1/18/2018
04:10 PM

BEC Attacks to Exceed $9B in 2018: Trend Micro

Business email compromise is projected to skyrocket as attackers adopt sophisticated techniques to dupe their victims.

Business email compromise (BEC) attacks are projected to exceed $9 billion in 2018. To put that number in context, it has been less than a year since the FBI reported BEC attacks had become a $5.3 billion industry. Attacks have become more sophisticated as hackers improve their game.

BEC has grown among threat actors due to "its relative simplicity," according to a new Trend Micro report "Tracking Trends in Business Email Compromise (BEC) Schemes." Researchers analyzed BEC as a cybercriminal operation from January through September 2017, dissecting tools and strategies commonly used in these attacks to predict activity for this year.

"This particular type of attack is not going away -- it's only increasing," says Ed Cabrera, chief cybersecurity officer at Trend Micro.

The Internet Crime Complaint Center (IC3) puts BEC attacks in five categories: Bogus Invoice Schemes, CEO Fraud, Account Compromise, Attorney Impersonation, and Data Theft. In this case, researchers split them in two: Credential-grabbing and Email-only. Attackers must be proficient in at least one of these methods for the scheme to work, researchers report.

Method 1: Snatching credentials

This tactic leverages keyloggers and phishing kits to steal credentials and gain access to an organization's email. Researchers noticed an uptick in phishing HTML pages sent as spam attachments, a technique which, while not new, is still effective against unsuspecting users.

Phishing is one of the primary methods used to steal email login data for BEC attacks. Once an attacker compromises a Gmail account, for example, they can impersonate its owner or use personal information or credentials they find in the account.

The other credential-grabbing technique uses malware, which continues to be a problem for targets using antivirus tools because some attackers use crypter services to evade AV detection. Researchers note BEC actors are more frequently using phishing attacks over keyloggers because they're simpler and cheaper; actors don't need to shell out for builders and crypters.

Keyloggers and remote access tools (RATs) are the most common types of malware used for BEC because they're effective and inexpensive. Unlike attacks that rely on phishing to steal a single set of credentials, malware can collect all stored credentials on an infected machine.

Ardamax is one example of a keylogger found in recent BEC attacks. It's cheap (under $50), can send stolen data via SMTP or FTP, has webcam and microphone recording, and offers an option to export encrypted logs that users can browse in its log viewer. Lokibot, a password stealer and coin-wallet stealer, is another commonly used malware. A new version of Lokibot was found in 2017 with new features such as the ability to capture screenshots on the target machine.

Method 2: Targeting inboxes

Email-only BEC attacks, which rely on social engineering, are getting more sophisticated as attackers get smarter. This tactic involves sending an email to someone in the target company's finance department, requesting an exec to transfer money as payment or as a personal favor. Usually, a spoofed email from the CEO is sent to the head of finance.

"The CFO has the authority and ability to request last-minute money transfers within the organizations," says Cabrera. "[Attackers] are trying to capitalize on the relationship between the CEO and CFO."

Cybercriminals launching BEC attacks carefully research their victims. "It's usually the advanced groups, but it's also almost akin to cyberespionage," he continues. "They have a healthy knowledge of who they're targeting, and who in the organization they're going to target."

This research is what makes them successful. Attackers want to know about the organization and its executives: who's on vacation, typical work hours, business travel. They want to know news surrounding the business and operations such as M&A activity and corporate events. Oftentimes actors target ADP credentials and payment/benefits information so they can better understand the employees they're targeting. All of this data, both public and private, leads to success.

"We're seeing a shift: 'How do we compromise email infrastructure and dig even deeper?'" Cabrera notes.

Social engineering scams can be tough to spot. Sometimes the subject line will give an attacker away; based on analysis of BEC email samples, more than two-thirds had subjects containing terms "request," "payment," or "urgent." Many said "wire transfer request" and "wire request."

In the "Reply To" line, many attackers add their email addresses so they can view replies from target recipients. Most email clients don't show the reply-to addresses, so they get away with it. If they don't do this, they create a legitimate-looking email address to impersonate a corporate executive. These usually involve free webmail services like "accountant.com" and "workmail.com."
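The Reply-To and subject-line tells described above can be turned into a simple gateway-side check. The following is an added example, not code from the article or from Trend Micro; the free-webmail domains and subject keywords are the ones the article cites, and the sample message is constructed.

```python
# Added example (not from the Trend Micro report or the article): score raw
# email headers for the BEC tells described above, namely a Reply-To whose
# domain differs from the From domain, a free-webmail sender domain, and a
# subject built from "request", "payment", "urgent" or "wire".
from email import message_from_string
from email.utils import parseaddr

# Illustrative values taken from the article, not a complete list; extend
# them from your own mail-gateway telemetry.
FREE_WEBMAIL = {"accountant.com", "workmail.com"}
SUBJECT_TERMS = ("request", "payment", "urgent", "wire")


def _domain(header_value):
    """Return the lower-cased domain part of an address header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def bec_indicators(raw_message):
    """Return the list of BEC indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    hits = []
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To"))
    # A Reply-To pointing somewhere other than the From domain means replies
    # silently leave the organisation; most clients never show this header.
    if reply_dom and reply_dom != from_dom:
        hits.append("reply-to-mismatch")
    if from_dom in FREE_WEBMAIL or reply_dom in FREE_WEBMAIL:
        hits.append("free-webmail-domain")
    subject = (msg.get("Subject") or "").lower()
    if any(term in subject for term in SUBJECT_TERMS):
        hits.append("urgent-payment-subject")
    return hits


# Constructed sample: a spoofed "CEO" mail with a hidden Reply-To.
SAMPLE = """From: CEO <ceo@example-corp.test>
Reply-To: ceo.example-corp@accountant.com
To: cfo@example-corp.test
Subject: Urgent wire transfer request

Are you at your desk? I need a payment sent today.
"""

if __name__ == "__main__":
    print(bec_indicators(SAMPLE))
```

A message that trips two or more indicators is a reasonable candidate for quarantine or an out-of-band callback to the purported sender.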

"From a user side, awareness and training is critical," says Cabrera. "From the boardroom down to the server room, make sure [employees] know this is actually happening." He also advises taking a close look at gateway tools, what they're deploying, and how they can protect email.

"You need to understand the gateway is a critical line of defense and we need to be able to defend it," he adds.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments

BrianN060, User Rank: Ninja
1/20/2018 | 3:38:54 PM
With emails, our prime assumption is that emails come from people.
Social-engineering email attacks have links to classic magic show acts - the performer uses our assumptions and expectations, developed through experience, to get us to see what's not there, or not notice what is. 

With emails, our prime assumption is that emails come from people, rather than from the programmed execution of code residing in a number of machines. Next is the assumption that the name in the "From:" header is that of the "person" or entity sending the email. Then we have the primal assumption that an email is an object, sealed by the sender, traveling directly from sender to recipient, its contents unobserved or altered.

It's not surprising that so many carry forward the assumptions from a traditional mail metaphor. Many others know these technologies of digital networks, and social engineering, well enough to exploit the vulnerabilities in the mechanisms and those who rely on them. Conscience brings some of these to help; lack of conscience brings others to a smorgasbord of opportunities to exploit our misconceptions about email.