Hacking the Business Email Compromise
BEC attacks are on the rise, but plain-old spoofing of business executives’ email accounts remains more prevalent.
Business email compromise (BEC) attacks are all the rage and on the rise. But it doesn’t necessarily require a full-blown BEC attack – where the attacker gets the business exec’s email account credentials – to scam an organization out of money. Sometimes all it takes is an old-fashioned spoofed email address.
The FBI recently warned that BEC attacks worldwide have racked up some $3 billion in victim losses, with the average loss at $140,000 per incident. Business email compromise (BEC) attacks – where cybercriminals get control of a business executive’s email account credentials and use the account to steal money from the victim organization – are increasing, as are similar but more simplistic attacks that spoof executives’ email accounts.
New data from email security provider Proofpoint shows a 45% jump in these types of scams overall. The firm studied some 45,000 attack attempts on its customers from October to December 2016 via email-account spoofing or full-blown email account compromises. Two-thirds of those attack attempts employed spoofed emails, and the other third, BECs.
Email spoofing is where an attacker forges an email so that it appears to come from the legitimate owner of an account, either by using a domain that imitates the real one or by placing the legitimate user’s name or address in the visible From field. The spoofed email may display the legitimate email address, but the actual sending or reply-to address is different and masked behind the legitimate user’s name or address.
In a BEC attack, the cybercriminal steals a business exec’s email account credentials in order to pose as that person to trick employees into wiring money or performing other actions on the “exec’s” behalf.
“Attackers are understanding that more than anything” the best weapon is exploiting the human factor to fool companies into wiring money to the bad guy’s accounts, says Patrick Wheeler, director of threat intelligence at Proofpoint. “It’s identity deception at its best. These techniques work.”
More than 70% of the spoofed and BEC emails Proofpoint found came with attention-grabbing subject lines like “Urgent” (30%); “Request” (21%); and “Urgent” (21%). And the targets weren’t all big execs from big companies. Some 15% went after small- to midsized businesses.
Of course these attacks are basically methods of social engineering and phishing, which long have been a popular initial attack vector for malware infections and data breaches.
Email spoofing is much easier to pull off and is often a precursor to a full-blown BEC attack. The two attack methods – spoofing and BEC – unfortunately sometimes get conflated, which can cause confusion. “If there’s no compromise [of an email account], it’s not BEC,” says Joe Stewart, director of malware research at SecureWorks.
Stewart and his research team have infiltrated several BEC and other similar scam operations to peek inside their inner workings. They have watched cybercriminals in some groups teaching one another how to employ these scams. His team has seen BEC schemes that net the attackers anywhere from $30,000 to $250,000.
“BEC is really difficult to spot, versus business email spoofing, which is really easy,” he explains. With a BEC, the email from the CEO to transfer funds actually comes from the real CEO’s account, which makes it harder to discern, he notes.
These types of attacks are growing at a steady pace, he says. “It’s easier to teach someone how to do business email spoofing than to do actual BEC. There are a lot more moving parts through BEC,” Stewart says. “It’s no surprise that there’s a faster growth rate for attackers learning email-spoofing. But I don’t think it’s going to stop there. It’s going to reach a peak … when spoofing is not as effective, and they will adapt” and learn BEC methods, he says.
Researchers from Trend Micro also have seen an increase in BEC activity in the past year. “At a very high level with BEC, we’ve seen an exponential lift in this type of attack,” says Ed Cabrera, chief cybersecurity officer for Trend Micro.
BEC scams are an increasing weapon used by cybercriminals in West Africa, according to recently published data from INTERPOL and Trend Micro. Cybercriminals out of that region from 2013 to 2015 stole an average of $2.7 million from businesses and $422,000 on average from individuals via various scams including BEC.
Duping is Easy
It’s a scenario that plays out far too easily: an employee in the finance department receives an email from the company executive instructing him or her to wire money in what appears to be a legitimate transaction request. By the time the victim organization realizes the transaction was a scam and the email didn’t come from the employee’s boss, the money, like the scammers, is long gone.
But there have been a few high-profile BEC busts in the past year. Just last week, the US Department of Justice announced that law enforcement has arrested a Lithuanian man for allegedly duping two US technology companies into wiring him $100 million over a two-year period. In this case, some of the stolen money was actually recovered, too, in the wake of the arrest.
Last month, the DoJ announced indictments of 19 suspects in a global money-laundering scheme that included the use of BEC and led to $13 million in losses. And in December, Nigerian national David Adindu and several accomplices were charged in a BEC scam operation that targeted thousands of victims and involved some $3.1 billion.
Chris Hadnagy, chief human hacker at Social-Engineer, LLC, says one of his firm’s higher education clients lost $30,000 to a multi-layered and multi-stage attack that included email spoofing of the victim’s CEO. An employee received an email with CEO’s spoofed email address ordering the victim to send the wire transfer ASAP. The attackers then followed up their phishing email with a voice call and posed as the CEO’s assistant to confirm the email message and ensure that the user sent the money to their account.
Hadnagy, whose firm consults and trains companies on protecting against social engineering ploys and attacks, says BEC attacks often begin with a blend of online intel-gathering, phishing and vishing, or combinations of the two – all aimed at ultimately infecting the victim and then hijacking the business email account. The caller says “hey, I’ve got this invoice with your name on it coming to you,” and when the invoice arrives, the victim opens it and his or her system is infected with a keylogger or other malware.
“That [layered and combined] attack is what you’re going to start seeing” with BEC attacks, he says.
He says cybercriminals are setting up actual call centers in Russia, Greece, and Uzbekistan to support their vishing and BEC operations. They hire dozens of people who get paid about $3 per day and man the phones for various scams, including one that poses as the Internal Revenue Service demanding back tax payments. “As soon as they [the call center workers] get to the point where there are money transfers, they say ‘I’ll transfer you to my manager,’” and the call is handed off to another scammer who handles the money, Hadnagy explains.
BEC attacks don’t require malware infections, either: “Credential harvesting is becoming way more popular because it’s so easy to cull web pages and make them look realistic,” he says.
The social engineering expert warns that the next wave will involve vishing and mobile phone compromises. “With BYOD, it’s just a gold mine for an attacker. They compromise your phone while you’re at home and then you plug into the company network,” he says, and a hijacked smartphone can be used as a rogue wireless access point, or its camera and microphone can be employed for spying purposes.
“SIP lines and a voice server are cheap,” he says. “The risk/reward it’s way too high. We’re going to see a massive increase” in these types of attacks, he says.
Training users about social engineering, phishing, email spoofing, and BEC attacks should be part of the routine for businesses, experts say, as well as regular system patching and software updates.
But one of the key technologies that can help organizations prevent such attacks is DMARC, the Domain-based Message Authentication, Reporting and Conformance standard. DMARC lets a domain owner publish a policy that receiving mail servers use to verify that a message’s From domain is backed by a passing SPF or DKIM check, and a strict policy tells receivers to reject or quarantine messages that fail, so that only messages authenticated for the sending domain reach recipients’ inboxes.
Phil Reitinger, president and CEO of the Global Cyber Alliance, says DMARC basically helps make email trustworthy. “You can stop those spoofed email attacks with DMARC,” he says.
But that doesn’t mean DMARC stops all phishing attacks, he says. Just the ones that spoof a domain. “Attackers can still send an email from a lookalike domain.”
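The two mechanisms the article describes, the display-name and reply-to trick behind plain email spoofing and the DMARC alignment check that defeats it, are easier to see in code. The following is an added example, not code from the article or from any of the vendors it quotes. It assumes a simplified DMARC record lookup (a constructed dictionary standing in for DNS), that the receiving server has already determined which domains passed SPF and DKIM, and a crude organizational-domain rule without a public-suffix list; the messages and domains are constructed. The last case shows Reitinger’s caveat: a lookalike domain with its own valid records passes DMARC, so DMARC only stops exact-domain spoofing.

```python
"""Header heuristics for spoofed executive mail plus a DMARC policy evaluation.

Added example; the DMARC records, messages and domains are constructed.
Alignment rules follow RFC 7489 (relaxed = same organizational domain,
strict = exact match), but DNS lookup and SPF/DKIM evaluation are assumed
to have happened upstream.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed DMARC TXT records keyed by domain (stand-in for a DNS lookup).
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "examp1e.com": "v=DMARC1; p=none",  # lookalike domain with its own (valid) records
}


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; adkim=s' into a dict with RFC defaults filled in."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Crude organizational domain: the last two labels (no public-suffix list here)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Does the authenticated domain align with the From domain under mode 's' or 'r'?"""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_verdict(from_domain, spf_domain, dkim_domain, records=DMARC_RECORDS):
    """Return (published policy, passed).

    spf_domain / dkim_domain are the domains that actually passed SPF / DKIM,
    or None when that check failed. With no published record the receiver
    has nothing to enforce.
    """
    record = records.get(from_domain.lower())
    if record is None:
        return "none", False
    tags = parse_dmarc(record)
    passed = aligned(from_domain, spf_domain, tags["aspf"]) or aligned(
        from_domain, dkim_domain, tags["adkim"]
    )
    return tags["p"], passed


def header_red_flags(raw):
    """Cheap heuristics that catch plain spoofing before any DNS check runs."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    from_domain = addr.split("@")[-1]
    flags = []
    # Replies silently routed to a different domain than the visible sender.
    if reply and reply.split("@")[-1].lower() != from_domain.lower():
        flags.append("reply-to-domain-mismatch")
    # An email address used as the display name that differs from the real address.
    if "@" in name and name.strip().lower() != addr.lower():
        flags.append("address-in-display-name")
    # The pressure words the article reports in most of these subject lines.
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in ("urgent", "request", "wire")):
        flags.append("pressure-subject")
    return from_domain, flags


# Constructed spoofed message: the CEO's address sits in the display name only.
SPOOFED = """From: "ceo@example.com" <ceo@mail-relay.invalid>
Reply-To: ceo.example@freemail.invalid
To: controller@example.com
Subject: Urgent wire request

Please wire $30,000 today and confirm by reply.
"""

if __name__ == "__main__":
    print(header_red_flags(SPOOFED))
    # Exact-domain spoof sent from attacker infrastructure: reject policy, no alignment.
    print(dmarc_verdict("example.com", "attacker.invalid", None))
    # Legitimate mail relayed by a subdomain: relaxed SPF alignment passes.
    print(dmarc_verdict("example.com", "mail.example.com", None))
    # Lookalike domain that authenticates itself: DMARC cannot flag it.
    print(dmarc_verdict("examp1e.com", "examp1e.com", None))
```

The header heuristics run on any message and need no DNS, which is why they are worth keeping even after DMARC is deployed; the DMARC function shows that a `p=reject` record with strict DKIM alignment fails mail signed by a subdomain, so rolling out strict alignment without checking the reports first is a common way to break legitimate mail.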