96 percent of organisations were targeted by Business Email Compromise (BEC) attacks in the second half of 2017, largely because such attacks carry no malicious payload or attachment and because hackers proved highly successful at deceiving employees through social engineering.
In the past decade, organisations across the world had to grapple with targeted attacks that involved hackers injecting malicious attachments or URLs on e-mails to take control over enterprise IT systems or to target them with ransomware. Such attachments and links were cleverly disguised by making them appear as official documents, thereby luring employees to click on such URLs or to download infected attachments.
To tackle the threat, organisations began deploying advanced e-mail security solutions such as Secure Email Gateways (SEG), Advanced Threat Protection (ATP) and Targeted Attack Protection (TAP) to identify and quarantine e-mails containing malicious links and attachments. However, this defence did not hold for long, as hackers were ready with their next big surprise.
The new weapon in their arsenal, named the Business Email Compromise attack by security researchers, was unique in that, unlike the phishing scams of the past, it involved no malicious code or URLs. According to Javvad Malik, security advocate at AlienVault, these attacks "rely on social engineering tactics, so there is typically no malicious payload. These emails, appearing to originate from a legitimate partner or senior executive, give instructions to recipients to make payments or ship goods".
While phishing scams were mostly used to infect enterprise IT systems with spyware, ransomware and other types of malware, Business Email Compromise attacks are used to lure employees into transferring money to accounts the hackers control, or into performing other tasks that serve the hackers' motives.
This new mode of email-based attack has been so successful that after analysing more than a billion e-mails that were considered safe by conventional security technologies, security firm Agari found that 96 percent of organisations were targeted by such attacks in the second half of 2017.
In fact, the FBI announced last year that between October 2013 and December 2016, organisations across 131 countries suffered as many as 40,203 successful Business Email Compromise attacks which cost them £3.74 billion in total.
"The BEC/EAC scam continues to grow, evolve, and target small, medium, and large businesses. Between January 2015 and December 2016, there was a 2,370 percent increase in identified exposed losses. The scam has been reported in all 50 states and in 131 countries. Victim complaints filed with the IC3 and financial sources indicate fraudulent transfers have been sent to 103 countries," the FBI noted.
According to researchers at Agari, there are three common types of Business Email Compromise attack: deception, domain spoofing, and look-alike domains. The first involves hackers using deceptive sender names to impersonate people known to the victim; domain spoofing involves hackers forging a legitimate sending domain along with its delivery path.
Look-alike domain attacks involve hackers using deceptive-looking domains which either look similar to domains that are being impersonated or domain names that appear authentic, like “homerefi-source.online” or “adjust-refinance.online”. Since traditional email security solutions were developed primarily to detect e-mails that contained malicious attachments and URLs, hackers have been able to evade them by using Business Email Compromise attacks on a large scale.
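As an added illustration of the three patterns Agari describes (not code from the article or from Agari), the following classifier inspects a message's From header and its authentication results and labels it as domain spoofing, a look-alike domain, or display-name deception. The protected domain, the executive directory and the sample headers are all constructed for the example.

```python
"""Flag the three BEC patterns from a From header and the Authentication-Results
line: domain spoofing, look-alike domains and display-name deception."""
from email.utils import parseaddr
import difflib

TRUSTED_DOMAIN = "example.com"                    # assumed: the protected organisation
EXECUTIVES = {"alice ceo": "alice@example.com"}   # constructed: display name -> real mailbox
# Digits commonly substituted for letters in look-alike names, plus hyphen padding.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": ""})


def _label(domain: str) -> str:
    """Left-most label with confusable characters folded back (examp1e -> example)."""
    return domain.lower().split(".")[0].translate(CONFUSABLES)


def is_own_domain(domain: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    return domain == trusted or domain.endswith("." + trusted)


def looks_alike(domain: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True when the domain imitates the trusted one without actually being it."""
    if is_own_domain(domain, trusted):
        return False
    cand, real = _label(domain), _label(trusted)
    if real in cand:                       # examp1e.com, example-secure.com, example.co
        return True
    # Transpositions and single-character edits (exmaple.com) score high here.
    return difflib.SequenceMatcher(None, cand, real).ratio() >= 0.8


def classify(from_header: str, auth_results: str) -> str:
    """Return the BEC pattern the headers match, or a benign verdict."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    authenticated = "dmarc=pass" in auth_results.lower()
    if is_own_domain(domain):
        # Our own domain in From but failing DMARC means the sending domain was forged.
        return "legitimate" if authenticated else "domain spoofing"
    if looks_alike(domain):
        return "look-alike domain"
    expected = EXECUTIVES.get(" ".join(name.lower().split()))
    if expected and expected.lower() != addr.lower():
        return "display name deception"    # a known person's name over a foreign mailbox
    return "no BEC pattern"


if __name__ == "__main__":
    print(classify("Alice CEO <alice.ceo@gmail.com>", "spf=pass dmarc=pass"))
```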
According to Javvad Malik, since these attacks have rendered traditional email security solutions virtually useless, organisations need to train employees to look out for and identify suspicious emails that make out-of-the-ordinary requests. From a broader organisational perspective, it is important to have procedural controls that segregate duties so that no single employee's error can complete a payment: one employee should not be able to make new payments on their own without a second pair of eyes.
"The final set of controls would be threat detection and response, coupled with threat intelligence that can help organisations gain insight into where attacks are typically originating from and take measures to block, or detect and respond as soon as an attack is launched," he adds.
Similarly, Tim Helming, director of product management at DomainTools, says that for organisations, "it is better to slow down a legitimate request than to comply with a fraudulent one". He adds that employees must double check emails before acting upon any of the content, particularly regarding financial transfers or decisions.
Lee Munson, security researcher for Comparitech.com, also said that in the absence of effective technical countermeasures against BEC attacks, staff training and awareness are of paramount importance to organisations.
"By highlighting how senders' email addresses can be spoofed, the types of accounts these attackers typically ask money to be transferred to, the sense of urgency in the messages and the difference in writing styles between a stranger and a colleague previously communicated with, employees will find themselves able to identify most such scams and will have the confidence to question all such requests," he says.