
Vulnerabilities / Threats | Commentary
5/12/2016 10:30 AM
Tim Helming

Phishing Fraud BECkons: Will You Fall Victim?

Why one company got caught in a Business Email Compromise (BEC) Attack -- and how yours can avoid the same fate.

There has been a lot of news in 2016 about a particular species of phish, the so-called Business Email Compromise (BEC). In this scenario, the attacker poses as an executive of the target company and asks someone--usually a subordinate employee--to perform a wire transfer or a similar action. When the employee complies and completes the transfer, the company realizes--too late--that it has just made a large payment to a criminal. An investment company in Troy, Michigan, recently lost $495,000 to a BEC phish, so this is not a small matter.

It even hit close to my (professional) home: DomainTools’ CFO recently received a spear phish purporting to come from our CEO, asking her to make a wire transfer of funds. The sending email address was a clever look-alike of “domaintools.com,” using some substituted characters. Fortunately our CFO is very savvy and knew right away that her boss wouldn’t actually make such a request in that way. But it underscores how common this kind of BEC phish is -- and how easy it is for criminals to spoof legitimate emails.

Besides the obvious pain this causes to companies and their employees, this attack trend is troubling on many other levels:

Social engineering: The above example notwithstanding, people collectively remain quite vulnerable to social engineering. In the BEC scenario, the attacker convincingly poses as the executive, and in the strongest examples the fiction goes well beyond the "from" address on the email. The attacker can comb publicly available information (names, titles, reporting lines, travel announcements) for details about the personnel and sprinkle them into the email, lowering the victim's guard.

Corporate culture: Many companies still have a very hierarchical culture, and many executives expect prompt and, in some cases, unquestioning compliance with their requests. Promptness is not a bad thing by itself, but automatic obedience can be dangerous.

Messaging technology: Relying on email filtering to catch phony emails is dangerous. Many BEC emails sail right past such defenses because they carry none of the payloads that typically get a message flagged (malware attachments, dangerous links, and so on); a BEC message is often plain text whose only suspicious features are the sender's identity and the request itself. Email filtering technologies are necessary, but not sufficient, to protect against spear phishes.

As in so many disasters (and the loss of millions of dollars to fraud would constitute a disaster for any firm), there is often a chain of events that had to occur in a specific way for the fraud to succeed. So there is a silver lining here in that each factor has potential mitigations that can disrupt the attack. Some are quite simple.

Social engineering can be blunted through education. It is not realistic to expect that 100% of such attacks can be averted, but any improvement is worthwhile, and this is one of the places where employee education pays big dividends. Social engineering is a human problem, not a technological one, so it must be answered in human terms as well.

As far as corporate culture goes, companies would do well to take a cue from the aviation industry, where many accident investigations have concluded that unquestioning compliance with a (faulty) captain's orders contributed to the disaster. Today, airline and military crew members are trained to challenge a captain's orders if they believe them to be dangerous or flawed.

The analogy carries over to verifying and, if necessary, challenging corporate orders that carry high stakes. It can be as simple as picking up the phone or walking to an office to ask the superior whether the request is legitimate. The check has to go through a channel the email did not supply: call a number already on file, not one quoted in the message, and don't simply reply to the email, since a reply goes straight back to the attacker. If the subordinate employee doesn't feel comfortable doing so, they may be able to find a co-worker who will. It could prevent a tremendous loss.

Messaging security, especially spam/phishing detection, has made many advances over the years and cuts the "noise level" of illicit email tremendously. And, given the prevalence of BECs, it's possible that detection of such emails will improve. From the forensics standpoint, the "from" address will often use a look-alike domain the attacker has registered for the purpose rather than a plainly forged address, because a domain the attacker controls lets them receive the victim's replies and carry on a chain of communications; such domains can in some cases be identified and blocked before they have "fired their first shot." But the bottom line is that automated detection will never reach 100%, so the other links in the chain have to be as strong as possible.
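The look-alike check described above, applied to the From: header of inbound mail, is shown here as an added example; it is not code from this article or from DomainTools. The protected domain, the substitution table and the sample headers are constructed for illustration, and the edit-distance threshold and the "last two labels" rule for the registrable domain are simplifying assumptions. It goes a little beyond the article's example by also folding punycode (accented) domains and catching the display-name trick, where a legitimate-looking address is shown as the sender's name in front of an unrelated real address.

```python
"""Added example (not code from the article or from DomainTools): tag
look-alike sender domains in From: headers before a BEC message reaches
the recipient. The protected domain, homoglyph table and sample headers
are constructed for illustration."""
import unicodedata
from email.utils import parseaddr

# Constructed: the domain(s) this organisation legitimately sends from.
PROTECTED_DOMAINS = {"domaintools.com"}

# Constructed, illustrative substitution table (real lists are longer).
# Multi-character entries come first so "rn" folds to "m" before "1" to "l".
HOMOGLYPHS = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"),
]


def to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels so accented look-alikes can be folded."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not valid punycode


def normalize(name: str) -> str:
    """Lower-case, strip accents, then fold common visual substitutions."""
    decomposed = unicodedata.normalize("NFKD", name.lower())
    folded = "".join(c for c in decomposed if not unicodedata.combining(c))
    for src, dst in HOMOGLYPHS:
        folded = folded.replace(src, dst)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches typosquats such as a dropped or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Keep the last two labels. Assumption: no public-suffix list, so
    two-part suffixes such as co.uk are not handled."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def classify_sender(from_header: str, protected=PROTECTED_DOMAINS,
                    max_distance: int = 2) -> dict:
    """Classify one From: header value as legitimate, lookalike or unrelated."""
    display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return {"domain": "", "verdict": "unrelated", "reason": "no address domain"}
    raw_domain = addr.rsplit("@", 1)[1].lower()
    domain = registrable(to_unicode(raw_domain))
    good_domains = {g.lower() for g in protected}
    result = {"domain": raw_domain, "verdict": "unrelated",
              "reason": "no resemblance to protected domains"}
    if domain in good_domains:
        result.update(verdict="legitimate", reason="exact match")
        return result
    norm = normalize(domain)
    for good in sorted(good_domains):
        good_norm = normalize(good)
        good_base = good.split(".")[0]
        if norm == good_norm:
            reason = "homoglyph or punycode form of " + good
        elif levenshtein(norm, good_norm) <= max_distance:
            reason = "within edit distance %d of %s" % (max_distance, good)
        elif good_base in norm.split(".")[0]:
            reason = "protected name embedded in " + domain
        elif "@" + good in display_name.lower():
            reason = "display name shows a %s address" % good
        else:
            continue
        result.update(verdict="lookalike", reason=reason)
        return result
    return result


# Constructed sample headers; the punycode form of an accented look-alike is
# generated here rather than copied from any real campaign.
PUNYCODE_SAMPLE = "domäintools.com".encode("idna").decode("ascii")
SAMPLE_HEADERS = [
    "Alice CEO <alice@domaintools.com>",
    "Alice CEO <alice@d0maintools.com>",
    "Alice CEO <alice@dornaintools.com>",
    "Alice CEO <alice@domaintools.co>",
    "Alice CEO <alice@domaintools-secure.com>",
    '"alice@domaintools.com" <alice@gmail.com>',
    "Alice CEO <alice@" + PUNYCODE_SAMPLE + ">",
    "Bob <bob@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        v = classify_sender(header)
        print("%-10s %-28s %s" % (v["verdict"], v["domain"], v["reason"]))
```

Two caveats a practitioner should keep in mind. An "exact match" verdict is only meaningful if the organisation publishes and enforces SPF, DKIM and DMARC for its own domain; otherwise an attacker can simply put the real domain in the From: header and no look-alike analysis will notice. And this is a tagging heuristic, not a verdict: a "lookalike" result should add a visible warning banner or route the message for review, and the out-of-band verification of the request itself still has to happen.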

If the first few months are any indication, the info security retrospectives at the end of 2016 will cite BECs as one of the big stories, along with ransomware and critical infrastructure attacks. Let’s hope that those stories also contain accounts of successful foiling of BECs. It’s a realistic (if ambitious) goal, but it demands appropriate attention and action.

Tim Helming, DomainTools Director of Product Management, has over 15 years of experience in cybersecurity, from network to cloud to application attacks and defenses. At DomainTools, he applies this background to helping define and evangelize the company's growing portfolio of ...
Comments
Kelly Jackson Higgins, User Rank: Strategist
5/12/2016 | 11:50:14 AM
Re: Amount Wrong
You are correct, @DerikK231. That has been corrected. Thank you!
DerikK231, User Rank: Apprentice
5/12/2016 | 11:45:44 AM
Amount Wrong
Hey, in this article it claims the spearphishing attack stole $495 million; I believe the amount was only $495,000. Please check this number and revise the article.