Hackers keep improving their methods of compromising business emails
Employing English speakers and subverting ad redirect services are some tactics
Another tactic is simply to reuse infrastructure that already exists. As long as such scams remain lucrative, business email compromise attacks, also known as CEO fraud, will remain among the most common types of online crime.
The lure of BEC attacks is obvious: when successful, attackers have tricked an individual, ideally at a larger business, into transferring money directly into an attacker-controlled account. A single successful attack can net criminals tens of millions of dollars, and executives who fail to prevent such attacks may lose their jobs.
Fraud complaints received by the FBI’s Internet Crime Complaint Center, or IC3, rose to a record-setting number, owing primarily to phishing attacks and business email compromise fraud, according to its latest annual Internet Crime Report.
The FBI reported that BEC losses rose from $1.7 billion in 2019 to $1.8 billion in 2020, an average loss of $92,932 per complaint.
BEC attacks were the most common claim filed by policyholders during the first half of this year, accounting for 23% of all reported incidents, up 51% from the first half of 2020, according to cyber insurer Coalition. Coalition says BEC incidents remain the most prevalent because email is the dominant attack surface for most organizations, and notes that the average BEC claim in the first half of this year was $37,000.
Advertising Redirect Service Subverted
Fraudsters regularly refine their tactics to improve their chances of success. Throughout the pandemic, for example, an increasing number of BEC attacks have used COVID-19 as a lure.
Likewise, subverting legitimate services remains a favorite way for attackers to support their campaigns.
BEC phishing emails are increasingly using redirect techniques to hide their landing pages, according to incident response expert David Stubley, who heads Edinburgh, Scotland-based security testing and consultancy firm 7 Elements.
An advertising network sets up a redirect service to support its customers' campaigns: each time a user clicks a tracked link, the service forwards them to a destination defined by the customer, typically a landing page for the product or service being sold.
Such services are legitimate in the sense that they support multiple ad campaigns, Stubley says, but once malicious actors identify one they can repurpose it to send victims to pages of their own choosing, he tells Information Security Media Group.
One recent campaign he spotted, for example, redirected recipients to a fake Office 365 login page designed to steal their credentials.
For any organization that runs a redirect service, he recommends reviewing the service's web logs to check for malicious use, since those logs will reveal redirects that attackers have subverted.
Stubley says he has tried alerting the advertising network that its redirect service is being subverted by BEC attackers as part of a phishing campaign.
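The log review Stubley recommends can be automated. The following is an added example, not tooling from 7 Elements or any ad network: it parses constructed access-log lines from a hypothetical redirect endpoint `/r?c=<campaign id>` and flags three abuse patterns, a caller-supplied destination parameter (`u=`, an assumed open-redirect feature), an unregistered campaign id, and a registered campaign whose redirect now points somewhere its advertiser never configured. The log format, the campaign registry and the phishing hostnames are all assumptions made up for the demonstration.

```python
"""Review an ad-redirect service's web logs for signs of phishing abuse.

Added example, not 7 Elements' or any ad network's own tooling. The log
format, the campaign registry and the sample lines are constructed for
illustration; adapt LOG_RE to the real redirector's access-log format.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed registry: campaign id -> destination host the advertiser
# configured for it. A redirect that lands anywhere else is suspicious.
CAMPAIGN_DESTINATIONS = {
    "cmp-1001": "shop.example-advertiser.com",
    "cmp-1002": "promo.example-brand.net",
}

# Constructed access-log lines: client IP, request line, status code and
# the Location header the redirector answered with.
SAMPLE_LOG = '''\
203.0.113.5 "GET /r?c=cmp-1001 HTTP/1.1" 302 "https://shop.example-advertiser.com/sale"
203.0.113.9 "GET /r?c=cmp-1002 HTTP/1.1" 302 "https://promo.example-brand.net/spring"
198.51.100.7 "GET /r?c=cmp-1002&u=https://office365-login.example-phish.xyz/ HTTP/1.1" 302 "https://office365-login.example-phish.xyz/"
198.51.100.8 "GET /r?c=cmp-9999 HTTP/1.1" 302 "https://sso-microsoft.example-phish.xyz/auth"
198.51.100.9 "GET /r?c=cmp-1001 HTTP/1.1" 302 "https://shop.example-advertiser.com/sale"
198.51.100.10 "GET /r?c=cmp-1001 HTTP/1.1" 302 "https://account-verify.example-phish.xyz/o365"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) "GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) "(?P<location>[^"]*)"$'
)


def review_redirect_log(log_text, registry=CAMPAIGN_DESTINATIONS):
    """Return (reason, client_ip, redirect_target) tuples for suspicious redirects."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a redirect request in the expected format
        params = parse_qs(urlsplit(m["path"]).query)
        campaign = params.get("c", [""])[0]
        dest_host = urlsplit(m["location"]).hostname or ""
        if "u" in params:
            # Assumed open-redirect parameter: the caller chose the
            # destination, so the campaign registry no longer constrains it.
            findings.append(("open-redirect parameter", m["ip"], m["location"]))
        elif campaign not in registry:
            findings.append(("unknown campaign id", m["ip"], m["location"]))
        elif dest_host != registry[campaign]:
            # Registered campaign, but the landing page has been changed,
            # e.g. via a compromised advertiser account.
            findings.append(("destination not registered for campaign", m["ip"], m["location"]))
    return findings


def top_offsite_hosts(findings):
    """Count the hosts victims were sent to, to prioritise takedown requests."""
    return Counter(urlsplit(location).hostname for _, _, location in findings)


if __name__ == "__main__":
    hits = review_redirect_log(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(top_offsite_hosts(hits))
```

The three checks are deliberately independent of what the landing page looks like: whether the destination hosts a fake Office 365 login or something else, a redirect that the advertiser never configured is the signal worth reviewing, and the hostname tally gives the network a list to report.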
The attackers are using legitimate services
It is not the first time attackers have used legitimate services to make their attacks harder to detect.
Attackers sometimes employ relatively low-tech tactics, many of which seem to be effective. In July, for example, Microsoft reported taking down 17 domains that a criminal syndicate operating out of West Africa had been using, together with stolen Office 365 credentials, to target individuals with BEC attacks.
Security researchers at Microsoft noted that the gang often used homoglyphs, characters that look alike, to fool users. For example, the attackers would replace the letter "O" with the digit 0, as in MICROSOFT.COM versus MICR0S0FT.COM, a swap that is easy for users to miss, the researchers said.
Criminals often gain access to legitimate accounts and spend weeks or months studying business processes and patterns before they strike, learning, for instance, who is authorized to make a wire transfer and when that person will be on vacation, which makes BEC attacks difficult to stop. Legitimate accounts let attackers impersonate key individuals, for example a vacationing CFO who tells the accounting department that he forgot to make a wire transfer and needs it sent immediately.
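Homoglyph domains are easy to miss by eye but easy to catch mechanically. The block below is an added example, not Microsoft's detection logic: it folds a sender domain into a "skeleton" by mapping lookalike characters (digit 0 for O, 1 for l, "rn" for m, Cyrillic letters for their Latin twins) back to their canonical form, then compares the result against a protected domain list, also allowing a one-character edit so that typosquats are caught too. The substitution table and the protected domains are assumptions chosen for the demonstration and would need tuning for a real mail filter.

```python
"""Flag sender domains that impersonate a protected domain via homoglyphs.

Added example, not Microsoft's or ISMG's code. The HOMOGLYPHS table and
PROTECTED set are illustrative assumptions.
"""
import unicodedata

# Sequences attackers substitute because they render alike on screen.
# Multi-character keys are applied first (see skeleton()).
HOMOGLYPHS = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u043e": "o",  # Cyrillic small o
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u0441": "c",  # Cyrillic small es
    "\u0440": "p",  # Cyrillic small er
}

# Domains whose mail we never want to see impersonated (assumed list).
PROTECTED = {"microsoft.com", "example-corp.com"}


def skeleton(domain):
    """Reduce a domain to a canonical form so that lookalikes collapse together."""
    d = unicodedata.normalize("NFKD", domain.lower())
    # Drop combining accents (e.g. "é" -> "e"); NFKD does not touch
    # Cyrillic letters, which is why the table maps them explicitly.
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    for src, dst in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        d = d.replace(src, dst)
    return d


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain, protected=PROTECTED):
    """Return 'trusted', 'lookalike' or 'unrelated' for a sender's domain."""
    if domain.lower() in protected:
        return "trusted"
    sk = skeleton(domain)
    for good in protected:
        good_sk = skeleton(good)
        if sk == good_sk or edit_distance(sk, good_sk) <= 1:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for d in ["microsoft.com", "MICR0S0FT.COM", "rnicrosoft.com",
              "micr\u043esoft.com", "micros0ft.co", "google.com"]:
        print(f"{d:20} -> {classify_sender_domain(d)}")
```

A "lookalike" verdict on the From domain is a strong reason to quarantine the message or at least to strip any payment instructions from it before it reaches accounts payable; an exact match on a protected domain should still be subject to DMARC, since lookalike detection says nothing about whether the mail was actually sent by that domain.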
Criminals look for partners
To find new victims, cybercriminals regularly post ads on cybercrime forums, including Russian-language forums, seeking partners, especially if they target businesses in North America or Europe, according to a report from threat intelligence firm Intel 471.
In February, for example, an actor who had obtained access to a custom Microsoft Office 365 domain posted on a Russian-language cybercrime forum seeking native English speakers to handle the social engineering elements of BEC attacks, Intel 471 reports.
Many BEC attacks are technically low-tech, but a campaign's spelling and grammar matter. "The use of proper English is very important to these actors because they want their messages to their victims – primarily high-level employees of a company – not to raise any red flags," Intel 471 says.
Stolen money then has to be laundered. Russian-speaking criminals have placed ads on cybercrime forums offering to launder sums as large as $250,000 through cryptocurrency tumblers, services that pool many transactions and pay the funds out in irregular installments, making them difficult to trace. Judging by the sums involved, the report says, the criminal was targeting relatively large businesses.
Defending yourself is essential
Proper defenses are essential to thwart BEC attacks.
The report notes that many BEC attacks rely on spoofed or lookalike email domains that differ from the real one by a single character, and neither compromise the victim's network nor execute malware. Preventing malicious emails from ever reaching end users therefore remains paramount.
Security experts recommend DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, as a defense. Implementing the standard, which builds on SPF and DKIM, helps organizations block spoofed and unauthenticated email.
To catch emails that do make it through, BankInfoSecurity recommends training employees to understand "the techniques threat actors employ and key indicators that an email or sender is fraudulent" or otherwise inauthentic.
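Publishing a DMARC record is not the same as enforcing one: a record with `p=none` only asks receivers to report spoofing, and an SPF record ending in `?all` authorizes nobody and everybody. The following added example, not a tool from BankInfoSecurity or ISMG, parses a domain's SPF and DMARC TXT records and lists the weaknesses a spoofer could exploit. DNS is replaced by a constructed in-memory table so it runs offline; the domain names and records in it are assumptions, and in production `lookup_txt` would wrap a real resolver such as dnspython's `dns.resolver.resolve(name, "TXT")`.

```python
"""Assess a domain's SPF and DMARC records for resistance to spoofing.

Added example, not BankInfoSecurity's or ISMG's code. FAKE_DNS stands in
for real DNS lookups; every name and record in it is constructed.
"""

# Constructed TXT records keyed by query name.
FAKE_DNS = {
    "weak.example.com": ["v=spf1 include:_spf.example.net ?all"],
    "_dmarc.weak.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example.com"],
    "strong.example.com": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.strong.example.com": [
        "v=DMARC1; p=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc@strong.example.com"
    ],
    "nodmarc.example.com": ["v=spf1 -all"],
    "partial.example.com": ["v=spf1 ~all"],
    "_dmarc.partial.example.com": ["v=DMARC1; p=quarantine; pct=25"],
}


def lookup_txt(name, dns=FAKE_DNS):
    """Return the TXT strings for a name; swap in a real resolver for production use."""
    return dns.get(name, [])


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into a dict of lower-cased tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, dns=FAKE_DNS):
    """Return human-readable weaknesses; an empty list means nothing obvious to exploit."""
    findings = []

    spf = [r for r in lookup_txt(domain, dns) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record: any host may send as this domain")
    else:
        # The final mechanism decides the fate of unlisted senders.
        last = spf[0].split()[-1].lower()
        if last not in ("-all", "~all"):
            findings.append(f"SPF ends with '{last}': unauthorized senders are not failed")

    dmarc = [r for r in lookup_txt("_dmarc." + domain, dns) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("no DMARC record: receivers are never told to reject spoofed mail")
        return findings

    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail lands in spam instead of being rejected")
    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.append(f"DMARC pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are discarded, so abuse goes unseen")
    return findings


if __name__ == "__main__":
    for name in ["weak.example.com", "strong.example.com",
                 "nodmarc.example.com", "partial.example.com"]:
        print(name, assess_domain(name) or ["OK"])
```

Run the same checks against your own domain and against the domains of suppliers whose invoices you pay: a supplier at `p=none` can be impersonated to your accounts-payable team no matter how strict your own records are.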
Recovery may be aided by quick reporting
If a U.S. business finds it has been a victim of BEC and has wired money to criminals, the FBI's IC3, which maintains a central repository of such complaints, can help.
One FBI agent credits IC3, for example, with alerting the Boston field office to a $1.8 million wire transfer after a business reported the fraudulent transaction. Thanks to that early notification, the field office was able to recover the entire sum.
Use SD-WAN to secure your business networks
SD-WAN stands for software-defined wide area network. It applies software-defined networking (SDN), which thousands of companies in the United States and elsewhere already use, to the WAN links that connect the various parts of a business.
SDN techniques let an organization manage its WAN connections more efficiently, whatever their type: broadband, 4G/LTE or private circuits. Traffic is carried over the public internet or over private links, connecting several business locations into one centrally managed network.