Dark Reading
Vulnerabilities / Threats
Commentary, 5/12/2016 10:30 AM
Tim Helming

Phishing Fraud BECkons: Will You Fall Victim?

Why one company got caught in a Business Email Compromise (BEC) Attack -- and how yours can avoid the same fate.

There has been a lot of news in 2016 about a particular species of phish, the so-called Business Email Compromise (BEC). In this scenario, the attacker poses as an executive of a company, asking someone--usually a subordinate employee--to perform a wire transfer or similar action. When the employee complies and completes the transfer, the company realizes--too late--that it has just given a large payment to a criminal. An investment company in Troy, Michigan, recently lost $495,000 from a BEC phish, so this is not a small matter.

It even hit close to my (professional) home: DomainTools’ CFO recently received a spear phish purporting to come from our CEO, asking her to make a wire transfer of funds. The sending email address was a clever look-alike of “domaintools.com,” using some substituted characters. Fortunately our CFO is very savvy and knew right away that her boss wouldn’t actually make such a request in that way. But it underscores how common this kind of BEC phish is -- and how easy it is for criminals to spoof legitimate emails.

Besides the obvious pain this causes to companies and their employees, this attack trend is troubling on many other levels:

Social engineering: The above example notwithstanding, collectively, people are still quite vulnerable to social engineering attacks. In the BEC scenario, the attacker is able to convincingly pose as the executive, and in the strongest examples, the fiction goes beyond the simple “from” address on the email. The attacker can comb through publicly available information to get details about the personnel and sprinkle these into the email, suppressing the victim’s defenses.

Corporate culture: Many companies still have a very hierarchical culture, and many executives expect prompt and, in some cases, unquestioning compliance with requests. Promptness is not a bad thing by itself, but automatic obedience can be dangerous.

Messaging technology: Relying on email filtering to catch phony emails is dangerous. Many BEC emails sail right past such defenses because they don’t carry the payloads that typically get messages flagged (malware attachments, dangerous links, etc.). Email filtering technologies are necessary, but not sufficient, to protect against spear phishes.

As in so many disasters (and the loss of millions of dollars to fraud would constitute a disaster for any firm), there is often a chain of events that had to occur in a specific way for the fraud to succeed. So there is a silver lining here in that each factor has potential mitigations that can disrupt the attack. Some are quite simple.

Social engineering can be thwarted via education. It’s not realistic to expect that 100% of such attacks can be averted, but any improvement is worthwhile. This is one of the places where employee education can pay big dividends. Social engineering is a human problem, not a technological one, so it must be answered in human terms as well.

As far as corporate culture goes, companies would do well to take a cue from the aviation industry, where many accident investigations have concluded that unquestioning compliance with (faulty) captains’ orders contributed to the disaster. Today, airline and military crew members are encouraged to challenge orders from a captain if they believe them to be dangerous or flawed.

There is a valuable analogy in verifying and, if necessary, challenging corporate orders that carry high stakes. It can be as simple as picking up the phone or walking to an office to ask the superior if the request is legitimate. If the subordinate employee doesn’t feel comfortable doing so, they may be able to find a co-worker who will. It could prevent a tremendous loss.

Messaging security, especially spam/phishing detection, has made many advances over the years, and helps cut the “noise level” of illicit emails tremendously. And, given the prevalence of BECs, it’s possible that detection of such emails will improve. From the forensics standpoint, the “from” email address will often contain a look-alike, illicitly registered domain, so that the attacker can carry out a chain of communications with the victim; such domains can in some cases be blocked before they have “fired their first shot.” But the bottom line is that automated detection will never reach 100%, so the other links in the chain have to be as strong as possible.
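A small mail-header check that applies the forensics point above, as an added example that is not from the article or from DomainTools: it folds common character substitutions out of the sender's domain, flags look-alikes of the protected domain, and flags an executive's display name arriving from an outside domain. The protected domain, the executive name and the substitution table are constructed for illustration.

```python
import re
import unicodedata

# Constructed sample values (not from the article): the organisation's real
# domain and the executive display names a BEC phish typically borrows.
PROTECTED_DOMAIN = "domaintools.com"
EXECUTIVE_NAMES = {"jane ceo"}  # hypothetical

# Common substitutions seen in look-alike domains; after folding them back,
# a spoofed domain that relied on them collapses onto the real one.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d"}

def fold(domain: str) -> str:
    """Lower-case, strip accents/non-ASCII, and undo the confusable substitutions."""
    d = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode().lower()
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Domain part of the address in a From: header value."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()

def classify(from_header: str) -> str:
    """Return 'internal', 'lookalike', 'exec-name-external' or 'external'."""
    dom = sender_domain(from_header)
    if dom == PROTECTED_DOMAIN:
        return "internal"
    folded = fold(dom)
    label = PROTECTED_DOMAIN.split(".")[0]
    # Folded match, a short edit distance, or the brand label embedded in a
    # longer registered name (e.g. brand-secure.com) all count as look-alikes.
    if folded == PROTECTED_DOMAIN or levenshtein(folded, PROTECTED_DOMAIN) <= 2 or label in folded:
        return "lookalike"
    name = re.sub(r"<.*", "", from_header).strip(' "').lower()
    if name in EXECUTIVE_NAMES:
        return "exec-name-external"
    return "external"
```

Routing anything classified as 'lookalike' or 'exec-name-external' to a quarantine or a visible banner, rather than silently dropping it, keeps the human verification step in play when the classifier is wrong.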

If the first few months are any indication, the info security retrospectives at the end of 2016 will cite BECs as one of the big stories, along with ransomware and critical infrastructure attacks. Let’s hope that those stories also contain accounts of successful foiling of BECs. It’s a realistic (if ambitious) goal, but it demands appropriate attention and action.

Tim Helming, DomainTools Director of Product Management, has over 15 years of experience in cybersecurity, from network to cloud to application attacks and defenses. At DomainTools, he applies this background to helping define and evangelize the company's growing portfolio of ...
Comments
DerikK231, User Rank: Apprentice, 5/12/2016 | 11:45:44 AM
Amount Wrong
Hey, in this article it claims the spearphishing attack stole $495 million; I believe the amount was only $495,000. Please check this number and revise the article.

Kelly Jackson Higgins, User Rank: Strategist, 5/12/2016 | 11:50:14 AM
Re: Amount Wrong
You are correct, @DerikK231. That has been corrected. Thank you!