How to combat Business Email Compromise

While Trojans, DDoS attacks and ransomware have dominated the news of late, another threat has risen sharply but kept a relatively low public profile. Business Email Compromise (BEC), also commonly but inaccurately known as 'CEO Fraud', has become one of the most serious threats to organisations over the last two years. The FBI estimates that the global cost of reported BEC incidents to businesses to June 2016 was US$ 3.1 billion (£2.4 billion).

Attacks of this nature vary significantly in sophistication, but the basic aim and process remain constant; the attackers impersonate an individual in the organisation to convince another individual to transfer money to an account controlled by them.

The criminal first gains access to the email account of an individual they suspect to be involved in financial transactions in a company. This may be done using off-the-shelf key logging tools such as Hawkeye or Predator Pain, for example. The criminals then initiate a new email conversation or hijack an existing one to make changes to invoicing details or request that a payment be transferred to an account controlled by them.

Some attacks may involve registering typosquatting domains, which are very similar to legitimate domains and designed to imitate legitimate organisations. These domains may simply contain common spelling mistakes or use letter combinations such as replacing the letter m with the letters r and n. While attacks of this nature don't require compromise of email accounts, they still pose a threat to organisations.

Conversely, some examples of BEC have proven complex in their execution, with perpetrators demonstrating knowledge of the business relationships between victim organisations and their clients or suppliers. These attacks can employ techniques such as interception of emails to hijack existing invoicing and payment processes and create exceptionally convincing forged documents, including the presence of signatures of company senior executives.

In a recent case investigated by Context, fraudsters impersonated email belonging to multiple parties in different organisations already engaged in a conversation regarding payments and invoicing. By impersonating these individuals, the fraudsters not only succeeded in redirecting substantial sums of money into accounts controlled by them, but also attempted to delay and mislead internal investigations into the missing funds.

Rise in popularity

BEC has been around for some time but there are several factors that have contributed to this new-found prevalence. While companies have become better prepared to deal with more common cyber threats, BEC incidents often don't involve malicious software, which makes them harder to detect.

Moreover, as the acts of impersonation and theft require limited technical skills, the bar to entry for criminals is lower. Compromised credentials can be bought readily on underground forums or extracted from public password dumps. Even in instances where malicious key-logger tools are used, these are often sold for trivial sums of money, around £30, and come with builders, which enable even unskilled attackers to produce samples that are difficult for antivirus software to detect due to packing routines or obfuscation.

Perhaps the most important factor is that the attacks exploit weaknesses in the way many organisations, especially small and medium-sized enterprises, handle payments and use the victim organisation's internal processes to the attacker's advantage.

In the cases of conventional banking trojans, attackers can often only obtain relatively small sums of money per transaction without triggering fraud warnings at banks. In the case of Business Email Compromise, the individuals normally involved in making financial transactions become the proxies for the theft, bypassing bank security measures and restrictions designed to reduce the likelihood of theft. Therefore, incidents can result in losses of hundreds of thousands of pounds per transaction.

Defence mechanisms

Cyber-security often appears unapproachable and unattainable for SMEs or businesses with limited resources, but these companies face the same risks as larger enterprises. There are a series of measures that even the smallest companies can put in place to help better protect themselves against BEC:

· Educating and training staff about the threat is vital. This is an issue all employees need to be aware of, not just a select few.

· Implementing a defined payment process and ensuring it is adhered to. This may include a multi-layered authentication and approval process for all wire transfers.

· To help combat typosquatting, organisations can register similar domain names that are variations of their own company name.

· Implementing stricter identity controls that protect the details of key financial employees.
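The typosquatting technique described earlier (letter combinations such as "rn" standing in for "m", or a single dropped or swapped letter) and the advice above to register variations of your own domain both come down to the same question: which domains look like ours, and is this sender one of them? The following Python script is an added example written for this article, not code from Context or the author. It enumerates near-neighbour variants of a domain (the list you would consider registering or watching), folds confusable sequences so a lookalike compares equal to the real domain, and applies three header checks to a constructed sample message: a lookalike sender domain, an executive's display name on an external address, and a Reply-To that points somewhere other than the From domain. The organisation domain, executive names, confusable table and sample email are all constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: an inbound message that impersonates a finance executive
# from a lookalike of the organisation's domain ("rn" standing in for "m").
SAMPLE_EMAIL = """\
From: "Jane Doe" <jane.doe@exarnple.com>
Reply-To: accounts@mailbox-provider.example
To: payments@example.com
Subject: Urgent: updated invoice details

Please use the new bank details for this month's invoice.
"""

# Assumed organisation data: the genuine domain(s) and the names an attacker would borrow.
OUR_DOMAINS = {"example.com"}
EXECUTIVE_NAMES = {"jane doe", "john smith"}

# Letter sequences that read like another letter in many fonts (illustrative, not exhaustive).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def canonicalize(domain: str) -> str:
    """Fold confusable sequences so a lookalike compares equal to the real domain."""
    d = domain.lower().strip()
    for seq, letter in CONFUSABLES.items():
        d = d.replace(seq, letter)
    return d


def typosquat_variants(domain: str) -> set[str]:
    """Enumerate near-neighbour names of a domain's first label: omitted, doubled,
    transposed and confusable-substituted letters. These are the candidates to
    register defensively or to watch for in inbound mail."""
    label, _, rest = domain.lower().partition(".")
    variants = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])                        # omission
        variants.add(label[:i] + label[i] + label[i:])                 # doubled letter
        if i + 1 < len(label):                                         # transposition
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for seq, letter in CONFUSABLES.items():                            # m -> rn, w -> vv, ...
        if letter in label:
            variants.add(label.replace(letter, seq))
    variants.discard(label)
    return {f"{v}.{rest}" for v in variants}


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; catches one-character omissions, swaps and typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, legit_domains=OUR_DOMAINS) -> bool:
    """True when the domain is not ours but folds to, or sits one edit from, one of ours."""
    dom = domain.lower()
    if dom in legit_domains:
        return False
    return any(canonicalize(dom) == canonicalize(real) or edit_distance(dom, real) <= 1
               for real in legit_domains)


def analyse_message(raw: str) -> list[str]:
    """Return the BEC indicators found in a raw RFC 822 message's headers."""
    msg = message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    findings = []
    if is_lookalike(from_domain):
        findings.append(f"lookalike sender domain: {from_domain}")
    if display_name.strip().lower() in EXECUTIVE_NAMES and from_domain not in OUR_DOMAINS:
        findings.append(f"executive display name on an external address: {display_name!r}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to:
        reply_domain = reply_to.rpartition("@")[2].lower()
        if reply_domain != from_domain:
            findings.append(f"Reply-To domain differs from From domain: {reply_domain}")
    return findings


if __name__ == "__main__":
    for finding in analyse_message(SAMPLE_EMAIL):
        print("INDICATOR:", finding)
    print("variants to register or watch:", sorted(typosquat_variants("example.com")))
```

The variant list is deliberately the attacker's view of your domain turned into a defender's checklist: the same names you would consider registering are the ones a mail filter should treat as suspicious when they appear in From or Reply-To. The three header checks are crude on their own, so treat any hit as a reason to verify the request outside email rather than as proof of fraud.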

Most importantly, BEC victims often say that they felt uneasy during the fraudulent transaction and regret not acting on their instincts. If you suspect there is an issue, act on those instincts: validate the identity of the individuals and the legitimacy of the transaction, ideally by running additional checks outside of email, and report your suspicions upwards. Don't wait until it's too late.
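The multi-layered approval process recommended above, together with the advice to validate a transaction outside of email, can be written down as rules that a payment system enforces rather than relying on someone feeling uneasy at the right moment. The Python below is an added example for this article, not code from Context or the author, and the vendor record, approval tiers and scenarios are all constructed. It releases a payment only when the beneficiary details match the vendor master record, or a change to them was confirmed by phoning the number captured at onboarding (never a number supplied in the same email as the change); when the required number of distinct approvers for the amount is present; and when the person who raised the request is not also approving it.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed vendor master record: bank details and a contact number captured at
# onboarding. The callback number is the one on file, not one taken from an email.
VENDOR_MASTER = {
    "ACME Supplies": {"account": "GB00EXAM00000000000001", "callback_phone": "+44 20 0000 0000"},
}

# Assumed approval policy: (amount ceiling, distinct approvers required).
APPROVAL_TIERS = [(10_000, 1), (100_000, 2), (float("inf"), 3)]


@dataclass
class PaymentRequest:
    vendor: str
    account: str
    amount: float
    requested_by: str
    approvers: List[str] = field(default_factory=list)
    # Record of the out-of-band check: which number was dialled and whether the vendor confirmed.
    callback_number: Optional[str] = None
    callback_confirmed: bool = False


def required_approvers(amount: float) -> int:
    """Number of distinct approvers the policy demands for this amount."""
    for ceiling, count in APPROVAL_TIERS:
        if amount <= ceiling:
            return count
    return APPROVAL_TIERS[-1][1]


def evaluate(req: PaymentRequest) -> Tuple[bool, List[str]]:
    """Return (release_allowed, reasons); every failed control contributes a reason."""
    reasons = []
    record = VENDOR_MASTER.get(req.vendor)
    if record is None:
        reasons.append("unknown vendor")
    elif req.account != record["account"]:
        # Changed bank details are accepted only after a callback to the number on file.
        verified = req.callback_confirmed and req.callback_number == record["callback_phone"]
        if not verified:
            reasons.append("bank details differ from vendor master and were not "
                           "confirmed by callback to the number on file")
    distinct = set(req.approvers)
    if req.requested_by in distinct:
        reasons.append("requester cannot approve their own payment")
        distinct.discard(req.requested_by)
    need = required_approvers(req.amount)
    if len(distinct) < need:
        reasons.append(f"{need} distinct approver(s) required, {len(distinct)} present")
    return (not reasons, reasons)


# Constructed scenarios: a routine payment, and the classic BEC pattern of
# "new bank details" arriving by email with a new phone number in the same message.
ROUTINE = PaymentRequest("ACME Supplies", "GB00EXAM00000000000001", 5_000, "alice", ["bob"])
CHANGED_UNVERIFIED = PaymentRequest("ACME Supplies", "GB00EXAM00000000000099", 50_000, "alice",
                                    ["bob", "carol"])
CHANGED_PHONE_FROM_EMAIL = PaymentRequest("ACME Supplies", "GB00EXAM00000000000099", 50_000, "alice",
                                          ["bob", "carol"], callback_number="+44 20 9999 9999",
                                          callback_confirmed=True)
CHANGED_VERIFIED = PaymentRequest("ACME Supplies", "GB00EXAM00000000000099", 50_000, "alice",
                                  ["bob", "carol"], callback_number="+44 20 0000 0000",
                                  callback_confirmed=True)
SELF_APPROVED = PaymentRequest("ACME Supplies", "GB00EXAM00000000000001", 5_000, "alice", ["alice"])

if __name__ == "__main__":
    for name, req in [("routine", ROUTINE), ("changed, unverified", CHANGED_UNVERIFIED),
                      ("changed, phone from email", CHANGED_PHONE_FROM_EMAIL),
                      ("changed, verified", CHANGED_VERIFIED), ("self-approved", SELF_APPROVED)]:
        ok, reasons = evaluate(req)
        print(f"{name}: {'RELEASE' if ok else 'HOLD'} {reasons}")
```

The point of recording the dialled number, rather than just a "verified" tick box, is the scenario in which the fraudster's email helpfully includes "our new phone number": a callback to that number confirms nothing, and the check above rejects it because it does not match the number on file.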

Contributed by Oliver Fay, lead intrusion analyst, Context Information Security


*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.