Business email compromise (BEC) is a low-cost, effective cyber crime tactic that has increased within the past few years. BEC puts any company that manages financial transfers and payments at risk.
Consider this: recent research shows that, on average, more than 6,000 organizations were targeted by BEC emails each month from July 2018 to June 2019. Businesses also received an average of five BEC scams per month during this time period.
In fact, one study showed that cyber insurance claims from BEC attacks were actually higher than those from ransomware incidents (23% vs 18% of incidents in 2018). Additionally, the 2018 FBI Internet Crime Report found 20,373 complaints related to BEC.
Let’s look at why these types of inexpensive, low-effort attacks are on the rise and how your business can stay protected.
What is business email compromise?
Business email compromise is a social engineering scam, typically targeting a company’s financial and procurement departments, that attempts to initiate a financial transfer to an attacker-controlled account.
Tricks to obtain account credentials and facilitate this type of transfer include:
Invoice payment requests
- Attackers may use a legitimate or falsified invoice from one of your vendors or suppliers to request a payment to an account they control.
- Attackers may pose as your CEO (or another high-ranking executive) in order to request a payment to an account they control.
These types of tricks or lures are designed for credential harvesting: attempts to grab user IDs and passwords using a range of social engineering techniques. Spear phishing is often used in credential harvesting to gain access, sending emails specifically to an individual at a business or organization to trick the recipient into sharing sensitive information or taking an action through links to malicious websites or attachments.
Tactics to produce transfers and payments
Once an attacker has established access, they will often search the account(s) for emails or data that could be repurposed to solicit a payment. The legitimate account(s) are then used to correspond with internal or external contacts in order to initiate a payment.
Here are a few tactics frequently used:
Inbox forwarding rules
- Attackers create rules that will forward all (or selected) emails to an attacker-controlled account. Even if the password for the compromised account is changed, attackers can still maintain access to email content. For example, an attacker might create a rule to forward all emails with the subject “invoice” or from a specific sender address (e.g. the email address of a client of the compromised company). Attackers may also create rules to hide correspondence between the account and other victims (both internal and external).
Typo-squatting
- Typo-squatting is the process of creating a domain that appears similar to the domain of a legitimate service or company (e.g. g0ggle.com). In spear phishing, attackers often use these domains together with credential harvesting interfaces: fraudulent login pages used to collect credentials from unsuspecting users. In financial redirection attacks, attackers may use these domains to continue correspondence after access to a compromised account has been lost.
- Our Field Effect team analyzed one typo-squatted domain case where, once the password on a victim account had been changed, the attacker registered a domain similar to the targeted company's and continued to solicit false payments from the targeted company's client.
Lateral movement
- Lateral movement refers to the techniques attackers use to move between corporate assets during a compromise (e.g. workstations, accounts, etc.). In a BEC attack, an attacker will often use access to a legitimate account to compromise other accounts in the organization or move on to its clients.
- In several cases of lateral movement, our Field Effect analysis showed that an attacker would send spear phishing emails to colleagues and clients of a compromised employee to gain access to a department or individual (e.g. an employee in payroll or a procurement officer) or an entirely new target (e.g. a partner organization of the original compromised employee). Attackers may also distribute malware to other victims on the network (if not already used in the initial exploitation).
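The inbox-rule persistence and hiding tactics described above leave a trace in the mailbox audit log. The following is an added example (not Field Effect's tooling) that scores constructed audit events shaped like Microsoft 365 `New-InboxRule`/`Set-InboxRule` records; the internal domain, addresses, keyword lists and folder names are assumptions to tune per tenant.

```python
from typing import Dict, List, Tuple

# Constructed audit events shaped like Microsoft 365 Unified Audit Log records for
# New-InboxRule / Set-InboxRule (assumption: Parameters is a list of Name/Value pairs).
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "alice@corp.example",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice"},
                    {"Name": "ForwardTo", "Value": "collector@mail.example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@corp.example",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@corp.example",
     "Parameters": [{"Name": "Identity", "Value": "Clients"},
                    {"Name": "From", "Value": "accounts@client.example"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
]

INTERNAL_DOMAINS = {"corp.example"}                      # assumption: your own mail domains
FINANCE_WORDS = {"invoice", "payment", "wire", "remittance", "bank"}
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "deleted items", "junk email"}
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
CONDITION_KEYS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords", "From")

def _is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def score_rule_event(event: Dict) -> List[str]:
    """Return the reasons an inbox-rule audit event looks like BEC persistence or hiding."""
    if event.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = {x["Name"]: x["Value"] for x in event.get("Parameters", [])}
    reasons = []
    for key in FORWARD_KEYS:                                 # mail leaving the tenant
        if key in p and _is_external(p[key]):
            reasons.append(f"{key} to external address {p[key]}")
    conditions = " ".join(p.get(k, "") for k in CONDITION_KEYS).lower()
    if any(w in conditions for w in FINANCE_WORDS):          # rule targets payment traffic
        reasons.append("condition matches finance keywords")
    if p.get("DeleteMessage") == "True" or p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append("rule deletes or hides matching mail")
    if not p.get("Name", "x").strip(" ."):                   # blank or dot-only rule names
        reasons.append("rule name is blank or punctuation only")
    return reasons

def find_suspicious_rules(events: List[Dict]) -> List[Tuple[str, List[str]]]:
    hits = [(e["UserId"], score_rule_event(e)) for e in events]
    return [(user, reasons) for user, reasons in hits if reasons]
```

Alice's rule trips every check; Carol's only the hiding-folder check, which is still worth a look because legitimate mail is rarely routed to RSS Subscriptions.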
How can Field Effect ensure your business is protected?
With little cost and effort, BEC attacks can be executed against a target very quickly. Our Field Effect team recently managed an incident response case where the attacker had registered a typo-squatted domain to continue correspondence after the attacker had lost access to an account. Analysis of the domain registrant details revealed that the same email/registrant had been used to register similar domains for five other companies within a 30-day window of the incident we were investigating. The attacker even brazenly included victim information within the registrant details (e.g. using the company name of a victim and a compromised email as the contact details).
At Field Effect, we provide incident response and cloud monitoring services that can not only analyze the cause and extent of BEC attacks, but prevent future attacks. Our services will identify how the attacker gained access to launch the attack and also help you put preventive measures in place to stay ahead of attack attempts and keep your network secure.
Our team of cyber security analysts provides automated alerting to signal when inbox rules have been created on accounts. Our cloud analytics provide notification when potential typo-squatting domains have been registered that resemble domains you own. These also monitor for authentication events to your user accounts from outside your company’s service/geographic area or from low-reputation IPs (e.g. IPs or providers that have been used as part of malicious activity in the past).
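The typo-squat notification described above boils down to comparing newly registered domains against the ones you own. The following is an added example, not Field Effect's analytics, that flags the lookalike patterns this post mentions (character swaps such as g0ggle, dropped letters, your brand embedded in a longer name, and the same name under another TLD); the owned domain and the registration feed are constructed, and the homoglyph table and two-part domain split are assumptions.

```python
# Constructed inputs: the domain the organisation owns and a feed of newly registered
# domains (invented names; in practice this feed would come from zone files or CT logs).
OWNED_DOMAINS = ["northwind.example"]
NEW_REGISTRATIONS = [
    "n0rthwind.example",           # digit-for-letter homoglyph
    "northwnd.example",            # one character dropped
    "northwind-invoices.example",  # brand embedded in a longer label
    "northwind.test",              # same label, different TLD
    "weathernews.example",         # unrelated registration
]
# Character sequences commonly swapped in lookalike domains, folded to their ASCII twin (assumption).
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}

def normalize(label):
    out = label.lower().replace("-", "")
    for seq, repl in HOMOGLYPHS.items():
        out = out.replace(seq, repl)
    return out

def edit_distance(a, b):
    """Plain Levenshtein distance using a rolling-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_reasons(candidate, owned):
    if candidate.lower() == owned.lower():
        return []                                     # it is our own registration
    c_label, _, c_tld = candidate.lower().partition(".")   # assumes label.tld names
    o_label, _, o_tld = owned.lower().partition(".")
    if c_label == o_label and c_tld != o_tld:
        return ["same label under a different TLD"]
    if normalize(c_label) == normalize(o_label):
        return ["homoglyph or hyphen variant of the label"]
    if edit_distance(c_label, o_label) == 1:
        return ["one character edit away from the label"]
    if o_label in c_label:
        return ["label embeds the brand name"]
    return []

def flag_registrations(new_domains, owned=OWNED_DOMAINS):
    flagged = {}
    for d in new_domains:
        reasons = [r for o in owned for r in lookalike_reasons(d, o)]
        if reasons: flagged[d] = reasons
    return flagged
```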
Through our cloud monitoring capabilities, we can provide real-time alerting for suspicious events across your cloud solutions.
Do you have questions about monitoring your cloud solutions? Have you experienced a compromise and need to find out how it happened, remediate the damage, and put effective security measures in place? We can help. Reach out to us today at firstname.lastname@example.org.