
11:00 AM
Robert Lemos

Stealing Corporate Funds Still Top Goal of Messaging Attacks

Cybercriminals focus on collecting credentials, blackmailing users with fake sextortion scams, and convincing privileged employees to transfer cash. The latter still causes the most damage, and some signs suggest it is moving to mobile.

Attackers continue to use many of the same phishing techniques as in the past, but, increasingly, the scams are much more targeted and, in some cases, have moved to mobile devices, according to two reports published today.

In its report, messaging-security firm Barracuda Networks found that 83% of targeted phishing attacks, also known as spear-phishing, pose as a message from an administrator at a popular service asking the user to log in. The pretexts vary, from claiming the account has been frozen to asking the user to review a document.

Overall, attackers are moving to spear-phishing attacks because they are relatively low volume and can be sent from popular e-mail services, making it less likely they will be blocked, says Asaf Cidon, vice president of content security at Barracuda.

"Because they are not sending a high volume of attacks — it's quality and not quantity — and it is usually a human manually sending the e-mail and tailoring it, they can afford to send it from a Gmail account," he says. "And basically the popular e-mail security services and cloud providers won't block the e-mail because those services have a high reputation."

Despite advances in anti-spam systems, fraudulent messages continue to reach end users, aiming to take advantage of non-tech-savvy workers to steal their credentials, convince them to pay fake invoices, or convince them that lurid secrets are in criminals' hands.

While e-mail scams that attempt to fool users into giving up their credentials for popular services are the most numerous, the most costly threat continues to be business e-mail compromise (BEC), where the fraudster attempts to fool an employee into paying a fake invoice. While BEC attacks only make up 6% of all spear-phishing attacks, according to Barracuda, they account for the most losses.

In 2017, for example, more than 15,000 BEC complaints were filed with the FBI's Internet Crime Complaint Center (IC3), amounting to an adjusted loss of $675 million, according to the center's annual report. By comparison, ransomware accounted for only $2.3 million in reported losses in 2017, the latest data available, according to the same IC3 report.

Reprising the theme of using high-reputation services, more than 60% of BEC attacks come from one of 10 different e-mail service providers, Barracuda's Cidon says.

"What happened over time is that all these services actually started getting very high sender reputation," he says. "So, effectively, Gmail and Office 365 treat free e-mail services as very high-reputation sender domains."

In some cases, attackers have also started moving victims over to text messaging as the primary conduit for the scam, according to the second report from messaging-security firm Agari. In its analysis, the firm described how the attack starts with a purported message from the company CEO asking for the employee's personal cell to "complete a task for me." The attacker then moves the discussion to SMS text messaging. 
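The two patterns described so far, an executive's name in the display name on a free webmail sender that reputation filters let through, and a lure that asks for the employee's personal cell so the conversation can leave corporate e-mail, can be caught with a simple header-plus-body check before the message reaches the employee. The code below is an added example, not Barracuda's or Agari's detection logic; the organisation domain, the executive roster, the free-mail list and the two sample messages are all constructed for this illustration.

```python
"""Display-name impersonation check for the CEO-to-SMS BEC pattern.

Added example, not detection code from the original page or from the vendors it
cites. ORG_DOMAIN, EXECUTIVES, FREE_MAIL_DOMAINS and the two sample messages
are constructed for the demo.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed organisation domain and roster of protected display names (constructed).
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}

# Free webmail providers that, as the article notes, carry high sender reputation
# and therefore are rarely blocked outright by Gmail or Office 365 (list assumed).
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "aol.com"}

# Lure phrases taken from the attack flow described in the article: pivot to the
# victim's personal phone, then cash out via gift cards or a wire transfer.
LURE_PATTERNS = [
    r"\bpersonal (cell|mobile|phone)\b",
    r"\bcomplete a task for me\b",
    r"\bgift cards?\b",
    r"\bwire transfer\b",
]


def _normalise(name):
    """Lower-case a display name and strip punctuation so 'Jane Doe' == 'jane doe'."""
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


def analyse(raw_message):
    """Return {'findings': [...], 'hold': bool} for one RFC 2822 message string.

    'hold' is set when a protected name arrives from outside ORG_DOMAIN together
    with either a free-mail sender or a known lure phrase; such mail should be
    quarantined pending the out-of-band verification the article recommends.
    """
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []

    impersonation = _normalise(display) in EXECUTIVES and domain != ORG_DOMAIN
    if impersonation:
        findings.append("display name '%s' used from external address %s" % (display, addr))

    free_mail = domain in FREE_MAIL_DOMAINS
    if free_mail:
        findings.append("sender domain %s is free webmail" % domain)

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr:
        findings.append("Reply-To %s differs from From" % reply_addr)

    # Single-part text message assumed; get_payload() then returns the body string.
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    lure_hits = [p for p in LURE_PATTERNS if re.search(p, text)]
    for pat in lure_hits:
        findings.append("lure phrase matched: %s" % pat)

    return {"findings": findings, "hold": impersonation and (free_mail or bool(lure_hits))}


# Constructed sample messages: the CEO-impersonation lure and a benign internal mail.
SAMPLE_BEC = """From: Jane Doe <jane.doe.ceo@gmail.com>
To: bob@example.com
Subject: Quick task

Bob, are you available? I need you to complete a task for me.
Send me your personal cell number so I can text you the details.
"""

SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Board deck

Bob, please send the Q3 deck by Friday.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        result = analyse(sample)
        print(label, "hold=%s" % result["hold"], *result["findings"], sep="\n  ")
```

This is a display-name check only: it does nothing about lookalike domains (`examp1e.com`) or a compromised real executive mailbox, and a legitimate executive mailing from a personal Gmail account would also be held, which is the intended outcome given the second-channel verification the article calls for.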

Rather than aim for high-value accounts, the scam typically focuses on getting the employee to buy gift cards with the corporate credit card, the Agari report states. Gift cards have become a common way for scammers to cash out, with a quarter of fraud ending in payment by gift card, up from 7% in 2015, according to the U.S. Federal Trade Commission.

For victims of BEC scams, text messaging presents additional dangers. The attacker now has the target's mobile number, which allows them to potentially punish non-compliant victims with spam. Employees need to be trained to recognize such fraud, says Crane Hassold, director of threat research at Agari.

In addition, companies need to have a procedure in place to catch the fraudulent transactions before they occur, he says.

"There needs to be a secondhand verification for that request," Hassold says. "If someone is asking for a wire transfer, confirm through a second channel."

Perhaps the easiest way to monetize leaked credentials, no matter which service the username and password originate from, is the increasingly popular sextortion scam. Blackmail, primarily sextortion, accounts for 1 in 10 spear-phishing messages, Barracuda stated in its report. The attackers typically pretend to have access to an online cache of pornography viewed by the target, to have recorded the target watching pornography, or to be a law enforcement agency investigating child pornography.

"The fact that, at this point, it is 10% of targeted attacks is surprising," Barracuda's Cidon says. "It didn't exist a few months back, and now it is one of the most popular attacks on e-mail."

The attacks are likely underreported because of the sensitive nature of the threats, he says. 

The vast majority (88%) of all sextortion e-mail messages used subject lines having to do with a security alert or a password-change request, Barracuda said, and 60% of the messages reused one of just 30 subject lines.

Messaging attacks will continue to be a major threat for companies because they offer an easy way to gain employee credentials, compared with other cyberattacks based on malware, says Agari's Hassold. 

"We have seen cyberattacks decrease significantly over the past couple of years compared to social engineering attacks," he says. "The ROI for social-engineering attacks is much lower. I do not have to stand up that much infrastructure, and I do not need a lot of technical knowledge."


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
