“Turn around bright eyes…” was the lyric heard just as Rik Ferguson, VP of security research at Trend Micro stepped on stage this morning at Cloud Security Expo in London's ExCel Centre, to warn of what he described as business process compromise (BPC) attacks.
Ferguson kicked off with 2015 stats from the FBI on the topic of business email compromise (BEC) attacks, which he says is very similar to BPC attacks.
“Seventy-nine countries and 21,143 victims”, totalling a loss of around USD 3 billion around the world, said Ferguson. “This means a huge loss for victims, however a big profit for criminals.”
BEC attacks are where a criminal might look to imitate high-level senior staff by email, using social engineering techniques, in order to get, for example, a CFO to sign off a large payment or hand over details. “The attacker would assure the CFO that without the sign-off on this particular invoice, there would be grave consequences for the business,” explains Ferguson. “There are many variations on this, but all follow a similar structure”.
Ferguson asserts that attacks of this nature, “generally happen to companies which are used to transferring around large sums of money in order to conduct their business,” and “happens mainly in English-speaking countries”.
Ferguson went on to list a number of real-world BEC incidents and their victims, and spoke of companies such as LeoniAG, which lost 40 million euros, and AFGlobal, which paid out 480,000 USD after being pressured by criminals to pay fake due diligence fees for a merger it was going through at the time.
Pivoting to explain what business process compromise is, Ferguson said it would essentially be an extra step in the process of business email compromise. So, instead of just sending emails laden with social engineering techniques to elicit a response, i.e., sending money or signing a contract, it would be a more long-con approach: gaining access to an email account, for example, and monitoring business processes in order to hack the process instead of the person.
Ferguson warned that when conducting audits of businesses, there should be a further look into how the business operates. A great example he gave: if you know your CFO prints invoices or POs every Friday, you should ensure your network-connected printer is secure, not allowing the deluge of business information to pass through nefarious hands.
“BPC attacks often happen without any human interaction”, said Ferguson, who opined that the Tesco Bank hack was conducted by a BPC attack. “We don't know how, but we think the criminals monitored and injected themselves into the business process.”
Ferguson concluded: “If you compare the damage these attacks are doing in terms of money lost, and compare it to ransomware which caused a worldwide loss of around 1 billion USD in 2016, if you could pull off one of these every, say, five years, you're no longer interested in ransomware.”