Hackers turn to SMS messaging to carry out BEC scams

News by Rene Millman

Hackers carrying out business email compromise attacks are now trying to find out a victim's mobile phone number in order to initiate such attacks, according to new research.

According to a blog post published by email security company Agari, criminals are sending messages to potential victims claiming to be their CEO. Once a recipient replies with their mobile phone number, the actor is immediately placed in a strong position.
"They’ve minimised the risk of the initial display name deception being noticed, and they have established a method of communication that, by its very nature, places greater expectations to make a more instantaneous reply than that of its email counterpart," said researchers.
Researchers said that in the US it costs no more than a few dollars (pounds) to set up a temporary US-based number, and there are many legitimate services which provide numbers relating to any state, and even any country, available both online and on Google and Apple’s respective app stores.
They added that using a US number also enables the actor to create a Google Voice number, which still proves to be extremely popular with non-US based cyber-gangs. 
"Features such as being able to create personalised greetings that can be assigned to specific callers makes the use of multiple personas easy to manage. You can also send and receive SMS messages directly from a computer, allowing the actor to remain within the environment from which they run the majority of their operations," said researchers.
Scammers then direct victims to buy gift cards and send them the codes via text. When the hackers have the codes, these are then converted into bitcoins via online marketplaces such as Paxful. The bitcoins are then laundered into money for the hackers.
Researchers at Agari said that to avoid becoming a victim, recipients should first check the sender’s email address and insist on a brief call before making purchases on behalf of someone else.
"As a final safety net, share concerns with a colleague or friend, especially if pressure is increased in unusual ways. As always, it’s better to be safe than sorry when dealing with these types of emails," researchers said.
Craig Parkin, associate partner, Citihub Consulting, told SC Media UK that using SMS rather than email is another attack vector being used by cyber-criminals but the aim is the same - to catch someone off guard and have them perform an action that may give the criminals access to data or control of the device.
"If firms are providing mobiles or allowing the use of personal mobile devices to access company information, there are many things a firm can and should do to secure the data on these devices. However, this might only allow certain mobiles that are up to date. Data residence and access should have appropriate levels of increased protection. Perhaps the best, and coincidentally the most difficult thing an organisation can do, is to raise the security awareness of the organisation so that its employees are aware that security attacks can come from anywhere," he said.
Corin Imai, senior security advisor at DomainTools, told SC Media UK that it would not be surprising to see criminal campaigns running over Slack or Skype. "Attackers are very clever when it comes to thinking about different ways to create a false sense of security in their victims, be that impersonating a trusted brand, another employee, and even choosing messaging platforms that feel more personal."
"The best advice against these attacks is to apply the same rules that apply to email phishing: not rush into clicking on links and always refrain from disclosing any personal information without ascertaining the legitimacy of the sender," she said.
