While ransomware attacks like those against Colonial Pipeline and Kaseya are grabbing headlines in 2021, the true kingpin of cybercrime remains phishing in its most sophisticated form: Business Email Compromise. Phishing and BEC constitute two sides of the same coin, whose illicit currency is built on tricking people over email into a malware-infested click or a more complex con.This 2-part article series on BEC attacks explains:
We’re seeing a simultaneous rise of both phishing and BEC attacks. The democratization of phishing, in combination with highly customized Business Email Compromise attacks, indicates that the phishing industry (and yes, it is an organized global industry) is expanding operations in both its generic mass-email format as well as its highly targeted variants. This has resulted in different kinds of BEC innovation that exploit existing systems and applications, on top of increasingly clever and well-planned BEC attacks.What is BEC?BEC is an advanced deception. It uses a sophisticated series of steps to ultimately trick someone into providing valuable information or moving money directly into the scammer’s bank account. BEC is also known as Email Account Compromise, Wire Transfer Fraud, and CEO Fraud because the scam often begins with someone posing as the CEO and ends with a fraudulent direct transfer of funds.The target can be anyone at the executive level. It’s hit private individuals, governments, companies, and celebrities alike. The FBI’s 2020 IC3 report, released in March 2021, reports BEC swindles organizations out of more money than any other form of cybercrime, by far. The FBI received 19,369 complaints with reported $1.8 billion in losses in America due to BEC in 2020. The numbers have been climbing dramatically with the pandemic and are likely higher in reality, as not all businesses report successful BEC attacks.In May 2021, the San Francisco chronicle reported that $650,000 was stolen from a charity for the poor in a month-long BEC attack that ultimately redirected an invoice payment to a fraudulent account.Generic phishing attacks also use email and social engineering, but their content is comparatively simple and random. Traditional phishing attacks are all about volume. Huge numbers of a single malicious email are blasted out; the attacker knows that some will trickle through security filters and into the inbox of someone prone to click on a malicious link or attachment.
The democratization of phishing has followed the recent explosion of PhishingKits. Their popularization, along with ransomware as a service, has contributed to the cybercrime as a service movement, which has removed technical barriers from phishing campaigns to make them possible for anyone, anywhere, to execute. Meanwhile, Business Email Compromise (BEC) attempts have doubled in the last three years. And that’s only the reported cases. Unfortunately, companies can be incentivized to hide such attacks in order to protect share price, brand image, and consumer trust. Many successful scams go unreported.Since a BEC attack hijacks a compromised account, it can be hard to recognize. Let’s go through a typical BEC attack flow and what each step means for you and the attacker.
The attacker performs reconnaissance and chooses who to target, from what company, and when. Some attackers even use widely known lead generation services to generate a pipeline of potential victims. Usually the attacker uses Open Source Intelligence (OSINT) techniques to scrape data from public sources, for example by manipulating google’s search engine techniques.Defense tip: Keep your personal information on the internet as restricted and private as possible. Social media, for example, is fertile ground for hackers gathering personal information that can and will be used against you. Keeping LinkedIn, Instagram, and Facebook profiles private makes it harder for them to find and use relevant information, such as your email and job description, or recent activities.
Once the attacker has your email address and other relevant information, they then validate the different target profiles and emails. Basically, they find out who has a valid and/or responsive email address. There can be multiple tactics in the validation phase, one of them being a simple blank email. Why? First, a blank email would trigger an automatic email response were it not valid, helping the attackers easily cross names off their list. Here is how that automatic response might look in the Microsoft Outlook email application:
Second, the attacker may enable the “Read-receipt” function to receive a digital receipt when the email is opened and “read.” They’ll know that email is live. Finally, if the target never responds to the email because of a mail flow rule, then it is also assumed that the email is valid and active.
After validating target emails and crossing out the unresponsive ones, it is time for the attacker to test their BEC technique and craft the email message. The goal of a spoofed BEC attack is to find the right time, tactic, and contextual information to trick the recipient into giving away credentials that will launch a BEC attack.
The attack chain outlined above is a spoofed BEC attack flow; it’s not the most dangerous BEC attack vector. If the attacker is able to extract email credentials from a victim, things get truly dangerous. This is the point at which the attacker enters a jungle of reconnaissance and hiding, sneaking through the system for as long as possible to gather valuable information as for future attacks. According to some reports the gap between an actual breach and its discovery can be up to 220 days. Read that again. 220 DAYS! That gives the attacker incredible leeway to steal sensitive information and to time, plan, and execute the attack. During this planning phase, the attacker maps the organization, its communication channels, org chart, and processes. All this information forms a powerful overview of the company and enables a potent tactical strike on the right person, at the right moment, with the right message. Essentially, being a ghost in a corporate system is like going to information-heaven for the attacker. Read the next part in the series to learn how to keep those ghosts from haunting your house.
*We are limiting our scope of discussion to BEC attacks and the email attack vector. There are multiple other horrible things that can be done if an attacker steals an employee's credentials, with a BEC attack being only one of them.