How to deal with BEC attacks - harlan4096 - 18 March 20
Quote:
Companies worldwide regularly fall victim to business e-mail compromise attacks. We explain the danger and how to minimize it.
Cybercriminals are constantly on the lookout for new ways to attack companies. In the past few years, they have increasingly resorted to business e-mail compromise (BEC) attacks that target corporate correspondence.
The US Internet Crime Complaint Center (IC3) alone reported 23,775 such incidents to the FBI in 2019 — an increase of 3,500 from 2018, plus a rise in damages from $1.2 billion to $1.7 billion.
What is a BEC attack?
A BEC attack is defined as a targeted cybercriminal campaign that works by:
1. Initiating an e-mail exchange with a company employee, or taking over an existing one;
2. Gaining the employee’s trust;
3. Encouraging actions that are detrimental to the interests of the company or its clients.
Usually, the actions relate to transferring funds to criminals’ accounts or sending confidential files, but not always. For example, our experts recently encountered a request that appeared to come from a company’s CEO, with instructions to send gift card codes in text messages to some phone number.
Although BEC attempts often employ phishing-style tricks, the attack is somewhat more sophisticated, with one foot in technological expertise and the other in social engineering. Moreover, the techniques used are one-of-a-kind: The messages contain no malicious links or attachments, but the attackers try to trick the mail client, and thus the recipient, into considering the e-mail legitimate. It’s social engineering that has the starring role.
A careful harvesting of data about the victim typically precedes an attack; the perpetrator later uses it to gain their trust. The correspondence may consist of as few as two or three messages, or it can last several months.
On a separate note, multistage BEC attacks, which combine various scenarios and technologies, are worth mentioning. For example, cybercriminals might first steal the credentials of an ordinary worker using spear phishing, and then launch an attack against a higher-ranking employee of the company.
Common BEC-attack scenarios
Quite a few BEC-attack scenarios already exist, but cybercriminals are forever inventing new ones. According to our observations, most cases are reducible to one of four variants:
Fake outside party. The attackers impersonate a representative of an organization that the recipient’s company works with. Sometimes it is a real company that the victim’s firm actually does business with. In other cases, the cybercriminals attempt to dupe gullible or inattentive victims by pretending to represent a bogus company.
Instructions from the boss. Here, the cybercriminals create a fake message in the name of a (usually high-ranking) manager using technical tricks or social engineering.
Message from a lawyer. The scammers write to a high-ranking employee (sometimes even the CEO) urgently and, above all, confidentially demanding funds or sensitive data. Often, they impersonate a contractor, such as an external accountant, supplier, or logistics company. However, most situations that require an urgent and confidential response are of a legal nature, so the messages are usually sent in the name of a lawyer or law firm.
E-mail hijack. The intruder gains access to the employee’s mail, and either issues an instruction to transfer funds or send data, or starts up a correspondence with those authorized to do so. This option is especially dangerous because the attacker can view messages in the outbox, making it easier to imitate the employee’s style of communication.
BEC-attack techniques
BEC attacks are also developing from a technological point of view. If in 2013 they used the hijacked e-mail accounts of CEOs or CFOs, today they rely increasingly on successfully imitating another person through a combination of technical subterfuge, social engineering, and inattentiveness on the part of the victim. Here are the basic technical tricks they employ:
E-mail sender spoofing. The scammer spoofs the mail headers. As a result, for example, a message sent from phisher@email.com appears to come from CEO@yourcompany.com in the victim’s inbox. This method has many variations, and different headers can be changed in various ways. The main danger of this attack method is that not only attackers can manipulate message headers — for a variety of reasons, legitimate senders can do it too.
Lookalike domains. The cybercriminal registers a domain name that is very similar to the victim’s. For example, examp1e.com instead of example.com. Next, messages are sent from the address CEO@examp1e.com in the hope that a careless employee will fail to spot the fake domain. The difficulty here lies in the fact that the attacker really does own the fake domain, so information about the sender will pass all traditional security checks.
Mailsploits. New vulnerabilities are always being found in e-mail clients. They can sometimes be used to force the client to display a false name or sender address. Fortunately, such vulnerabilities quickly come to the attention of infosec companies, allowing security solutions to track their use and prevent attacks.
E-mail hijacking. The attackers gain full access to a mail account, whereupon they can send messages that are almost indistinguishable from real ones. The only way to automatically protect against this type of attack is to use machine-learning tools to determine the authorship of the e-mails.
...
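The sender-spoofing and lookalike-domain tricks described in the quoted article can be screened for on the receiving side. The following is an added example, not code from the article or from Kaspersky: it parses a raw message, flags a Reply-To or Return-Path domain that differs from the visible From domain, and folds homoglyph substitutions (examp1e, rn for m) back to plain letters before comparing the sender domain with the organisation's own. ORG_DOMAIN, the sample messages and all addresses are assumed values.

```python
import unicodedata
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumed organisation domain
# Single-character look-alikes; digraphs (rn, vv) are handled in normalize_domain.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})

def normalize_domain(domain: str) -> str:
    """Fold common homoglyph tricks (examp1e.com, rn for m) back to plain letters."""
    d = unicodedata.normalize("NFKC", domain.lower()).replace("rn", "m").replace("vv", "w")
    return d.translate(CONFUSABLES)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch small edits such as exampel.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value: str) -> str:
    """Domain part of the first address in a header, or '' if there is none."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def analyze(raw: str) -> list:
    """Return the BEC indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    from_domain = domain_of(msg.get("From", ""))
    # Header spoofing: the visible From names one domain, the reply/return path another.
    for header, tag in (("Return-Path", "return-path-mismatch"), ("Reply-To", "reply-to-mismatch")):
        other = domain_of(msg.get(header, ""))
        if other and other != from_domain:
            findings.append(tag)
    # Lookalike domain: not ours, but folds or edits to ours (heuristic; tune the threshold).
    if from_domain and from_domain != ORG_DOMAIN:
        if normalize_domain(from_domain) == ORG_DOMAIN or edit_distance(from_domain, ORG_DOMAIN) <= 2:
            findings.append("lookalike-domain")
    return findings

# Constructed sample messages (hypothetical addresses, not taken from the article).
LOOKALIKE_MSG = "From: CEO <CEO@examp1e.com>\r\nTo: accounts@example.com\r\n\r\nWire the funds today.\r\n"
SPOOFED_MSG = ("Return-Path: <phisher@email.com>\r\nFrom: CEO <CEO@example.com>\r\n"
               "Reply-To: <phisher@email.com>\r\nTo: accounts@example.com\r\n\r\nSend the gift card codes.\r\n")
LEGIT_MSG = "From: Alice <alice@example.com>\r\nTo: bob@example.com\r\n\r\nMinutes attached.\r\n"

if __name__ == "__main__":
    for m in (LOOKALIKE_MSG, SPOOFED_MSG, LEGIT_MSG):
        print(analyze(m))
```

The hijacked-account case the article lists last produces none of these indicators, since the message really does come from the legitimate domain; that is why the text points to authorship analysis rather than header checks for it.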