[BreachExchange] We're Only Human: Why Business Email Compromise Scams Still Work

Audrey McNeil audrey at riskbasedsecurity.com
Fri Mar 30 10:05:52 EDT 2018


https://www.ibtimes.co.uk/were-only-human-why-business-email-compromise-scams-still-work-1665594

Gone are the days of the Nigerian Prince scam, which is now mostly cited as
an anecdote about how easy a scam is to recognize, with jokes at the expense
of those who fell for it. However, the complacent belief that email scams
are easily spotted has opened the door for criminals to hone their craft
and target unsuspecting, unprepared victims.

What is the Human Factor?

Criminals have recognized that the user behind the screen remains the
weakest point in the defenses of a company or individual they want to
compromise and defraud. Exploiting the 'human factor' can be done simply
and cheaply, without special tools, malware, or technical knowledge. With
only a small amount of research, threat actors can convincingly impersonate
a trusted contact of a targeted company.

'Human factor' vulnerabilities arise from the inadvertent, non-malicious
actions of people inside a company: clicking a phishing link, misplacing an
unencrypted device, or tossing sensitive documents in the trash instead of
disposing of them properly. Attackers exploit these vulnerabilities to get
users to carry out the attack for them unwittingly.

Human factors are a growing contributor to cyber-attacks, from both inside
and outside the corporate network, aimed at stealing confidential data or
defrauding a company. The last time IBM analyzed this component we found
that 95 percent of security issues were the result of humans. Human errors
range from a misconfigured cloud server and poor patch management to
clicking a malicious link in an email.

Although improvements to IT processes can help with system and patch
management, in the case of business email compromise (BEC) even employees
who follow security policy may not be protected from the threat. Conducting
a BEC scam often takes nothing more than adept social engineering to trick
a user into making a mistake.

What is a Business Email Compromise Scam?

A BEC scam typically involves a threat actor taking over or impersonating a
trusted user's email account, either by stealing that user's email
credentials or by registering a look-alike domain with a slight typo and
creating addresses that closely resemble the legitimate user's email
address.

Companies that conduct international wire transfers have proven to be
attractive targets for BEC scams. The attacker's goal is to divert payments
to an attacker-controlled account or gain confidential information from the
organization, such as employee tax forms. These attacks can often be
carried out almost entirely based on phishing and manipulating people,
often those working in accounts payable, to perform illegitimate activities.

How Does the Attacker Conduct a Successful BEC Scam?

To succeed, attackers need to blend in with the organization and employees
they're targeting. Once the attacker takes over a victim's email account,
they build a false sense of normality for accounts payable employees by
mimicking previous conversations and copying the victim's usual signature
block. The attacker does this by studying earlier email threads, so that
their messages contain very few of the grammatical or colloquial mistakes
that would otherwise be a red flag in spam or phishing.

In many cases, attackers add layers of obfuscation to keep the compromised
user unaware that their account is being misused. For example, they create
inbox rules, a feature normally used to tidy up a mailbox, that delete or
file away conversations which might reveal the malicious activity. The
attacker may also change the mailbox settings to auto-forward conversations
to an address they control, so they can read the messages without logging
into the victim's account again.
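The inbox rules and forwarding changes described above leave traces in mailbox audit logs, and that is where defenders can catch them. The following Python is an added example, not code from the article or from any mail vendor: a small triage routine that flags newly created inbox rules and mailbox forwarding changes carrying the hallmarks of account takeover (hiding payment or security-related mail, forwarding outside the organization, blank rule names). The audit record layout, the INTERNAL_DOMAINS set and the sample events are assumptions constructed for this example; real platforms expose these events under their own field names.

```python
"""Flag inbox rules and forwarding changes typical of BEC account takeover.

Added example, not from the article. The audit records below are constructed
for this example and use a generic field layout (an assumption); real mail
platforms expose the same events under their own names.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumption for this example: the organisation owns only these domains.
INTERNAL_DOMAINS = {"example.com"}

# Subject/body terms an attacker wants the mailbox owner never to see:
# payment threads, and the security notices that would expose the takeover.
SUSPICIOUS_KEYWORDS = ("invoice", "wire", "payment", "bank", "password",
                       "suspicious sign-in", "new device")

# Folders where attackers bury messages so they never surface in the inbox.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items",
                  "conversation history", "junk email", "archive"}


@dataclass
class AuditEvent:
    """One mailbox audit record (constructed layout, not a vendor schema)."""
    user: str
    action: str          # "NewInboxRule" or "SetForwarding"
    params: dict


def is_external(address: str) -> bool:
    """True when the address is outside the organisation's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def review_inbox_rule(params: dict) -> list[str]:
    """Return the reasons a newly created inbox rule looks like BEC tradecraft."""
    reasons: list[str] = []
    conditions = " ".join(
        str(v) for k, v in params.items()
        if k in ("SubjectContainsWords", "BodyContainsWords", "From")
    ).lower()
    hides = bool(params.get("DeleteMessage") or params.get("MarkAsRead")
                 or str(params.get("MoveToFolder", "")).lower() in HIDING_FOLDERS)
    if hides and any(word in conditions for word in SUSPICIOUS_KEYWORDS):
        reasons.append("hides mail about payments or account security")
    # A rule that silently trashes or marks read *everything* is just as telling.
    if hides and not conditions:
        reasons.append("hides all incoming mail without a filter")
    for target in params.get("ForwardTo", []) + params.get("RedirectTo", []):
        if is_external(target):
            reasons.append(f"forwards mail to external address {target}")
    if len(str(params.get("Name", ""))) <= 2:
        reasons.append("rule name is blank or a single character")
    return reasons


def review_forwarding(params: dict) -> list[str]:
    """Return reasons a mailbox-level forwarding change looks suspicious."""
    target = params.get("ForwardingSmtpAddress")
    if target and is_external(target):
        return [f"mailbox auto-forwards to external address {target}"]
    return []


def triage(events: list[AuditEvent]) -> list[tuple[str, str, list[str]]]:
    """Run each event through the matching reviewer; keep only the hits."""
    findings = []
    for ev in events:
        if ev.action == "NewInboxRule":
            reasons = review_inbox_rule(ev.params)
        elif ev.action == "SetForwarding":
            reasons = review_forwarding(ev.params)
        else:
            reasons = []
        if reasons:
            findings.append((ev.user, ev.action, reasons))
    return findings


# Constructed sample events: one benign housekeeping rule, two attacker patterns.
SAMPLE_EVENTS = [
    AuditEvent("ap.clerk@example.com", "NewInboxRule",
               {"Name": "newsletters", "From": "news@vendor.example.net",
                "MoveToFolder": "Reading"}),
    AuditEvent("ap.clerk@example.com", "NewInboxRule",
               {"Name": ".", "SubjectContainsWords": ["invoice", "wire transfer"],
                "MoveToFolder": "RSS Subscriptions", "MarkAsRead": True}),
    AuditEvent("cfo@example.com", "SetForwarding",
               {"ForwardingSmtpAddress": "cfo.example@mail.example.org"}),
]

if __name__ == "__main__":
    for user, action, reasons in triage(SAMPLE_EVENTS):
        print(f"{user}: {action} -> {'; '.join(reasons)}")
```

Run on the constructed events, the benign "newsletters" rule is ignored, the single-character rule that marks payment mail as read and files it under RSS Subscriptions is flagged twice, and the CFO's new external forwarding address is flagged once. In practice the same logic is fed from the platform's audit feed and the alert is raised to both the mailbox owner and the security team, since the owner is the one person the rule was designed to keep in the dark.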

Once the attacker has laid the groundwork for a believable ruse, they
convey urgency when requesting an international wire payment to a new
account, often sending multiple follow-up emails. In some instances the
threat actor also impersonates senior members of the supervisory chain so
that the transaction appears to have been approved.

Why Do Attackers Use BEC Scams?

Attackers rely on exploiting the human factor via BEC scams for three
reasons. First, quite simply, it works: attackers are seeing growing
success with malware-free BEC scams, and reported losses worldwide have
risen by orders of magnitude since 2015. Second, BEC scams are cheap
compared with buying or building an exploit, because they require little
or no technical knowledge or special tooling. Finally, BEC scams that use
compromised credentials to target victims from within a trusted network
are hard to identify with traditional detection platforms: with no malware
involved and the mail coming from a legitimate account, the attack is less
likely to be foiled by endpoint detection, network sensors, or spam
filters.

What Can Organizations Do?

Because an attacker can succeed at BEC with very little investment, the
number of attacks and the amount stolen have increased significantly over
the past couple of years and will likely continue to rise. To reduce the
risk of becoming a victim, companies can immediately implement policies
that address the 'human factor' through both employee training and
technical controls that are likely already available in their email
platform.

Employee training should cover the tactics attackers use in BEC scams.
Employees should regularly review their own mailbox settings, such as
inbox rules and forwarding, and scrutinize sender addresses for look-alike
domains, such as one with an extra or substituted letter.

Since the attacker will also send mail directly from a compromised
account, employees should watch for messages with unfamiliar grammar or
word choices, senders who seem suspiciously uninformed about internal
policies and company structure, and urgent requests for international
money transfers or for changes to payment details.

Additionally, tagging messages from external senders with a banner, and
blocking auto-forwarding of mail to addresses outside the organization,
increase the likelihood that an attack is identified and stopped before
any fraud occurs. An external-sender banner does not help when the message
comes from a genuinely compromised internal account, which is why the
forwarding and inbox-rule controls matter as well.

Organizations can also adopt strict international wire transfer policies,
for example a mandatory time delay before payment processing, or a
requirement to verify any change of bank account details by calling the
phone number already on file for the older, verified account, never a
number supplied in the email requesting the change.

Finally, the most important technical control a company can implement is
multi-factor authentication for email logins. Requiring a second factor
greatly reduces an attacker's ability to access a mailbox with a stolen
user ID and password alone.