Business email compromise (BEC) attacks ramped up significantly in 2020, with more than $1.8 billion stolen from organizations with these types of attacks last year alone — and things are getting worse.
BEC attacks are carried out by cybercriminals either impersonating someone inside an organization, or masquerading as a partner or vendor, bent on financial scamming. A new report from Cisco’s Talos Intelligence examined the tactics of some of the most dangerous BEC attacks observed in the wild in 2020, and reminded the security community that in addition to technology, smart users armed with a healthy skepticism of outside communications and the right questions to ask are the best line of defense.
“The reality is, these types of emails and requests happen legitimately all over the world every day, which is what makes this such a challenge to stop,” the report said.
It’s easy to get hung up on the splashy breaches of major global companies. But the true revenue is being generated by smaller BEC attacks, the report said.
“Although a lot of attention gets paid to more destructive and aggressive threats like big-game hunting, it’s BEC that generates astronomical revenue without much of the law-enforcement attention these other groups have to contend with,” the report explained. “If anything, the likelihood of this has only increased in the pandemic, with people relying more and more on digital communication.”
Most Dangerous BEC Attacks in 2020
Gift card lures are by far the most popular in BEC attacks, Cisco Talos said. Most often, these emails will come from a free service like Gmail, Yahoo or Outlook and will appear to be coming from someone important within the organization. The requests will often have a sad story or hardship wrapped up in the request and will try to get the victim to purchase Amazon, Google Play, iTunes and PlayStation or other common variety of gift card.
If these scams sound like the classic “Nigerian Prince” emails of yesteryear, these phishing lures are similar with one specific distinction: The BEC emails are targeted at individuals, usually those with email addresses published on a website or other company materials.
“The amount of and types of businesses that get targeted with these attacks is truly staggering, ranging from huge multinational corporations down to small mom-and-pop restaurants in U.S. cities,” Talos said. “We found examples of small restaurants that are being targeted by impersonating the owners, since the information was available on their website.”
COVID-19 became a popular theme for some of the more despicable attackers. Some asked for gift cards for children orphaned by the pandemic, which another group in a gross attempt contacted an employee in a hospice unit and asked for donations for a supposed dying patient, with the promise they would be paid back.
“This truly shows there are no lows these actors won’t sink to to try and convince people to give in to their monetary demands,” Cisco added. “This is further illustrated by the successful campaigns we’ve analyzed and the ways these actors typically operate.”
Convincing a target to provide a phone number under the auspices of a scam acquisition was another tactic used by one group, more than one time.
The acquisition lure asked for the victim’s phone number with an email that appeared to be sent and received from the same company, but a closer look shows a slight difference between them.
The image has the company name redacted, “however, you can still see the reply-to address in the email (smtp-tls-outbound-eu-gateway@trustnet-gateway[.]cc),” Cisco said. The report pointed out if the recipient did, in fact, work in acquisitions, the risk would be ratcheted up significantly.
Cisco Talos first traced these acquisition-themed BEC attacks back to 2019, but added there are only a small number being sent out every several weeks.
Another effective tactic that BEC attackers deployed against organization leveraged support contracts, which usually serve to service purchased items. The threat actors would open support tickets or order replacement parts as a way into the target’s system.
“We started seeing a series of emails in mid-2020 with similar subject lines, all ending in ‘Logistics Support Request,’ with some acronym or company name at the beginning,” the report said.
Once the targeted employee responded, the attacker asked for payment under the support contract.
“In most of the examples we analyzed, the victim realized they were being scammed before they sent any money, but again, this is not always the case.,” the report said. “These actors typically just leveraged free email platforms, mostly Gmail accounts, to conduct these campaigns.”
Of course, since 2020, there have been all sorts of other BEC campaign themes observed by researchers, including lures with X-rated material and a recent, and since fixed, Microsoft Teams vulnerability that provided access to employee emails.
BEC Attack Protections
The report acknowledged that most of the attacks observed by researchers at Cisco Talos were in English, but that’s changing too. European, Asian and other language regions are starting to make their way into these attacks, and the report reminds companies which do business in multiple languages to flag terms in each of those languages to be filtered.
Another important mitigation is to tag emails from outside the organization with a subject line tag, like “[External],” as a signal to users to eye its contents with skepticism, Cisco Talos advised.
But it’s the trained, keen eyes of an organization’s employees that are the ultimate line of defense against BEC attacks. Beyond training, the Cisco Talos analysts suggested employees who can spot and stop these kinds of attacks should be loudly applauded within the organization.
“If you do have a user that stops these types of campaigns, reward them,” the report suggested. “They have saved your company a lot of potential loss, and by reinforcing the behavior, hopefully more employees will be willing to step up and stop these types of attacks from occurring.”
Join Threatpost for “Tips and Tactics for Better Threat Hunting” — a LIVE event on Wed., June 30 at 2:00 PM ET in partnership with Palo Alto Networks. Learn from Palo Alto’s Unit 42 experts the best way to hunt down threats and how to use automation to help. Register HERE for free.