Business Email Compromise (BEC) , Cyber Insurance , Cybercrime

Attackers Keep Refining Business Email Compromise Schemes

Tactics Include Subverting Advertising Redirect Services, Hiring English Speakers
Attackers Keep Refining Business Email Compromise Schemes
A recent phishing email, as displayed to a recipient, uses a modified redirect service URL - appended here to bottom of image - leading to a fake Office 365 login page designed to steal their credentials. (Source: 7 Elements)

Why reinvent the wheel? Business email compromise attacks, aka CEO fraud, continue to be one of the most dominant types of online-enabled crime because such scams remain highly lucrative.

See Also: On Thin ICES: Augmenting Microsoft 365 with Integrated Cloud and Email Security

For criminals, the lure of BEC attacks is obvious: When they succeed, attackers will have tricked an individual, preferably inside a larger business, into transferring money directly into an attacker-controlled account. In a successful attack, criminals can walk away with tens of millions of dollars, while executives who failed to spot or prevent such attacks may get the sack.

The FBI, in its latest annual Internet Crime Report, says its Internet Crime Complaint Center, aka IC3, had received a record-setting number of fraud reports, in which phishing attacks and BEC fraud were the leading causes.

From 2019 to 2020, the FBI said reported BEC losses rose from $1.7 billion to $1.8 billion, for an average loss of $92,932.

During the first half of this year, cyber insurance provider Coalition reports that BEC attacks were the most common claim filed by policyholders, accounting for 23% of all reported incidents, which was an increase of 51% compared to the first half of 2020. "BEC incidents continue to be the most widespread as email is the dominant attack surface of most organizations," Coalition says, noting that in the first half of this year, the average BEC claim was $37,000.

Advertising Redirect Service Subverted

To give their efforts a greater chance of success, fraudsters regularly refine their tactics. Throughout the pandemic, BEC attacks with a COVID-19 theme have surged.

Subverting legitimate services also remains a favored tactic for helping attacks succeed.

"I've noticed an increase in BEC phishing emails using redirect services to hide the phishing landing page," says incident response expert David Stubley, who heads Edinburgh, Scotland-based security testing firm and consultancy 7 Elements.

Redirect services are set up by advertisers to support a campaign for a customer. Whenever a user clicks a link, it goes to a customer-defined destination, which typically will be a landing page for whatever product or service is being sold.

"These are legitimate in the sense that they are in place to support multiple ad campaigns, but clearly, when identified by malicious actors, they can be repurposed," Stubley tells Information Security Media Group.

The new campaign he recently spotted, for example, redirected individuals to a fake Office 365 site set up to steal their access credentials.

To defend against redirect services that may have been subverted by attackers, he says advertising networks need "ideally to be restricting redirected URLs to an 'allowlist' that gets set dynamically by each customer." For any such organization that runs a redirect service, he also recommends they "review web logs to check for malicious use."

David Stubley said he was able to take a URL generated by an advertising redirect service and modify it to send anyone who received it and clicked on it to an arbitrary site, such as his own business's website.

Stubley says he's been attempting to alert the advertising network that it's being subverted by BEC attackers as part of a phishing campaign.

Attackers Leverage Legitimate Services

This is hardly the first time attackers have used legitimate services to make their attacks more difficult to spot.

In June, Microsoft reported disrupting a campaign that used phishing emails sent from web service providers' addresses that contained both a voice message lure and an HTML attachment with JavaScript that mirrored a Microsoft login page. This was done in an effort to try to evade defenses and trick users.

Sometimes, attackers use relatively low-tech tricks, many of which apparently also work. In July, for example, Microsoft reported taking down 17 domains that were being used by a criminal syndicate operating out of West Africa, together with stolen Office 365 credentials, to target individuals with BEC attacks.

Security researchers at Microsoft said the gang often used homoglyphs - characters that appear similar - to help fool users. For example, attackers would replace the letter "O" with the number 0 - so, MICROSOFT.COM vs. MICR0S0FT.COM - which is easy for users to spot, they said.

One challenge for stopping BEC attacks is that criminals often gain access to legitimate accounts and may spend weeks or months studying business processes and regular habits - for example, who's authorized to make a wire transfer, who's going to be on vacation - before striking. Using legitimate accounts enables attackers to impersonate key individuals - for example, a vacationing CFO who claims to the accounting department that he's forgotten to make a specified wire transfer and needs to do so immediately.

Criminals Seek Partners

As criminals seek new ways to amass fresh victims, they regularly take to cybercrime forums - including Russian-language forums - to advertise for partners, especially if they're targeting businesses in North America or Europe, according to a new report from threat intelligence firm Intel 471.

Source: Coalition

For example, Intel 471 reports, "In February, an actor on a popular Russian-language cybercrime forum announced he was searching for a team of native English speakers for the social engineering elements of BEC attacks after they had obtained access to custom Microsoft Office 365 domains."

Many BEC attacks are relatively low-tech, but proper spelling and grammar can make or break a campaign. "The use of proper English is very important to these actors, as they want to ensure the messages they send to their victims - mainly high-level employees of an organization - do not raise any red flags," Intel 471 says.

Laundering stolen funds is another challenge. Intel 471 says one Russian-speaking criminal placed "an ad on a cybercrime forum, looking to launder sums as large as $250,000 through a cryptocurrency tumbler - a service that blends multiple transactions and disperses money to intended recipients in incomplete installments, which makes it significantly more difficult to trace." The amount of money being moved, it says, suggests that the criminal was hitting relatively large businesses.

Essential Defenses

Having proper defenses in place can, of course, help to blunt BEC attacks.

Noting that "many BEC attacks do not require access to a victim's network, use no malicious payload and simply may employ a spoofed email domain with a single letter differing from that of the business being targeted," Intel 471 says preventing malicious emails from ever reaching end users remains paramount.

One defense regularly recommended by security experts is to use DMARC, which stands for domain-based message authentication, reporting and conformance. The standard can help organizations block spoofed and unverified emails.

To arrest emails that do get through, Intel 471 notes that training employees so they have "awareness of the techniques threat actors employ and key indicators that an email or sender is fraudulent or inauthentic" also is essential.

Victims' reported losses in 2020 based on type of crime (Source: FBI)

Quick Reporting May Aid Recovery

If a U.S. business finds that it has fallen victim to a BEC attack and moved money to criminals via wire transfer, the FBI recommends immediately reporting that theft to IC3, which maintains a centralized repository of all such attacks.

One FBI agent's testimonial, for example, notes that after a business reported such a transfer, "IC3 proactively reached out to the Boston field office to alert us to a $1.8 million wire," and that "based on the early notification," the field office "was able to take the necessary steps to successfully recover the entire amount on behalf of the victim."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.