BEC Scammers Seek Native English Speakers on Underground

Cybercrooks are posting help-wanted ads on dark web forums, promising to do the technical work of compromising email accounts but looking for native English speakers to carry out the social-engineering part of these lucrative scams.

Looking for work? Speak fluent English? Capable of convincingly portraying a professional – as in, somebody a highly ranked corporate leader would talk to?

If you lack scruples and disregard those pesky things called “laws,” it could be your lucky day: Cybercrooks are putting up help-wanted ads, looking for native English speakers to carry out the social-engineering elements of business email compromise (BEC) attacks.

Infosec Insiders Newsletter

It’s easy work, they promise: They’ll do the heavy lifting of getting unauthorized access to Microsoft Office 365 domains. All that their English-speaking conspirators need to do is sound convincing.

BEC: Cheap, Easy, Hugely Lucrative

BEC is one of the most expensive threat types: Costs associated with this particular scam flavor ramped up significantly in 2020, with more than $1.8 billion stolen from U.S. organizations as cybercrooks launched ever slicker attacks, either impersonating someone inside an organization or masquerading as a partner or vendor in order to pull off financial scams. That’s an enormous slice – 43 percent, according to the FBI’s Internet Crime Report 2020 – of the entire cybercrime losses for the year.

You can see why crooks love BEC attacks: These crimes don’t require a lot of technical know-how. By far the most popular gambit used are gift-card lures, according to Cisco Talos. Most often, phishing emails will come from a free service like Gmail, Yahoo or Outlook and will appear to be coming from someone important within the organization. The requests will often have a sad story or hardship wrapped up in the request and will try to get the victim to purchase Amazon, Google Play, iTunes and PlayStation or other common variety of gift card. The BEC emails are targeted at individuals: Usually those with email addresses published on a website or other company materials.

BEC Sets Up Shop in the Underground

But in spite of the low bar of entry, BEC threat actors haven’t been particularly active on the cybercrime underground, particularly when compared with actors that conduct more popular forms of cybercriminal activity such as ransomware attacks, the cyberattack style with the blistering growth rate.

“The BEC footprint on underground forums is not as large as other types of cybercrime, likely since many of the operational elements of BEC use targeted social-engineering tactics and fraudulent domains, which do not typically require technical services or products that the underground offers,” according to Intel 471.

On Wednesday, Intel 471 expounded on that. In an email to Threatpost, researchers pointed to  ransomware-as-a-service (RaaS) and compromised credentials as being two of the most popular categories of cybercrime, standing out “due to their impact on victims, resiliency, continuous innovation in tactics, techniques and procedures (TTPs), and more importantly, their capability to facilitate further cyberattacks and other forms of cybercrime.”

Comparitively, BEC attacks entail a lot less work, the intel firm said: “Many BEC attacks do not require access to a victim’s network, use no malicious payload and simply may employ a spoofed email domain with a single letter differing from that of the business being targeted.”

That’s changing, however. On Wednesday, threat intelligence firm Intel 471 reported that it’s spotted “notable actors” who’ve started to look for help to carry out a number of steps in the BEC attack chain, including gaining network access and social engineering. Another service is laundering ill-gotten booty via cryptocurrency tumblers: i.e., services that mix up potentially traceable cryptocurrency with others so as to rub out the trail that leads back to the fund’s original source.

In February, Intel 471 came across a threat actor on a popular Russian-language cybercrime forum who was seeking a team of native English speakers for the social engineering elements of BEC attacks, after obtaining access to custom Microsoft Office 365 domains.

In June, researchers came across another actor on a different forum who asked for the same thing: The threat actor posted help-wanted ads that “essentially outsourced the social-engineering work behind BEC, while the actor would take care of the related technical aspects,” they wrote.

Needed: Crooks to Mind Their Ps & Qs to Avoid Red Flags

Fluent, native English speakers are in demand because the North American and European markets are the primary targets for BEC scams, according to Intel 471. The crooks don’t want their proxies to come off like language-glitching Nigerian princes (although research has shown that even those once-risible attempts are growing increasingly sophisticated).

“The use of proper English is very important to these actors, as they want to ensure the messages they send to their victims – mainly high-level employees of an organization – do not raise any red flags,” according to researchers.

Speaking of Nigeria-based scams, the recent increase in pitches for BEC help posted on cybercrime forums has, as recently as two months ago, stirred up some actors who’ve been active in the past with BEC scams, researchers reported.

“A Nigerian-based actor that was linked to BEC scams in 2019 has resurfaced over the past few months,” they wrote. The actor responded to several of the advertisements Intel 471 discovered and also posted their own, offering BEC services and partnerships.

“Multiple posts made by the actor on several cybercrime forums were asking for help in obtaining email database access and credentials from Italy and the U.S., which suggests the actor was in the reconnaissance stage of planning BEC attacks,” Intel 471 reported.

Security analysts have viewed chats in which the actor has claimed that he’s pulled in $100,000/year from launched BEC attacks.

Tumbling the Funds

Cybercriminals are also looking on the underground for help in laundering the money stolen via BEC schemes. Intel 471 observed a Russian language actor place an ad on a cybercrime forum looking to launder sums as large as $250,000 through a cryptocurrency tumbler that dispenses funds to money mules in incomplete installments, which also “makes it significantly more difficult to trace.”

The fact that these cybercrooks need conspirators to launder sums up to six figures suggests that the scams are targeting large companies for fat payouts, Intel 471 observed.

English Just One Skill That Makes Crooks Money

English is just one of a “hotbed” of skills to be found on the underground that can make criminals money, Intel 471 said: “While it may not be as popular as credential theft or ransomware, the intelligence we’ve discovered shows that criminals will use the underground for all types of schemes, as long as those forums remain a hotbed of skills that can make criminals money.”

To help prevent against these persistently successful BEC attacks, Intel 471 offered a few tips:

  • Proper training for an organization’s email users. “Awareness of the techniques threat actors employ and key indicators that an email or sender is fraudulent or inauthentic can help reduce the threat of BEC,” they advised.
  • To keep potentially malicious emails from reaching the inboxes of employees from the get-go, Intel 471 suggested possible implementation of an email authentication protocol such as domain-based message authentication, reporting and conformance (DMARC) as a way to “differentiate legitimate, verified emails from fraudulent and unverified emails and spoofed domains, which may be used to launch a BEC campaign.”

090121 11:56 UPDATE: Added a link to the FBI’s Internet Crime Report 2020 as a source for the estimate that BEC makes up 43 percent of cybercrime losses, along with Intel 471’s comments expounding on which types of cybercrimes are the most popular.

Check out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.

Suggested articles

Discussion

Leave A Comment

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.