone while you're at home and then you plug into the company network," he says, and the hijacked smartphone can be used as a rogue wireless access point, or its camera and microphone can be employed for spying purposes.

"SIP lines and a voice server are cheap," he says. "The risk/reward is way too high. We're going to see a massive increase" in these types of attacks.

Defense

Training users about social engineering, phishing, email spoofing, and BEC attacks should be part of the routine for businesses, experts say, as well as regular system patching and software updates.

But one of the key technologies that can help organizations prevent such attacks is DMARC, the Domain-based Message Authentication, Reporting and Conformance standard. DMARC verifies the domain a message claims to come from and lets the domain owner tell receiving mail servers what to do with messages that fail that check, so phony messages can be rejected on arrival and only DMARC-authenticated messages are delivered to recipients' inboxes.

Phil Reitinger, president and CEO of the Global Cyber Alliance, says DMARC basically helps make email trustworthy. "You can stop those spoofed email attacks with DMARC," he says.

But that doesn't mean DMARC stops all phishing attacks, he says. Just the ones that spoof a domain. "Attackers can still send an email from a lookalike domain." 
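The DMARC policy check described in this section, together with the lookalike-domain gap Reitinger points out, as an added example that is not part of the article: it parses a `_dmarc` TXT record, applies the published `p=` policy to a message whose SPF and DKIM alignment results are supplied, and runs a small edit-distance check against the protected domain to catch near-miss domains that DMARC alone never sees. The DNS lookup is replaced by a constructed dictionary so the code runs offline; example.com as the protected domain and the record contents are assumptions.

```python
"""Apply a DMARC record to an authentication result (added example, not from the article)."""

PROTECTED_DOMAIN = "example.com"  # assumption: the organisation's own domain

# Constructed stand-in for the _dmarc.<domain> TXT records a receiver would query.
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com",
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and require a DMARC1 record.

    Only the tags this example uses are defaulted; pct sampling and the sp=
    subdomain policy are parsed but not applied here.
    """
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags.setdefault("p", "none")
    tags.setdefault("pct", "100")
    return tags


def disposition(from_domain: str, spf_aligned: bool, dkim_aligned: bool) -> str:
    """What a receiver should do with a message whose From domain is from_domain.

    spf_aligned / dkim_aligned mean "that mechanism passed AND its domain aligns
    with the From domain". One aligned pass is a DMARC pass; otherwise the
    domain's p= policy applies: 'none' delivers and only reports, 'quarantine'
    sends to spam, 'reject' refuses delivery. A domain with no record gives
    'no-policy', which is how most lookalike domains arrive.
    """
    record = DNS_TXT.get(f"_dmarc.{from_domain.lower()}")
    if record is None:
        return "no-policy"
    policy = parse_dmarc(record)
    if spf_aligned or dkim_aligned:
        return "pass"
    return policy["p"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to score how close a domain is to ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(from_domain: str, protected: str = PROTECTED_DOMAIN) -> bool:
    """True when from_domain is not ours but is within two edits of it.

    This is the case DMARC does not cover: the message authenticates (or has
    no policy at all) for the attacker's own domain, so the receiver must
    compare the From domain against the brands it protects separately.
    """
    candidate = from_domain.lower()
    return candidate != protected and edit_distance(candidate, protected) <= 2


if __name__ == "__main__":
    # Exact-domain spoof with no aligned authentication: policy says reject.
    print("spoof of example.com ->", disposition("example.com", False, False))
    # Genuine mail with aligned DKIM passes.
    print("real example.com mail ->", disposition("example.com", False, True))
    # Weak p=none publishes monitoring only; the spoof is still delivered.
    print("spoof of weak.example ->", disposition("weak.example", False, False))
    # Lookalike: DMARC for example.com is never consulted, so flag it separately.
    print("examp1e.com ->", disposition("examp1e.com", False, False),
          "lookalike:", lookalike_of("examp1e.com"))
```

The contrast between the two records is the practical point: a domain sitting at `p=none` is collecting reports but still lets spoofed mail through, and moving to `p=quarantine` and then `p=reject` once the reports show legitimate mail flows are aligned is what actually stops the exact-domain spoofing the article describes. The lookalike check is deliberately separate, because no policy published by the real domain applies to a near-miss domain the attacker registered.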

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
