Hundreds of thousands of dollars lost. Financial and emotional ruin. And in some cases, suicide. These are some of the outcomes business email compromise (BEC) attacks have on victims, said Ronnie Tokazowski, senior threat researcher with Agari.
These types of attacks don’t garner the same attention as high-profile hacks, he said. Why? Because BEC attacks are simple – yet potent. Instead of having to develop malware or complex attack chains, all attackers need to do is send an email – usually mimicking a coworker’s email account or using a compromised account – and con victims into, for example, wire transferring money. But the fallout from these types of attacks is devastating.
Worse, BEC actors are “growing up” – evolving into more sophisticated actors with novel techniques. And it’s working, according to Agari. The average amount requested in wire transfer-based BEC attacks increased in 2020 from $48,000 in the third quarter to $75,000 in the fourth quarter.
In this Threatpost one-on-one video interview, Agari’s Tokazowski walks us through some of the worst BEC attacks he’s seen – and why these types of email attacks are getting worse.
Below is a lightly edited transcript of the video.
Lindsey Welch: Welcome to Threatpost Now. This is Lindsey Welch with Threatpost, and I’m joined today by Ronnie Tokazowski, who is the senior threat researcher with Agari. Ronnie, thanks so much for joining me today.
Ronnie Tokazowski: Yep, thanks for having me.
Business Email Compromise Attacks During Covid-19
LW: All right, great. Well, a lot has changed over the past year, including us being remote. But a lot has also changed on the security front. And particularly as it relates to business email compromise, or BEC, which is an extremely prevalent email attack that we’re seeing, and we have seen over the past few years. So I mean, BEC continues to kind of be a thorn in the side of companies right now, especially during the pandemic, is that what you’ve been seeing lately?
RT: Yeah, that’s very much what we’ve been seeing lately. And with everyone being more remote, everybody working from home, it’s like email security is even more important now. BEC just in general is just constantly going up and up. And there’s more scammers realizing it’s easier to ask for money than it is to go and try and get somebody to click on a piece of ransomware. We’re just gonna keep getting more and more losses on this.
LW: Right, right. And I think the lack of sophistication that’s needed on the cybercriminal front is part of what makes this so dangerous, although there can be more sophistication in certain attacks, but it’s certainly easy for an attacker to launch. And then people continue to fall victim to it. So definitely dangerous for sure.
RT: Yeah, and the interesting thing is, in terms of the tools that they’re using, they’re not using like really sophisticated hacking tools. A lot of times, they’re using regular lead-generation services, just like our marketing teams use and everything. And the reason that they use that is so that they can go and figure out, “Okay, I’m going to target a controller of this account, I’m gonna go and target this CEO, or I’m gonna go try and send a phishing email to the CFO and see if I can get money out of them.” And again, it’s just as simple as “Hey, can you wire something for me?” “Okay.” That’s your BEC attack, as opposed to trying to go and make a new strain of malware.
LW: Right? It’s almost like easy money, for sure.
RT: It’s funny that you use the words easy money, because on the ground, that’s what scammers call things like this, things like unemployment fraud, easy money. That’s actually the exact word that they use for this.
LW: Right. Yeah, that’s funny. I’m curious if you’ve seen any more pandemic-related types of hooks being used, speaking of unemployment, fraud, or whether it’s kind of been continual romance scams and some of the other things that we’ve seen in the past? Are you seeing anything new crop up due to the pandemic?
RT: Yeah, so specific to Covid-related themes, one of the things we saw was a group of ours called Cosmic Lynx. And for a little bit of background on them, they’re a BEC group that we believe is out of Russia. And we initially released a report on them going back in July of 2020, but one of the themes that they started using was that they were actually referencing Covid-19 vaccines. So one of the things with this group that’s really interesting is that they very much are familiar with the pop culture, they’re familiar with what’s going on in the media. They’re familiar with what’s going on in the world. And they will specifically use those references and words in order to try and socially engineer people, in order to try and get more money out of them. It’s something where it’s not just your sophisticated actors – like Cosmic Lynx – that we’ve seen doing this. It’s something where we’ve seen this all across the board for BEC actors. We’ve had multiple cases where BEC actors will either reference Covid-19 by saying, “Hey, we need you to go ahead and go do this,” suddenly, this gift card is related so we’re gonna reward the employees. We’ve seen other cases where romance victims are also engaging with them, also using Covid-19 related themes. So it’s something where all across the board threat actors have kind of updated their templates, updated their documents to kind of reference all things Covid-19 by now.
Common Covid-19 Vaccine Email Attack Lures
LW: Yeah, yeah. And I’m curious, can you walk us through what a particular email attack would be, looking at, for instance, if a lure about vaccines was used, what would that look like?
RT: Yeah, so for the case of BEC, a lot of the way that the lure works is they’ll say, “Hey, here’s this vaccine and whatnot. We’re trying to go and do other related things just around trying to get this money moving,” and especially in the case of Cosmic Lynx, they would go ahead and make references to that. They would use that as a way to help build up the rapport, build up the way that they were working in order to try to get more money out of people. And specifically with Cosmic Lynx, that’s one of the things that they would do is by using things like the Covid-19 vaccines, they would try and build that rapport and build that relationship and build that trust with the user, so they could then start manipulating and socially engineering people in order to steal more money from them, essentially.
LW: Right, and I’m sure with kind of heightened anxiety and stress about Covid-19, it’s unfortunately a perfect way to play on people’s emotions.
RT: Yeah, and that’s a lot of the reason that you have success with romance scams, a lot of the reason you have this level of success with business email compromise is because when your scammer goes to send those emails and deliver those attacks, they’re playing on that fear of, “hey, I need to go ahead and do this, or I’m gonna get fired,” they’re playing on the urgency of things like, “hey, I need you to do this really quickly.” And in the case of Cosmic Lynx, they would actually use legal and law firms as part of their lures. And by using that legal and law firm, not only do you have that fear and anxiety, now, you’re able to add a level of confidentiality to that. And that’s one of the biggest things, one of the most interesting things that we saw with Cosmic Lynx, was they are able to play on that confidentiality. And by impersonating law firms, it’s something where they’re able to make it seem even more like “Oh, you can’t tell anybody about this.” So now it becomes that secret between that person who’s the authority being that scammer, and whoever they’re engaging with. And if that confidentiality is broken, I might lose my job. And it’s something where by playing on those fears, by playing on those emotions, that’s how a lot of these actors were able to be more successful on BEC. The most interesting thing with Cosmic Lynx is that with them doing that, they’re able to ask for even higher amounts of money than we’ve seen with previous BEC actors. And they’re very much one of those one BEC groups that’s figured out, “hey, if I play on these emotions, that I can have a lot more success on that.”
Money Wire Transferred During Email Attacks on the Rise
LW: Speaking of that higher amount of money, Agari came out with some new data that found that the average amount that’s being requested in wire transfer BEC attacks has increased from $48,000 in the third quarter to $75,000 in the fourth quarter. So can you break down those figures? How does this compare to previous years? And it sounds like this is also stemming from Cosmic Lynx and these new tactics around confidentiality and other TTPs that they have as well. So what are you seeing there?
RT: Yeah, so I’ve been tracking BEC since about 2015, and in previous years, it was something where you might have an actor who’d ask for, like, $10,000 here, or $5,000 here. And initially, in the BEC threat landscape, they were asking for smaller amounts. And the reason they were doing that back then was because they were just trying to test the waters and trying to see how successful they would be. As time has progressed, they’ve discovered that they can start asking for more and more money. And that’s what we’re seeing here, is we’re seeing this constant growth and this constant development of it. Going back, numbers actually came out of IC3, to kind of help back up our data on this. IC3 released some stuff going back in 2019 that business email compromise was responsible for over $26 billion in losses. And that’s not “Hey, an attempt here.” That’s like actual money that went out. There’s a victim tied to every single penny of that. And when you expand that out even more, that doesn’t include things like romance scams, it doesn’t include things like check fraud, that doesn’t include things like the gift card fraud side of things. So the problem with business email compromise is, I hate to say it, but we’re really very much in the infancy of just understanding how this crime works. And we’re in the infancy of actually responding to a lot of this stuff and everything. And in the case where we could go and look at historically the last five years, $26 billion went out and everything, the losses are just gonna keep going up from there.
And when you actually start comparing it to other types of cyberattacks, such as ransomware, or like the Emotet takedown that most recently happened, with a lot of those scams and a lot of those attacks that got taken down, many of the numbers that have been thrown around would maybe be $100 million here, $250 million here, as damages as a result of taking those down and everything. And for me, at the end of the day, I really struggle with that. Because it’s something where I’m like, it’s great that we went and took those ransomware attacks down. It’s great that we went and protected $100 million and everything, but on the business email compromise side, it’s like we have losses in the billions. We have victims all across the globe on this stuff, with the number from IC3 I think was like 90% of the globe was affected by that. Going back specifically to Cosmic Lynx, we’ve actually seen them target 52 different countries on this. And we’ve actually seen them writing native French, Japanese, English and Finnish. I mean, those are just a couple of instances that we’ve seen. And when I say native, I’m not talking like, okay, it’s someone who’s trying to translate it using Google Translate. It’s, we give it to somebody who is fluent in that language, and they’re like, yep, that’s exactly how that certain word and that certain grammar should be.
So right now with the losses and everything, it just keeps going up and up and up. And as it stands right now, there’s really nothing stopping it from continuing. And that’s what scares me and keeps me up at night, is just seeing all this damage from business email compromise, and realizing, okay, we just had $26 billion over the last five years that went out, and trying to put that into context when you start relating it to a lot of other crimes out there as well.
Protecting Against Email-Based Security Attacks
LW: Yeah, I think you bring up a good point, which is that law enforcement and even the media – I mean, I can speak for my own industry, but other industries – pay a lot of attention to the ransomwares and the Emotets of the world. And BEC gets left in the dust a lot just because of how simplistic or easy it is to launch. What do we need to do to kind of get more on the defensive side against this type of attack?
RT: I think the first thing that we need to do is we need to start understanding how this works. And the reason I say that is because with a lot of people, and this is something where I see this in media all the time, when people go and try and address business email compromise, they address it as just this little piece of the email and everything. What they fail to realize is they don’t account for things like the bank account that’s inside of that. Where did that bank account come from? Almost 100% of the time that we’ve seen, that’s either a money mule or a romance victim. How did that romance victim now get engaged within everything? That romance victim is now dealing with the scammer over here. So now, this business email compromise that you’re looking at now becomes a case of romance scam. In looking at some of the studying that we’ve done over the years, looking at other types of related scams too, the same actors aren’t doing just BEC, they’re also doing check fraud. They’re doing money laundering. They’re forging documents, they’re forging passports, they’re forging government information, they’re doing unemployment fraud, they’re doing W2 fraud, they’re doing IRS scams. And like I could seriously sit here for the next half hour and list off all the other things that these actors are doing. But at the end of the day, that’s the biggest thing we have to understand is we have to understand that business email compromise is just a symptom of something that we’ve been trying to track for the last 30 years. It’s all 419 scams, the same thing that we used to mock as Nigerian prince scams, that we used to joke about and everything, that decided to grow up and put their big boy pants on, and now they’re dabbling with the Russians in order to start stealing billions of dollars.
And that’s kind of just the reality of the situation right now, the biggest problem with fighting BEC is that we just need to understand that all of these things are related, and in order to try and figure out how you go forward with that, that’s what we need to do right now, is we need to figure, “Okay, all of these things are related.”
And the analogy I like to give on this when making a reference to romance scams, because I’ve gotten flak on this just professionally. People are like, “Ronnie, romance scams have nothing to do with business email compromise.” By ignoring a romance victim, it would be the same thing as a malware analyst saying this IP address isn’t important. This unique registry key isn’t important. At the end of the day, that’s all infrastructure. And it’s something where unless you fully understand that holistic view of that, you’re gonna make no headway on it. And that’s how we have to think of BEC going forward, is kind of that holistic view, if you will.
Cosmic Lynx: When Business Email Compromise ‘Grows Up’
LW: Yeah, I like your phrase about kind of the Nigerian prince scam growing up, because I do think that’s what’s happening with Cosmic Lynx. And, you know, when it was first discovered, the reason that it really was set apart from other BEC groups is that it comes from Russia, but just the level of sophistication to that, I think this group is making people realize that BEC groups can have that impactful, damaging harm to companies, and they are growing up, so that’s a good point to make for sure.
RT: Yeah, one of the interesting things with Cosmic Lynx, to kind of play on their level of sophistication, is they understand a lot of these security processes, how all of this infrastructure works. And what I mean by that is, as network defenders, we have certain specific things that we will go and look at in order to define if something is an attack or whatnot. So when or if something is a little fishy, and with Cosmic Lynx, one of the tactics that they’ve started using recently is trying to impersonate secure Amazon infrastructure, they’re starting to impersonate a lot of that infrastructure in order to make it look more legitimate. So that when it gets into your users’ inbox, and they look at the subject, and they look at where it came from, like we tell every single user to do, it’s like, “oh, it’s secure, it looks like it’s coming from Amazon. I know Amazon, they’re a company, I buy stuff on there all day long. I bought stuff on there from Amazon the other day, and everything.” So it’s like we all know what Amazon is. And even before that, and everything, they were very much doing the same thing – they were impersonating other secure email gateways. And by building on that level of trust, that’s what Cosmic Lynx has figured out, they figured out that, hey, we can start going further on that level of trust. And if we gain enough trust, we will be successful. So they’re playing on the fear, they’re playing on the trust, and they’re playing on the confidentiality. And that’s the scary thing with Cosmic Lynx compared to a lot of other BEC actors, is they aren’t necessarily playing on those same emotions and those same human aspects, if you will.
LW: Yeah, I’m curious, do you see more Cosmic Lynx-type BEC groups cropping up in the future, that will continue to have this level of sophistication that we should be on the lookout for?
Novel Business Email Compromise Attacks in the Future
RT: I want to tell you, I really, really, really, really, really, really hope not. But unfortunately, the reality of the situation is yes, we’re gonna see more people doing this. We’ve been screaming this from the top of our lungs for the last five years that business email compromise is a problem. We have billions of dollars that have gone out on this, we have hundreds of thousands of victims and everything. And especially when you look on the romance victim side – I hate to put it this bluntly – but there’s absolute carnage on that side. Like we’ve had cases where suicide has been an end result of this.
And we all get so upset, and we all become fear-mongering because a hospital gets encrypted because someone might lose a life. But on the business email compromise side, we have lives absolutely devastated because of this stuff. And that’s what people don’t realize is they don’t understand the level of damage that’s actually happened because of this. And even taking a step back from the emotional side of it, actually looking at the money. It’s something where scammers are constantly getting more and more money as a result of this. And with more and more malware crackdowns, a scammer doesn’t have to go and create this super sophisticated sample of malware in order to try and break into an organization. All they have to do is send an email and say, “Hey, can you do a wire transfer for me?” That’s it. And that’s the reality of this. And more attackers are going to realize that they don’t need a payload, they don’t need a link or anything in order to continue doing this. And as it stands, and as the last two years have proven, it’s just gonna keep growing more and more and more.
Why is Business Email Compromise Such a Problem?
LW: Yeah, and I also wanted to highlight your point about the impact here, I think that it’s really important in all of these types of security stories to highlight the personal impact on the victims. And we’ve seen everything beyond corporations just from like charities to churches, all kinds of organizations be impacted by BEC. And I know you pointed to the romance scams, which really have that kind of heightened level of emotional damage there too. So I just think that’s important to highlight and to point out with BEC.
RT: Yeah, I’ve got two stories for you on the emotional side of the alphabet and everything. So story number one was one case that we saw with Exaggerated Lion. We were actually out having dinner one night, and on one of the TVs that we saw up on there, where we were eating, they actually had released information about someone who was arrested for $100,000 for doing a different business email compromise. And we were like, that name looks familiar. So we went back and looked through our intelligence, and we discovered that it was actually a mule that we had been looking at. So what ended up happening with his story was he was arrested and put in jail for $100,000 in fraud. One of the places that he stole money from was the United Methodist Church. So when you go and actually look at that, that sounds absolutely horrible. But looking at our intelligence, in his case, he actually thought he was in a relationship with a woman named Peggy. So what Peggy was doing was … every time that he would go and move money, he thought it was for her inheritance. So every time that he would go and do that, and everything, every time that he would send money, he never thought he was wiring it as part of fraud and everything. So as that went on, it was something where he just kind of kept sending more and more information, more money or whatnot. And he would do things like he would take pictures of his food. He would take pictures of his truck, it was something where this was the information we were looking at, he was hands down a romance victim by any stretch whatsoever. And to give you an idea of how indoctrinated this individual was, the scammer actually sent pictures. And it was one picture where it was a less formal picture, and it was a more formal picture. And the romance victim actually had a preference of the type of clothing of the person he thought he was in a relationship with.
He actually preferred the less formal version of it because this individual was in a more impoverished area. But he was in a more rural area. So it was something where he just preferred someone who was less formal, and the scammer actually convinced him to go take a check from three states away, deposit that into his bank account, and wait for the money to clear. And then he sent $15,000 in cash in a FedEx box to another state for the sole reason that he couldn’t get to a Bitcoin ATM, two and a half hours away. So yeah, it was something where that’s how far these people are indoctrinated.
So story number two and kind of reminiscing back to before Covid-19. Back when we used to meet in person. I got an Uber at Black Hat. It was something where I got to talking with the person who was the driver, and explained my theory and everything. I’m like, “I work with romance victims just as a part of this type of crime I fight.” She’s like, “funny that you mentioned that.” So she told me her life story. And in talking with her, she was in a romance scam for 10 years, she ended up losing her husband, lost her family, lost her house, her kids never wanted to talk to her again because of everything that happened. And the reason she was an Uber driver was because she had nothing else, her credit was shot by that point. I asked a little bit of a personal question – I’m like, “what made it so enticing for you to go and click into that?” And one of the things that she had told me was, she kind of got really quiet there for a second. And she was like, “Well, my husband was really abusive, and I just wanted to be loved.” So it’s something where the people have figured out that they’ve gone that far with a lot of the emotions in order to manipulate people, that it’s something where they’re hooking people on these different emotional strings with the romance victims and everything. And again, a lot of what happens is the romance victims are being told, “hey, go send this check, go do this wire transfer, before we go do this, go do that.” And as part of that, you see these people are being manipulated in order to kind of take that money out. And again, that’s what we’ve seen on the business email compromise side. And again, all these other Covid-19 scams have been coming in on that.
But on the Nigerian BEC side, what we’re seeing is we’re seeing romance mules being used heavily as part of that infrastructure. And then on the Cosmic Lynx side, where you have the more advanced side of it and everything, there’s still mules that are being used for that. I’m not totally aware of, like, what type of mules those are, because we’re still digging into that type of intelligence and everything. But specifically Cosmic Lynx, this crime just keeps growing is the reality of it. So it’s something where a lot of these things are a hard pill to swallow, but at the end of the day, this is just how it works.
The Victims of Business Email Compromise
LW: Yeah. And when you look at stories like that, too, part of the importance of looking at BEC, and investigating what’s going on, and why this happens, is looking at the victims too. And why they click on certain emails and why they fall for these types of scams. So it’s definitely sad to have to deal with that. But it’s also important to realize what someone might be going through in their life in order to fall victim.
RT: For sure. Yeah, yeah. And that’s very much what we have to understand is that there’s so many other things other than just BEC that’s playing into this. And it’s something where from the business email compromise side, like I said, it keeps growing every year after year after year. And there’s tons of numbers to look at, there’s tons of events out there, it’s like we need to start doing something.
LW: I’m curious if, in the future, we’ll see kind of more awareness around BEC, or is there anything to kind of look forward to or be optimistic about in terms of BEC?
RT: Yeah, so understanding the awareness piece, that’s probably one of the big things with a lot of the victims who end up getting pulled into this. What it falls down to is a lot of them just don’t understand the technology. They don’t understand the different aspects of it. And it’s something where it’s almost like how our parents had to talk with us saying, “hey, there’s strangers on the internet who want to go and do bad things and everything.” It’s almost like we have to go and have that talk with our parents and say, “Hey, there are strangers on the internet who are going to tell you different things, like to say hey, go wire this money over here. Go buy me this gift card,” or when they say, “Hey, I have Microsoft calling me,” explain to them that, no, Microsoft will not call you and everything. And that’s really what we need to do is we all need to really sit down and realize that this is just how a lot of stuff works. Once we understand how this stuff really works, then we can start realizing, oh, hey, that’s something that’s odd in there. And that’s something where that’s not how it’s supposed to be.
LW: Right, well hopefully that can happen. Ronnie, thank you so much for joining me today to talk about BEC attacks and what to look out for and what plays into them.
RT: Yep, thanks for having me on.
LW: Once again, this is Lindsey Welch with Threatpost. Don’t forget to subscribe to Threatpost’s YouTube page. And if you want to share your own thoughts on BEC attacks and Cosmic Lynx, please drop a comment below. Thank you.