Modern-Day Whack A Mole: The Evolution of Business E-mail Compromise (BEC) Scams
I have an urgent message for you. The prince of Nigeria is attempting to transfer his money out of the country before a military coup, but he needs your help. If you can please provide me with your account number, the sum of $28 million US Dollars will be wired to you overnight. We will ask you to transfer most of it to another account and you can keep 10% as a handling fee ($2.8 million US Dollars).
Does this e-mail sound familiar? It should, since practically every e-mail user has received a Nigerian 419 scam at one time or another. While 419 scams have become a running joke in the InfoSec world, they still cause real losses, typically among elderly, young, or non-tech-savvy users. When the standard 419 scam lost its effectiveness against businesses, because user awareness training improved, the scammers changed tactics to an attack format known today as business e-mail compromise (BEC). The premise of BEC is simple: go onto LinkedIn, identify who controls the money in an organization, and craft an e-mail to that individual from a spoofed CEO address or from an account on a lookalike domain that closely resembles one a high-ranking official at the company would use. The e-mail typically instructs the recipient to wire money to a vendor or to a third party for an acquisition, and may state that the transaction is "highly confidential" and that no one else should be told about the transfer. According to the US FBI, there were over $12 billion US Dollars in reported losses due to BEC between 2013 and 2018. This figure does not include unreported losses, which the FBI expects to be four or five times the reported amount (approximately $48 to $60 billion US Dollars).
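As an added illustration (not code from the original article), the following Python check scores an inbound message on the traits just described: a sender domain that merely looks like the company's, an executive's display name on an external address, a Reply-To that diverts replies elsewhere, and "urgent"/"confidential" wire language. The company domain, executive names, keyword list and both sample messages are constructed for the example.

```python
"""Score an inbound e-mail for BEC indicators (added example, not from the article)."""
from email import message_from_string, policy
from email.utils import parseaddr

ORG_DOMAIN = "examplecorp.com"            # assumed company domain
EXECUTIVES = {"jane doe", "john smith"}   # assumed display names of CEO / finance approvers
# Assumed wire-fraud vocabulary; tune to your own mail flow.
KEYWORDS = ("wire", "transfer", "urgent", "confidential", "immediately", "new bank")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquats such as examp1ecorp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """Lower-case and collapse whitespace so 'Jane  Doe' matches 'jane doe'."""
    return " ".join(name.lower().split())


def score_message(raw: str) -> dict:
    """Return the sender address, an indicator count, and the reasons that fired."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []

    # 1. Lookalike domain: close to ours, but not ours.
    if domain and domain != ORG_DOMAIN and edit_distance(domain, ORG_DOMAIN) <= 2:
        reasons.append(f"lookalike sender domain {domain}")

    # 2. Executive display name carried by an external address.
    if normalize(name) in EXECUTIVES and domain != ORG_DOMAIN:
        reasons.append(f"executive name '{name}' on external domain {domain}")

    # 3. Reply-To pointing at a domain other than the From domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    if reply_domain and reply_domain != domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {domain}")

    # 4. Urgency / secrecy wire language in the subject or plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    hits = [k for k in KEYWORDS if k in text]
    if len(hits) >= 2:
        reasons.append("wire-fraud language: " + ", ".join(hits))

    return {"from": addr, "score": len(reasons), "reasons": reasons}


# Constructed sample: a classic CEO-impersonation request from a typosquat domain.
SAMPLE_BEC = """From: Jane Doe <jane.doe@examp1ecorp.com>
To: ap@examplecorp.com
Reply-To: jane.doe@mail-examplecorp.net
Subject: Urgent wire transfer - confidential

Please process a wire transfer to the new supplier immediately.
This is highly confidential, do not discuss it with anyone.
"""

# Constructed sample: an ordinary vendor invoice.
SAMPLE_LEGIT = """From: Acme Supplies <billing@acmesupplies.example>
To: ap@examplecorp.com
Subject: Invoice 4471 attached

Hi, please find attached invoice 4471 for last month's order. Thanks.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_BEC, SAMPLE_LEGIT):
        print(score_message(sample))
```

A message that fires only the language check (an internal finance e-mail that genuinely mentions a transfer) scores 1 and should not be blocked on its own; the lookalike-domain and executive-name checks are the ones that warrant a hold and an out-of-band phone call to the purported sender.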
BEC in turn had its heyday until better user awareness training became available, and making it mandatory for finance departments led to fewer people falling for the scams. The formation of an asset recovery team within the US FBI's Internet Crime Complaint Center (IC3) has also taken a bite out of BEC. The recovery team touts a 75% recovery rate for stolen funds if the FBI is alerted within 48 hours of the transfer. It has streamlined communications between law enforcement and financial institutions around the world so that stolen funds can be frozen or clawed back before the scammers withdraw them through money mules. However, as Bruce Schneier is fond of repeating, attacks always get better; they never get worse, and scammers have adapted to the changing landscape.
A typical modern attack does not spray and pray, hoping users will click on links or wire money to anonymous bank accounts. Attacks are becoming increasingly sophisticated and targeted. Scammers have learned that patience often pays off and that running a long con yields higher financial gains. One tactic modern BEC scammers use is to compromise an Office 365 account through phishing, spear phishing, or credential-stealing malware. Once the scammers hold the credentials, they can read the user's e-mail and view the user's calendar. If the user is the CEO, the scammers can wait until the CEO goes on an overseas trip to visit suppliers, then send an e-mail to accounts payable asking for a wire transfer to a "new supplier" that was just onboarded. Another example targets the real estate, escrow, and mortgage industry. The e-mail and calendar of a loan officer are compromised, and the scammers now know which clients are about to close on a house. When those clients are expecting wiring instructions for placing their money in escrow, the attackers send an e-mail with their own account numbers and pocket the money. This attention to detail makes BEC highly successful for the scammers and costly for the victims.
Traditionally, BEC scams have used phishing and credential-stealing malware to gather information and set the stage for the perfect strike. Recently, security researchers have observed BEC scammers shifting away from credential stealers toward Remote Access Trojans (RATs) to gather information on their targets and maintain persistent access. RATs are more useful to the attacker than standard credential stealers because they give access to privileged information beyond e-mail and calendars: sensitive documents such as merger and acquisition plans, intellectual property, private keys, and personal information (social security numbers, bank account numbers, and the like). This data can later be sold or leveraged for further attacks. Since the IC3 asset recovery team's success rate depends on how quickly a loss is reported, attackers may launch a ransomware attack to take down the corporate network once the fraudulent transfers have gone through, hoping the organization will be in recovery mode long enough for the money to clear before the fraud is noticed and reported. A distraction such as a ransomware outbreak or DDoS attack provides cover to buy time, and it is simple to stage when the scammers already have access to the corporate network.
BEC leverages a human weakness that has grown over the last decade: reluctance to pick up the phone and call someone. In many BEC cases, a phone call to a number already on file (never one taken from the suspicious e-mail itself) to verify the destination account, or to confirm that the executive actually ordered the transfer, would have prevented the loss; these avoidable losses add up to billions of dollars every year. When humans cannot be relied upon to detect and block these scams, security controls must compensate.
In 2018, the world's largest security cloud saw a 400% increase in SSL- and TLS-based phishing attacks over the prior year. Many organizations do not inspect SSL or TLS encrypted traffic, for several reasons. Decryption is computationally intensive, and many hardware security appliances cannot scale to inspect all encrypted traffic to all destinations without a lot of extra hardware. Privacy laws can also conflict with security requirements. Approximately 80% of internet traffic today is encrypted with SSL or TLS, so an organization that does not inspect it sees only the threats in the remaining 20% of traffic and is blind to whatever travels in the other 80%: phishing pages, malicious downloads, remote access trojan traffic, and unauthorized data exfiltration. It is often said that an ounce of prevention is worth a pound of cure, and protecting users before they fall victim to a BEC scam costs a fraction of the potential losses.