
Vulnerabilities / Threats

5/12/2016
10:30 AM
Tim Helming
Commentary

Phishing Fraud BECkons: Will You Fall Victim?

Why one company got caught in a Business Email Compromise (BEC) Attack -- and how yours can avoid the same fate.

There has been a lot of news in 2016 about a particular species of phish, the so-called Business Email Compromise (BEC). In this scenario, the attacker poses as an executive of a company, asking someone--usually a subordinate employee--to perform a wire transfer or similar action. When the employee complies and completes the transfer, the company realizes--too late--that it has just given a large payment to a criminal. An investment company in Troy, Michigan, recently lost $495,000 from a BEC phish, so this is not a small matter.

It even hit close to my (professional) home: DomainTools’ CFO recently received a spear phish purporting to come from our CEO, asking her to make a wire transfer of funds. The sending email address was a clever look-alike of “domaintools.com,” using some substituted characters. Fortunately our CFO is very savvy and knew right away that her boss wouldn’t actually make such a request in that way. But it underscores how common this kind of BEC phish is -- and how easy it is for criminals to spoof legitimate emails.

Besides the obvious pain this causes to companies and their employees, this attack trend is troubling on many other levels:

Social engineering: The above example notwithstanding, collectively, people are still quite vulnerable to social engineering attacks. In the BEC scenario, the attacker is able to convincingly pose as the executive, and in the strongest examples, the fiction goes beyond the simple “from” address on the email. The attacker can comb through publicly available information to get details about the personnel and sprinkle these into the email, suppressing the victim’s defenses.

Corporate culture: Many companies still have a very hierarchical culture, and many executives expect prompt and, in some cases, unquestioning compliance with requests. Promptness is not a bad thing by itself, but automatic obedience can be dangerous.

Messaging technology: Relying on email filtering to catch phony emails is dangerous. Many BEC emails sail right past such defenses because they don’t carry the payloads that usually get a message flagged (malware attachments, dangerous links, etc.). Email filtering technologies are necessary, but not sufficient, to protect against spear phishes.

As in so many disasters (and the loss of millions of dollars to fraud would constitute a disaster for any firm), there is often a chain of events that had to occur in a specific way for the fraud to succeed. So there is a silver lining here in that each factor has potential mitigations that can disrupt the attack. Some are quite simple.

Social engineering can be thwarted via education. It’s not realistic to expect that 100% of such attacks can be averted, but any improvement is worthwhile. This is one of the places where employee education can pay big dividends. Social engineering is a human problem, not a technological one, so it must be answered in human terms as well.

As far as corporate culture goes, companies would do well to take a cue from the aviation industry, where many accident investigations have concluded that unquestioning compliance with (faulty) captains’ orders contributed to the disaster. Today, airline and military crew members are encouraged to challenge orders from a captain if they believe them to be dangerous or flawed.

There is a valuable analogy in verifying and, if necessary, challenging corporate orders that carry high stakes. It can be as simple as picking up the phone or walking to an office to ask the superior if the request is legitimate. If the subordinate employee doesn’t feel comfortable doing so, they may be able to find a co-worker who will. It could prevent a tremendous loss.

Messaging security, especially spam/phishing detection, has made many advances over the years, and helps cut the “noise level” of illicit emails tremendously. And, given the prevalence of BECs, it’s possible that detection of such emails will improve. From the forensics standpoint, the “from” email address will often contain a look-alike, illicitly registered domain, so that the attacker can carry out a chain of communications with the victim; such domains can in some cases be blocked before they have “fired their first shot.” But the bottom line is that automated detection will never reach 100%, so the other links in the chain have to be as strong as possible.
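The look-alike sender domain described above (a legitimate-looking address with substituted characters) is something a mail gateway or SIEM rule can check for before a wire-transfer request reaches the finance team. This is an added example, not code from the article or from DomainTools; the executive display name and the confusable-character table are constructed for the demo, and the only real value is the article's own domain.

```python
import unicodedata
from email.utils import parseaddr

ORG_DOMAIN = "domaintools.com"            # the legitimate domain from the article's own story
EXEC_DISPLAY_NAMES = {"pat example"}      # constructed executive name for the demo, not from the article

# Substitutions commonly used to build look-alike domains (spoof form -> genuine form).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("ı", "i")]


def skeleton(domain: str) -> str:
    """Collapse a domain to a canonical ASCII form so that look-alikes built
    from substituted characters map onto the genuine domain."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))  # drop accents
    for spoof, real in CONFUSABLES:
        d = d.replace(spoof, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches single-typo domains (one letter dropped or added)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'internal', 'lookalike' or 'external' for a From: header value."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain == ORG_DOMAIN:
        return "internal"
    if skeleton(domain) == skeleton(ORG_DOMAIN) or edit_distance(domain, ORG_DOMAIN) <= 1:
        return "lookalike"
    return "external"


def is_bec_suspect(from_header: str) -> bool:
    """The pattern the article describes: an executive's display name on a
    look-alike domain. Route it to out-of-band verification instead of the inbox."""
    name, _ = parseaddr(from_header)
    return (classify_sender(from_header) == "lookalike"
            and name.strip().lower() in EXEC_DISPLAY_NAMES)
```

A hit from `is_bec_suspect` is exactly the case where the phone call or walk to the executive's office recommended above should happen before any transfer is made.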

If the first few months are any indication, the info security retrospectives at the end of 2016 will cite BECs as one of the big stories, along with ransomware and critical infrastructure attacks. Let’s hope that those stories also contain accounts of successful foiling of BECs. It’s a realistic (if ambitious) goal, but it demands appropriate attention and action.

Tim Helming, DomainTools Director of Product Management, has over 15 years of experience in cybersecurity, from network to cloud to application attacks and defenses. At DomainTools, he applies this background to helping define and evangelize the company's growing portfolio of ...
Comments
DerikK231, User Rank: Apprentice, 5/12/2016 | 11:45:44 AM
Amount Wrong
Hey, in this article it claims the spearphishing attack stole $495 million; I believe the amount was only $495,000. Please check this number and revise the article.
Kelly Jackson Higgins, User Rank: Strategist, 5/12/2016 | 11:50:14 AM
Re: Amount Wrong
You are correct, @DerikK231. That has been corrected. Thank you!